Additionally each member of the security response
the field, internal discovery of high-risk vulnerabilities, etc. In case of an event, the closest contact would step in as an extra resource and advisor to the affected project team(s) to provide technical guidance and brief other stakeholders on progress of mitigation efforts. The point of contact should be chosen from security-savvy technical or management staff with a breadth of knowledge over the software projects in the organization. A list of these assigned security points of contact should be centrally maintained and updated at least every six months. Additionally, publishing and advertising this list allows staff within the organization to request help and work directly with one another on security problems.

B. Create informal security response team(s)

From the list of individuals assigned responsibility as a security point of contact, or from dedicated security personnel, select a small group to serve as a centralized technical security response team. The responsibilities of the team will include directly taking ownership of security incidents or vulnerability reports and being responsible for triage, mitigation, and reporting to stakeholders. Given their responsibility when tapped, members of the security response team are also responsible for executive briefings and upward communication during an incident. It is likely that most of the time the security response team would not be operating in this capacity, though they must be flexible enough to be able to respond quickly, or a smooth process must exist for deferring an incident to another team member. The response team should hold a meeting at least annually to brief security points of contact on the response process and high-level expectations for security-related reporting from project teams.
Results
✦ Lightweight process in place to handle high-priority vulnerabilities or incidents
✦ Framework for stakeholder notification and reporting of events with security impact
✦ High-level due diligence for handling security issues

Success Metrics
✦ >50% of the organization briefed on closest security point of contact in past 6 months
✦ >1 meeting of security response team and points of contact in past 12 months

Costs
✦ Ongoing variable project overhead from staff filling the security point of contact roles
✦ Identification of appropriate security response team

Personnel
✦ Security Auditors (1 day/yr)
✦ Architects (1 day/yr)
✦ Managers (1 day/yr)
✦ Business Owners (1 day/yr)

Related Levels
✦ Education & Guidance - 2
✦ Strategy & Metrics - 3

SAMM / The Security Practices - v1.0 (page 71)

VM 2 Vulnerability Management
Elaborate expectations for response process to improve consistency and communications

Activities

Results
✦ Communications plan for dealing with vulnerability reports from third-parties
✦ Clear process for releasing security patches to software operators
✦ Formal process for tracking, handling, and internally communicating about incidents

Add’l Success Metrics
✦ >80% of project teams briefed on incident response process in past 6 months...