Model | Governance | Strategy and Metrics
Software assurance entails many different activities and concerns. Without an overall plan, you might be spending a lot of effort to build in security, while in fact your efforts may be unaligned, disproportional or even counterproductive. The goal of the Strategy and Metrics (SM) practice is to build an efficient and effective plan for realizing your software security objectives within your organization.
A software security program, that selects and prioritizes activities of the rest of the model, serves as the foundation for your efforts. The practice works on building the plan, maintaining and disseminating it.
At the same time, you want to keep track of your security posture and program improvements. A metrics-driven approach is included to ensure an accurate view on your activities. To measure is to know.
Maturity level | Stream ACreate and Promote | Stream BMeasure and Improve | |
---|---|---|---|
1 | Identify objectives and means of measuring effectiveness of the security program. | Identify organization drivers as they relate to the organization's risk tolerance. | Define metrics with insight into the effectiveness and efficiency of the Application Security Program. |
2 | Establish a unified strategic roadmap for software security within the organization. | Publish a unified strategy for application security. | Set targets and KPI's for measuring the program effectiveness. |
3 | Align security efforts with the relevant organizational indicators and asset values. | Align the application security program to support the organization's growth. | Influence the strategy based on the metrics and organizational needs. |