Organizations grown by acquisition in an organization

allows the organization to opportunistically establish activities that ensure compliance and enable the future roadmap to be tailored accordingly.

Web Services Platforms
For organizations building web services platforms, design errors can carry additional risks and be more costly to mitigate. Therefore, activities from Threat Assessment, Security Requirements, and Secure Architecture should be placed in earlier phases of the roadmap.

Organizations Grown by Acquisition
In an organization grown by acquisition, there can often be several project teams following different development models with varying degrees of security-related activities incorporated. Such an organization may require a separate roadmap for each division or project team to account for varying starting points, as well as for project-specific concerns if a variety of software types are being developed.

[Roadmap chart: the twelve Practices (Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Security Requirements, Secure Architecture, Design Review, Code Review, Security Testing, Vulnerability Management, Environment Hardening, Operational Enablement) plotted against Phase 1 through Phase 5]

SAMM / Applying the Model - v1.0

Financial Services Organization
Roadmap template
[Roadmap chart: the twelve Practices plotted against Phase 1 through Phase 5]

Rationale
A Financial Services Organization involves the core business function of building systems to support financial transactions and processing. In general, this implies a greater concentration of internal and back-end systems that interface with disparate external data providers.

Initially, effort is focused on improving the Practices related to Governance, since these are critical services that set the baseline for the assurance program and help meet compliance requirements for the organization.

Since building secure and reliable software proactively is an overall goal, Practices within Construction are started early on and ramped up sharply as the program matures.

Verification activities are also ramped up smoothly over the course of the roadmap to handle legacy systems without creating unrealistic expectations. Additionally, this helps ensure enough cycles are spent building out the more proactive Practices.

Since a financial services organization often operates the software it builds, focus is given to the Practices within Deployment during the middle of the roadmap, after some initial Governance is in place but before heavy focus is given to the proactive Construction Practices.

Additional Considerations

Outsourced Development
For organizations using external development resources, restrictions on code access typically lead to prioritization of Security Requirements activities instead of Code Review activities. Additionally, advancing Threat Assessment to earlier phases would allow the organization to better clarify security needs to the outsourced developers. Since expertise on software configuration...