|
1 | 1 | --- |
2 | | -In this article the usage of DSOMM is explained and the dimensions and corresponding sub-dimensions. |
| 2 | +This article explains the usage of DSOMM, the dimensions and |
| 3 | + corresponding sub-dimensions. |
3 | 4 |
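Review bot: the continuation line `+ corresponding sub-dimensions.` carries a stray leading space, and the rewritten sentence lists `the usage of DSOMM, the dimensions and corresponding sub-dimensions` with one verb doing two jobs; suggest `This article explains how to use DSOMM and describes its dimensions and corresponding sub-dimensions.` on a single line.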
|
4 | 5 | # Pre-Requirements |
| 6 | + |
5 | 7 | Before you start, there is kind of maturity level 0. |
6 | 8 |
|
7 | 9 | The pre-requirements are highly based (mostly copied) on [AppSecure NRW](https://github.com/AppSecure-nrw/security-belts/tree/master/white). |
8 | 10 |
|
9 | | -## Onboard Product Owner and other Manager |
| 11 | +## Risk management |
| 12 | + |
| 13 | +[NIST defines `risk`](https://csrc.nist.gov/glossary/term/risk) as |
| 14 | + |
| 15 | +> a measure of the extent to which an entity is threatened by a potential |
| 16 | +circumstance or event, and typically is a function of: |
| 17 | +> 1. the adverse impact, or magnitude of harm, that would arise |
| 18 | +> if the circumstance or event occurs; and |
| 19 | +> 2. the likelihood of occurrence. |
| 20 | + |
| 21 | +In information security, risks arise from the loss of: |
| 22 | +- confidentiality, |
| 23 | +- integrity, |
| 24 | +- or availability |
| 25 | + |
| 26 | +of information or information systems and reflect the |
| 27 | +potential adverse impacts to: |
| 28 | +- organizational operations |
| 29 | + (including: - mission, - functions, - image, - or reputation), |
| 30 | +- organizational assets, |
| 31 | +- individuals, |
| 32 | +- other organizations |
| 33 | +(see [NIST.SP.800-53Ar4](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf). |
| 34 | + |
| 35 | +A risk then tied to a **threat**, its **probability** and its **impacts**. |
10 | 36 |
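Review bot: the new Risk management section has an unclosed parenthesis and a missing verb. The line `(see [NIST.SP.800-53Ar4](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf).` never closes the parenthesis opened before `see`, and `A risk then tied to a **threat**, its **probability** and its **impacts**.` needs `is` after `risk`. Two smaller points in the same hunk: the second line of the NIST quotation (`circumstance or event, and typically is a function of:`) lacks the `>` prefix, so the blockquote only holds together by lazy continuation, and `(including: - mission, - functions, - image, - or reputation),` is a half-converted list; write it as plain prose, `(including mission, functions, image or reputation),`, or as a nested list under `organizational operations`.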
|
11 | | -Software vulnerabilities might be exploited when shipped into production. |
| 37 | +If you are interested in Risk Management frameworks and |
| 38 | +strategies, you can start from |
| 39 | +[FISMA](https://csrc.nist.gov/Projects/risk-management/). |
12 | 40 |
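Review bot: the link text `FISMA` sits on a URL whose path is `Projects/risk-management/`, so the text does not match where the reader lands; name the destination, e.g. `you can start with NIST's [risk management project](https://csrc.nist.gov/Projects/risk-management/)`, and mention FISMA in the sentence if that association matters. Minor wording: `start from` reads better as `start with`, and `Risk Management frameworks` does not need capitals mid-sentence.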
|
13 | | -This results in risks for the organization. |
14 | 41 |
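Review bot: deleting `Software vulnerabilities might be exploited when shipped into production.` together with `This results in risks for the organization.` removes the only sentence that ties vulnerabilities to the risk definition introduced above; consider keeping one sentence to that effect at the end of the Risk management section so the reader sees why a maturity model for software security is a risk-management tool.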
|
15 | | -The person responsible for judging "risks vs. |
16 | | -revenue" on your product |
17 | | -(e.g., Product Owner, manager) must be convinced that continuously improving |
18 | | -security through Security Belts is the best way |
| 42 | +## Onboard Product Owner and other Managers |
| 43 | + |
| 44 | +To adopt a DSOMM in a product or a project, it is important to identify |
| 45 | +the person or the team which is responsible to ensure |
| 46 | +that risk-related considerations reflects the organizational |
| 47 | +risk tolerance |
| 48 | +(see [Risk Executive](https://csrc.nist.gov/glossary/term/risk_executive) |
| 49 | +for a more complete view). |
| 50 | + |
| 51 | +Depending on the project, this "Risk Manager" - which in layman terms |
| 52 | +is responsible for judging "risks vs. costs" of the product - |
| 53 | +can be the `Project Manager`, the `Product Owner` or else: |
| 54 | +it is important that he has the proper risk management |
| 55 | +knowledge and, receive a proper training. |
| 56 | + |
| 57 | +The "Risk Manager" must be convinced that continuously improving |
| 58 | +security through DSOMM is an effective way to |
19 | 59 | to minimize risk and build better products. |
20 | | -Judging about security risks requires company specific understanding |
21 | | -about security risk management. |
22 | | -Ensure that the aforementioned roles have this knowledge |
23 | | -and train them if this is not the case. |
24 | | -- Identify the persons who are judging "risks vs. |
25 | | -revenue". |
26 | | -- Raise the awareness of these persons |
27 | | - (e.g., show how easy it is to exploit software). |
28 | | -- Convince these persons that security is a continuous effort |
29 | | - and that Security Belts are a cost efficient solution. |
| 60 | + |
| 61 | +The first steps for deploying DSOMM are then the following: |
| 62 | + |
| 63 | +1. identify the persons in charge for risk decisions |
| 64 | +1. make them aware of information security risks, showing the impacts of |
| 65 | + threats and their probability. |
| 66 | +1. convince them that security requires continuous efforts |
30 | 67 |
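Review bot: the new line `security through DSOMM is an effective way to` is immediately followed by the unchanged `to minimize risk and build better products.`, so the rendered text reads `way to to minimize`; drop the trailing `to` on the new line. Grammar in the same hunk: `To adopt a DSOMM` should lose the article; `the person or the team which is responsible to ensure that risk-related considerations reflects` should read `who is responsible for ensuring that risk-related considerations reflect`; `this "Risk Manager" - which in layman terms` should be `who`; and `it is important that he has the proper risk management knowledge and, receive a proper training` should read `it is important that they have the proper risk management knowledge and receive proper training`. The numbered list also mixes punctuation (only the second item ends with a period) and puts role names in backticks while the rest of the file uses quotes for `"Risk Manager"`; pick one convention.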
|
31 | 68 | ### Benefits |
32 | 69 |
|
33 | | -- The Product Owner is aware that software can have security vulnerabilities. |
34 | | -- Resources are allocated to improve in security - |
35 | | - to avoid, detect and fix security vulnerabilities. |
36 | | -- Management can perform well informed decision when |
37 | | - judging "risks vs. |
38 | | -revenue". |
39 | | -- The Product Owner has transparency on how secure the product is. |
| 70 | +- The "Risk Manager" is aware that all software have security vulnerabilities, |
| 71 | + and that the related risks should be minimized. |
| 72 | +- Resources must be allocated to improve security and |
| 73 | + to avoid, detect and fix vulnerabilities. |
| 74 | +- Management can perform well informed risk decisions |
| 75 | +- The "Risk Manager" has transparent knowledge on how secure the product is. |
40 | 76 |
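Review bot: `Resources must be allocated to improve security` states an obligation, not a benefit; under a `### Benefits` heading keep the outcome form of the original, `Resources are allocated to improve security and to avoid, detect and fix vulnerabilities.` Also in this hunk: `all software have security vulnerabilities` should be `all software has` (or, closer to the original claim, `can have`); `Management can perform well informed risk decisions` reads better as `Management can make well-informed risk decisions.` with the terminal period the neighbouring items carry; and `has transparent knowledge on how secure` should keep the original `has transparency on how secure`.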
|
41 | 77 | ## Get to Know Security Policies |
| 78 | + |
42 | 79 | Identify the security policies of your organization and adhere to them. |
43 | 80 |
|
44 | 81 |
|