...ed integrity verification tools, etc. Based on the organization and project-specific knowledge, technical stakeholders should work with support and operations staff to identify and recommend selected operations protection tools to business stakeholders. If deemed a valuable investment in terms of risk reduction versus cost of implementation, stakeholders should agree on plans for a pilot, widespread rollout, and ongoing maintenance.

B. Expand audit program for environment configuration

When conducting routine project-level audits, expand the review to include inspection of artifacts related to hardening the operating environment. Beyond an up-to-date specification for the operational environment, audits should inspect current patch status and historic data since the previous audit. By tapping into monitoring tools, audits can also verify key factors about application configuration management and historic changes. Audits should also inspect the usage of operations protection tools against those available for the software's architecture type.

Audits for infrastructure can occur at any point after a project's initial release and deployment, but should occur at least every 6 months. For legacy systems or projects without active development, infrastructure audits should still be conducted and reviewed by business stakeholders. An exception process should be created to allow special-case projects to continue operations, but with an explicitly assigned timeframe for mitigation of findings. Exceptions should be limited to no more than 20% of all projects.

Results
✦✦Reinforced operational environment with layered checks for security
✦✦Established and measured goals for operational maintenance and performance
✦✦Reduced likelihood of successful attack via flaws in external dependencies

Add'l Success Metrics
✦✦>80% of stakeholders briefed on relevant operations protection tools in past 6 months
✦✦>75% of projects passing infrastructure audits in past 6 months

Add'l Costs
✦✦Research and selection of operations protection solutions
✦✦Buildout or license of operations protection tools
✦✦Ongoing operations overhead from maintenance of protection tools
✦✦Ongoing project overhead from infrastructure-related audits

Add'l Personnel
✦✦Business Owners (1 day/yr)
✦✦Managers (1-2 days/yr)
✦✦Support/Operators (3-4 days)

Related Levels
✦✦Policy & Compliance - 2

SAMM / The Security Practices - v1.0

Operational Enablement

OE 1
Objective: Enable communications between development teams and operators for critical security-relevant data
Activities:
A. Capture critical security information for deployment
B. Document procedures for typical application alerts
✦✦Do you deliver security notes with the majority of software releases?
✦✦Are security-related alerts and error conditions documented for most projects?

OE 2
Objective: Improve expectations for continuous secure operations through provision of detailed procedures
Activities:
A. Create per-release change management procedures
B. Maintain formal operational security guides
✦✦Are most projects utilizing a change management process that's well understood?
✦✦Do project teams deliver an operational security guide with each product release?

OE 3
Objective: Mandate communication of security information and validate artifacts for completeness
Activities:
A. Expand audit program for operational information
B. Perform code signing for application components
✦✦Are most...