Software assurance entails many different activities and concerns. Without an overall plan, you might spend a lot of effort building in security while your efforts are in fact unaligned, disproportionate or even counterproductive. The goal of the Strategy and Metrics (SM) practice is to build an efficient and effective plan for realizing your software security objectives within your organization.

A software security program that selects and prioritizes activities from the rest of the model serves as the foundation for your efforts. This practice covers building the plan, then maintaining and disseminating it.

At the same time, you want to keep track of your security posture and of improvements to the program. A metrics-driven approach is included to ensure an accurate view of your activities: to measure is to know.

Overview

Objective, by maturity level:

Maturity 1: Identify objectives and means of measuring the effectiveness of the security program.
Maturity 2: Establish a unified strategic roadmap for software security within the organization.
Maturity 3: Align security efforts with the relevant organizational indicators and asset values.

Streams

A: Create and Promote

Maturity 1: Identify organizational drivers as they relate to the organization's risk tolerance.
Maturity 2: Publish a unified strategy for application security.
Maturity 3: Align the application security program to support the organization's growth.

B: Measure and Improve

Maturity 1: Define metrics that give insight into the effectiveness and efficiency of the application security program.
Maturity 2: Set targets and KPIs for measuring the program's effectiveness.
Maturity 3: Influence the strategy based on the metrics and organizational needs.