Policy and standards development starts by gaining an appreciation of your unique business circumstances. We highlight the key decisions required, outline the options, and customize the framework appropriately. A typical Policy, Standards, and Guidelines framework comprises the following elements:
- Software Security Initiative Charter. Specifies authority and organizational scope for the program.
- Secure Software Development Life Cycle (SSDLC) and Product Development Life Cycle (PDLC). Outlines a secure overlay for your agile, spiral, or traditional SDLC and acquisition process.
- Software Security Policy. Describes overarching principles of operation. For example, the directive regarding SSDLC contains a brief instruction for the two formal interactions between security and development.
- Secure Coding Guidelines. Provide an extensive range of technology- and language-specific help for development teams.
- Software Risk Ranking Policy and Calculator. Defines a methodology and attributes to assign a risk ranking to software assets.
- Project (Impact) Risk Ranking Policy, Calculator, and Activity Selection Matrix. Defines a methodology and attributes to assign a risk ranking to projects modifying software assets.
- Data Classification Policy. Defines classification levels including example data elements for each category.