


...rom the project teams building software and communicating it to the users and operators of the software. Without this information, even the most securely designed software carries undue risks since important security characteristics and choices will not be known at a deployment site. Starting from lightweight documentation to capture the most impactful details for users and operators, an organization evolves toward building complete operational security guides that are delivered with each release. In an advanced form, operational enablement also entails organization-level checks against individual project teams to ensure that information is being captured and shared according to expectations.

Deployment Activities overview

Vulnerability Management (VM) ...more on page 70

VM 1
  Objective: Understand high-level plan for responding to vulnerability reports or incidents
  Activities:
    A. Identify point of contact for security issues
    B. Create informal security response team(s)

VM 2
  Objective: Elaborate expectations for response process to improve consistency and communications
  Activities:
    A. Establish consistent incident response process
    B. Adopt a security issue disclosure process

VM 3
  Objective: Improve analysis and data gathering within response process for feedback into proactive planning
  Activities:
    A. Conduct root cause analysis for incidents
    B. Collect per-incident metrics

Environment Hardening (EH) ...more on page 74

EH 1
  Objective: Understand baseline operational environment for applications and software components
  Activities:
    A. Maintain operational environment specification
    B. Identify and install critical security upgrades and patches

EH 2
  Objective: Improve confidence in application operations by hardening the operating environment
  Activities:
    A. Establish routine patch management process
    B. Monitor baseline environment configuration status

EH 3
  Objective: Validate application health and status of operational environment against known best practices
  Activities:
    A. Identify and deploy relevant operations protection tools
    B. Expand audit program for environment configuration

Operational Enablement (OE) ...more on page 78

OE 1
  Objective: Enable communications between development teams and operators for critical security-relevant data
  Activities:
    A. Capture critical security information for deployment
    B. Document procedures for typical application alerts

OE 2
  Objective: Improve expectations for continuous secure operations through provision of detailed procedures
  Activities:
    A. Create per-release change management procedures
    B. Maintain formal operational security guides

OE 3
  Objective: Mandate communication of security information and validate artifacts for completeness
  Activities:
    A. Expand audit program for operational information
    B. Perform code signing for application components

SAMM / Understanding the Model - v1.0    17

Applying the Model
Putting it all to work

This section covers several important and useful applications of SAMM. Given the core design of the model itself, an organization can use SAMM as a benchmark to measure its security assurance program and create a scorecard. Using scorecards, an organization can demonst...

This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.
