Step 3: Set the Target
Decide where you want to be: set a target maturity level for each security practice.
Activities
Define the target
Set or update the target by identifying which activities your organization should implement. Typically, this will include more lower-level than higher-level activities. Check that the total set of selected activities is coherent as a whole and that it respects the dependencies between activities.
Estimate overall impact
Estimate the impact of the chosen target on the organization. Try to express this in budgetary terms.
Resources
- SAMM Toolbox: includes the Roadmap worksheet and the SAMM Benchmark
Best practices
- Take into account the organization’s risk profile.
- Respect dependencies between activities.
- As a rough measure, the overall impact of a software assurance effort is estimated at 5% to 10% of the total development cost.