Unformatted text preview: ✦✦>80% of stakeholders briefed on security
issue disclosures in past 6 months Add’l Costs
✦✦Ongoing organization overhead
from incident response process Add’l Personnel
✦✦Security Auditors (3-5 days/yr)
✦✦Managers (1-2 days/yr)
✦✦Business Owners (1-2 days/yr)
✦✦Support/Operators (1-2 days/yr) Related Levels SAMM / The Security Practices - v1.0 ✦✦ 72 Activities
A. Establish consistent incident response process
Extending from the informal security response team, explicitly document the organization’s
incident response process as well as the procedures that team members are expected to
follow. Additionally, each member of the security response team must be trained on this
material at least annually.
There are several tenets to sound incident response process and they include initial triage
to prevent additional damage, change management and patch application, managing project
personnel and others involved in the incident, forensic evidence collection and preservation,
limiting communication about the incident to stakeholders, well-defined reporting to stakeholders and/or communications trees, etc.
With development teams, the security responders should work together to conduct the
technical analysis to verify facts and assumptions about each incident or vulnerability report.
Likewise, when project teams detect an incident or high-risk vulnerability, they should follow
an internal process that puts them in contact with a member of the security response team. B. Adopt a security issue disclosure process
For most organizations, it is undesirable to let news of a security problem become public, but
there are several important ways in which internal-to-external communications on security
issues should be fulfilled.
The first and most common is through creation and deployment of security patches for
the software produced by the organization. Generally, if all software projects are only used
internally, then this becomes less critical, but for all contexts where the software is being
operated by parties external to the organization, a patch release process must exist. It should
provide for several factors including change management and regression testing prior to
patch release, announcement to operators/users with assigned criticality category for the
patch, sparse technical details so that an exploit cannot be directly derived, etc.
Another avenue for external communications is with third parties that report security vulnerabilities in an organization’s software. By adopting and externally posting the expected
process with timeframes for response, vulnerability reporters are encouraged to follow
responsible disclosure practices.
Lastly, many states and countries legally require external communications for incidents involving data theft of personally identifiable information and other sensitive data type. Should
this type of incident occur, the security response team should work with managers and business stakeholders to determine appropriate next-steps....
View Full Document
- Spring '14