unified strategic roadmap for software security within the organization

A. Estimate overall business risk profile

Interview business owners and stakeholders and create a list of worst-case scenarios across the organization's various application and data assets. Depending on how your organization builds, uses, or sells software, the list of worst-case scenarios can vary widely, but common entries include data theft or corruption, service outages, monetary loss, reverse engineering, and account compromise.

After broadly capturing worst-case scenario ideas, collate them and select the most important based on the collected information and knowledge of the core business. Any number can be selected, but aim for at least 3 and no more than 7 to make efficient use of time and keep the exercise focused. For each selected item, write a description and document the details of the contributing worst-case scenarios, the potential contributing factors, and the potential mitigating factors for the organization. Review the final business risk profile with business owners and other stakeholders to confirm a shared understanding.

B. Build and maintain assurance program roadmap

With the main business risks to the organization understood, evaluate the organization's current performance against each of the twelve Practices. Assign each Practice a score of 1, 2, or 3 corresponding to the highest Objective for which the organization meets all of the cumulative Success Metrics; if no Success Metrics are met, assign a score of 0. Once the current status is well understood, identify the Practices to improve in the next iteration, selecting them based on the business risk profile, other business drivers, compliance requirements, budget tolerance, etc. For each selected Practice, the goal of the iteration is to achieve its next Objective.

Iterations of improvement on the assurance program should take approximately 3-6 months, but an assurance strategy session should take place at least every 3 months to review progress on activities, performance against Success Metrics, and other business drivers that may require program changes.

Results
✦ Concrete list of the most critical business-level risks caused by software
✦ Tailored roadmap that addresses the security needs of your organization with minimal overhead
✦ Organization-wide understanding of how the assurance program will grow over time

Success Metrics
✦ >80% of stakeholders briefed on business risk profile in past 6 months
✦ >80% of staff briefed on assurance program roadmap in past 3 months
✦ >1 assurance program strategy session in past 3 months

Costs
✦ Buildout and maintenance of business risk profile
✦ Quarterly evaluation of assurance program

Personnel
✦ Developers (1 day/yr)
✦ Architects (4 days/yr)
✦ Managers (4 days/yr)
✦ Business Owners (4 days/yr)
✦ QA Testers (1 day/yr)
✦ Security Auditor (4 days/yr)

Related Levels
✦ Policy & Compliance - 1
✦ Threat Assessment - 1
✦ Security Requirements - 2

SAMM / The Security Practices - v1.0
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.