Is most of your development staff aware of future


…curity assurance program already in place?
✦ Do most of the business stakeholders understand your organization’s risk profile?
✦ Is most of your development staff aware of future plans for the assurance program?
[Maturity-level score boxes: SM 1 SM 2 SM 3 / PC 1 PC 2 PC 3 / EG 1 EG 2 EG 3]
✦ Are most of your applications and resources categorized by risk?
✦ Are risk ratings used to tailor the required assurance activities?
✦ Does most of the organization know about what’s required based on risk ratings?
✦ Is per-project data for cost of assurance activities collected?
✦ Does your organization regularly compare your security spend with other organizations?

Policy & Compliance (Yes/No)
✦ Do most project stakeholders know their project’s compliance status?
✦ Are compliance requirements specifically considered by project teams?
✦ Does the organization utilize a set of policies and standards to control software development?
✦ Are project teams able to request an audit for compliance with policies and standards?
✦ Are projects periodically audited to ensure a baseline of compliance with policies and standards?
✦ Does the organization systematically use audits to collect and control compliance evidence?

Education & Guidance (Yes/No)
✦ Have most developers been given high-level security awareness training?
✦ Does each project team have access to secure development best practices and guidance?
✦ Are most roles in the development process given role-specific training and guidance?
✦ Are most stakeholders able to pull in security coaches for use on projects?
✦ Is security-related guidance centrally controlled and consistently distributed throughout the organization?
✦ Are most people tested to ensure a baseline skill set for secure development practices?

SAMM / Applying the Model - v1.0 (page 22)

Construction Assessment worksheet

Threat Assessment (Yes/No)
✦ Do most projects in your organization consider and document likely threats?
✦ Does your organization understand and document the types of attackers it faces?
[Maturity-level score boxes: TA 1 TA 2 TA 3 / SR 1 SR 2 SR 3 / SA 1 SA 2 SA 3]
✦ Do project teams regularly analyze functional requirements for likely abuses?
✦ Do project teams use a method of rating threats for relative comparison?
✦ Are stakeholders aware of relevant threats and ratings?
✦ Do project teams specifically consider risk from external software?
✦ Are all protection mechanisms and controls captured and mapped back to threats?

Security Requirements (Yes/No)
✦ Do most project teams specify some security requirements during development?
✦ Do project teams pull requirements from best practices and compliance guidance?
✦ Are most stakeholders reviewing access control matrices for relevant projects?
✦ Are project teams specifying requirements based on feedback from other security activities?
✦ Are most stakeholders reviewing vendor agreements for security requirements?
✦ Are the security requirements specified by project teams being audited?

Secu...
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.