SAMM / Applying the Model - v1.0

Assessment worksheet questions preceding the Operational Enablement practice (answered Yes/No):

✦ ... for incident reporting and handling?
✦ Do the majority of projects document some requirements for the operational environment?
✦ Do most projects check for security updates to third-party software components?
✦ Is a consistent process used to apply upgrades and patches to critical dependencies?
✦ Do most projects leverage automation to check application and environment health?
✦ Are stakeholders aware of options for additional tools to protect software while running in operations?
✦ Does routine audit check most projects for baseline environment health?

Operational Enablement (answered Yes/No; questions grouped by OE 1, OE 2, OE 3):

✦ Are security-related alerts and error conditions documented for most projects?
✦ Are most projects utilizing a change management process that's well understood?
✦ Do project teams deliver an operational security guide with each product release?
✦ Are most projects being audited to check each release for appropriate operational security information?
✦ Is code signing routinely performed on software components using a consistent process?
✦ Do you deliver security notes with the majority of software releases?

Creating Scorecards

Based on the scores assigned to each Security Practice, an organization can create a scorecard to capture those values. Functionally, a scorecard can be the simple set of 12 scores for a particular time. However, selecting a time interval over which to generate a scorecard facilitates understanding of overall changes in the assurance program during the time frame.
Using interval scorecards is encouraged for several situations:

✦ Gap analysis - Capturing scores from detailed assessments versus expected performance levels
✦ Demonstrating improvement - Capturing scores from before and after an iteration of assurance program build-out
✦ Ongoing measurement - Capturing scores over consistent time frames for an assurance program that is already in place

The figure on the right shows an example scorecard for how an organization's assurance program changed over the course of one year. If that organization had also saved the data about where they were planning on being at the end of the year, that would be another interesting data set to plot, since it would help show the extent to which the plans had to change over the year.

[Figure: example scorecard with "before" and "after" scores for the twelve Security Practices: Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Security Requirements, Secure Architecture, Design Review, Code Review, Security Testing, Vulnerability Management, Environment Hardening, Operational Enablement.]

Building Assurance Programs

[Figure: roadmap-building flowchart spanning Phase 1 through Phase 4; nodes include "Start", "Conduct initial assessment", "Existing roadmap template?" (no), "Create empty roadmap", and the practices Threat Assessment, Security Requirements, Secure Architecture, Design Review.]

After a roadmap is established, the buil...