Model | Governance | Policy and Compliance | Policy and Standards
Benefit
Clear expectation of minimum security level in the organization
Activity
Develop a library of policies and standards to govern all aspects of software development in the organization. Policies and standards are based on existing industry standards and appropriate for the organization’s industry. Due to the full range of technology-specific limitations and best practices, review proposed standards with the various product teams. With the overarching objective of increasing security of the applications and computing infrastructure, invite product teams to offer feedback on any aspects of the standards that would not be feasible or cost-effective to implement, as well as opportunities for standards to go further with little effort on the product teams.
For policies, emphasize high-level definitions and aspects of application security that do not depend on specific technology or hosting environment. Focus on broader objectives of the organization to protect the integrity of its computing environment, safety and privacy of the data, and maturity of the software development life-cycles. For larger organizations, policies may qualify specific requirements based on data classification or application functionality, but should not be detailed enough to offer technology-specific guidance.
For standards, incorporate requirements set forth by policies, and focus on technology-specific implementation guidance intended to capture and take advantage of the security features of different programming languages and frameworks. Standards require input from senior developers and architects considered experts in various technologies in use by the organization. Create them in a format that allows for periodic updates. Label or tag individual requirements with the policy or a 3rd party requirement, to make maintenance and audits easier and more efficient.
Question
Do you have and apply a common set of policies and standards throughout your organization?
Quality criteria
You have adapted existing standards appropriate for the organization’s industry to account for domain-specific considerations |
Your standards are aligned with your policies and incorporate technology-specific implementation guidance |
Answers
No |
Yes, for some applications |
Yes, for at least half of the applications |
Yes, for most or all of the applications |
Benefit
Common understanding of how to reach compliance with security policies for product teams
Activity
To assist with the ongoing implementation and verification of compliance with policies and standards, develop application security and appropriate test scripts related to each applicable requirement. Organize these documents into libraries and make them available to all application teams in formats most conducive for inclusion into each application. Clearly label the documents and link them to the policies and standards they represent, to assist with the ongoing updates and maintenance. Version policies and standards and include detailed change logs with each iterative update to make ongoing inclusion into different products' SDLC easier.
Write application security requirements in a format consistent with the existing requirements management processes. You may need more than one version catering to different development methodologies or technologies. The goal is to make it easy for various product teams to incorporate policies and standards into their existing development life-cycles needing minimal interpretation of requirements.
Test scripts help reinforce application security requirements through clear expectations of application functionality, and guide automated or manual testing efforts that may already be part of the development process. These efforts not only help each team establish the current state of compliance with existing policies and standards, but also ensure compliance as applications continue to change.
Question
Do you publish the organization's policies as test scripts or run-books for easy interpretation by development teams?
Quality criteria
You create verification checklists and test scripts where applicable, aligned with the policy's requirements and the implementation guidance in the associated standards |
You create versions adapted to each development methodology and technology the organization uses |
Answers
No |
Yes, some content |
Yes, at least half of the content |
Yes, most or all of the content |
Benefit
Understanding of your organization’s compliance with policies and standards
Activity
Develop a program to measure each application’s compliance with existing policies and standards. Mandatory requirements should be motivated and reported consistently across all teams. Whenever possible, tie compliance status into automated testing and report with each version. Compliance reporting includes the version of policies and standards and appropriate code coverage factors.
Encourage non-compliant teams to review available resources such as security requirements and test scripts, to ensure non-compliance is not a result of inadequate guidance. Forward issues resulting from insufficient guidance to the teams responsible for publishing application requirements and test scripts, to include them in the future releases. Escalate issues resulting from the inability to meet policies and standards to teams that handle application security risks.
Question
Do you regularly report on policy and standard compliance, and use that information to guide compliance improvement efforts?
Quality criteria
You have procedures (automated, if possible) to regularly generate compliance reports |
You deliver compliance reports to all relevant stakeholders |
Stakeholders use the reported compliance status information to identify areas for improvement |
Answers
No |
Yes, but reporting is ad-hoc |
Yes, we report at regular times |
Yes, we report at least annually |
Stream Guidance
- SAMM team guidance Google Doc
- Community guidance Google Doc
Want to contribute?
Complete this Google Form with guidance for this Stream.
To learn more about Stream guidance for the SAMM model, see the Stream guidance page.