havior in order to check that expectations are being met. By introducing routine audits that start out lightweight and grow in depth over time, organizational change is achieved iteratively. In a sophisticated form, provision of this Practice entails organization-wide understanding of both internal standards and external compliance drivers while also maintaining low-latency checkpoints with project teams to ensure no project is operating outside expectations without visibility.

SAMM / Understanding the Model - v1.0

Education & Guidance

The Education & Guidance (EG) Practice is focused on arming personnel involved in the software lifecycle with knowledge and resources to design, develop, and deploy secure software. With improved access to information, project teams will be better able to proactively identify and mitigate the specific security risks that apply to their organization.

One major theme for improvement across the Objectives is providing training for employees, either through instructor-led sessions or computer-based modules. As an organization progresses, a broad base of training is built by starting with developers and moving to other roles throughout the organization, culminating with the addition of role-based certification to ensure comprehension of the material.

In addition to training, this Practice also requires pulling security-relevant information into guidelines that serve as reference information to staff. This builds a foundation for establishing a baseline expectation for security practices in your organization, and later allows for incremental improvement once usage of the guidelines has been adopted.
Governance Activities overview

Strategy & Metrics (SM) ...more on page 34

SM 1
  Objective: Establish unified strategic roadmap for software security within the organization
  Activities:
    A. Estimate overall business risk profile
    B. Build and maintain assurance program roadmap

SM 2
  Objective: Measure relative value of data and software assets and choose risk tolerance
  Activities:
    A. Classify data and applications based on business risk
    B. Establish and measure per-classification security goals

SM 3
  Objective: Align security expenditure with relevant business indicators and asset value
  Activities:
    A. Conduct periodic industry-wide cost comparisons
    B. Collect metrics for historic security spend

Policy & Compliance (PC) ...more on page 38

PC 1
  Objective: Understand relevant governance and compliance drivers to the organization
  Activities:
    A. Identify and monitor external compliance drivers
    B. Build and maintain compliance guidelines

PC 2
  Objective: Establish security and compliance baseline and understand per-project risks
  Activities:
    A. Build policies and standards for security and compliance
    B. Establish project audit practice

PC 3
  Objective: Require compliance and measure projects against organization-wide policies and standards
  Activities:
    A. Create compliance gates for projects
    B. Adopt solution for audit data collection

Education & Guidance (EG)

EG 1
  Objective: Offer development staff access to resources around the topics of secure programming and deployment

EG 2
  Objective: Educate all personnel...