Unformatted text preview: ted upgrade scripts to prevent errors
during deployment. B. Maintain formal operational security guides
Starting from the information captured on critical software events and the procedures for
handling each, project teams should build and maintain formal guides that capture all the
security-relevant information that users and operators need to know.
Initially, this guide should be built from the known information about the system, such as
security-related configuration options, event handling procedures, installation and upgrade
guides, operational environment specifications, security-related assumptions about the deployment environment, etc. Extending this, the formal operational security guide should
elaborate on each of these to cover more details such that the majority of the users and
operators will be informed for all the questions they might have had. For large or complex
systems, this can be challenging, so project teams should work with business stakeholders to
determine the appropriate level of documentation. Additionally, project teams should document any recommendations for deployments that would enhance security.
The operational security guide, after initial creation, should be reviewed by project teams and
updated with each release. Operational Enablement OE 3 Mandate communication of security information and validate artifacts for completeness A. Expand audit program for operational information
When conducting routine project-level audits, expand the review to include inspection of artifacts related to operational enablement for security. Projects should be checked to ensure
they have an updated and complete operational security guides as relevant to the specifics
of the software.
These audits should begin toward the end of the development cycle close to release, but
must be completed and passed before a release can be made. For legacy systems or inactive
projects, this type of audit should be conducted and a one-time effort should be made to
address findings and verify audit compliance, after which additional audits for operational
enablement are no longer required.
Audit results must be reviewed with business stakeholders prior to release. An exception
process should be created to allow projects failing an audit to continue with a release, but
these projects should have a concrete timeline for mitigation of findings. Exceptions should
be limited to no more that 20% of all active projects. B. Perform code signing for application components
Though often used with special-purpose software, code signing allows users and operators
to perform integrity checks on software such that they can cryptographically verify the
authenticity of a module or release. By signing software modules, the project team enables
deployments to operate with a greater degree of assurance against any corruption or modification of the deployed software in its operating environment.
Signing code incurs overhead for management of signing credentials for the orga...
View Full Document
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
- Spring '14