havior in order to check that expectations are being met. By introducing routine audits that start out lightweight and grow in depth over time, organizational change is achieved iteratively.
In a sophisticated form, provision of this Practice entails organization-wide understanding of both internal standards and external compliance drivers while also maintaining low-latency checkpoints with project teams to ensure no project is operating outside expectations without visibility.

SAMM / Understanding the Model - v1.0

Education & Guidance

The Education & Guidance (EG) Practice is focused on arming personnel involved in the software lifecycle with knowledge and resources to design, develop, and deploy secure software. With improved access to information, project teams will be better able to proactively identify and mitigate the specific security risks that apply to their organization.
One major theme for improvement across the Objectives is providing training for employees, either
through instructor-led sessions or computer-based modules. As an organization progresses, a broad
base of training is built by starting with developers and moving to other roles throughout the organization, culminating with the addition of role-based certification to ensure comprehension of the material.
In addition to training, this Practice also requires pulling security-relevant information into guidelines that serve as reference information to staff. This builds a foundation for establishing a baseline expectation for security practices in your organization, and later allows for incremental improvement once usage of the guidelines has been adopted.

Governance
Activities overview

Strategy & Metrics (...more on page 34)

SM 1
Objective: Establish unified strategic roadmap for software security within the organization
Activities:
A. Estimate overall business
B. Build and maintain assurance program roadmap

SM 2
Objective: Measure relative value of data and software assets and choose risk tolerance
Activities:
A. Classify data and applications based on business risk
B. Establish and measure per-classification security goals

SM 3
Objective: Align security expenditure with relevant business indicators and asset value
Activities:
A. Conduct periodic industry-wide cost comparisons
B. Collect metrics for historic security spend

Policy & Compliance (...more on page 38)

PC 1
Objective: Understand relevant governance and compliance drivers to the organization
Activities:
A. Identify and monitor external
B. Build and maintain compliance guidelines

PC 2
Objective: Establish security and compliance baseline and understand per-project risks
Activities:
A. Build policies and standards for security and compliance
B. Establish project audit practice

PC 3
Objective: Require compliance and measure projects policies and standards
Activities:
A. Create compliance gates for projects
B. Adopt solution for audit data collection

Education & Guidance

EG 1
Objective: Offer development staff access to resources around the topics of secure programming and deployment

EG 2
Objective: Educate all personnel...

EG 3
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.