[SAMM] SAMM and ISM3
Vicente Aceituno
vac at zenobia.es
Tue Dec 15 06:12:41 EST 2009
Dear All,
Regarding this mapping, I am under the impression SAMM is mainly about
Software Development. This means there is a strong match between SAMM
and the ISM3 process "OSP-8 Software Development Lifecycle Control".
I attach a preliminary mapping, which can be improved by identifying
what are the deliverables produced completely or in part by each
activity, among the following:
OSP-081-Software Development Security Controls
OSP-082-Information Security Requirements
OSP-083-Information Security Requirements Test Report
OSP-194-Source Code Review Procedure
OSP-195-Source Code Review Report
Information Security Targets
Alerts, Fixes and Threats Report
Source Code Review Report
Information Security Requirements Test Report
Metrics Report
Is there any deliverable I am missing?
Regards
Vicente
On Fri, Dec 11, 2009 at 4:23 PM, Colin Watson <colin.watson at owasp.org> wrote:
> Dear all
>
> I have created an initial spreadsheet as per Pravir's suggestion,
> including the separate activities - attached.
>
> Perhaps we can divide up the ISM3 v2.3 (the current version) processes
> amongst those of us with time to look at this? Processes ordered/case
> as per v2.3 document contents:
>
> GP-1 Knowledge management
> GP-2 ISM System and Business Audit
> GP-3 ISM Design and Evolution
> SSP-1 Report to stakeholders
> SSP-3 Strategic vision
> SSP-4 Define Division of Duties roles
> SSP-6 Allocate resources for information security
> TSP-1 Report to strategic management
> TSP-2 Manage allocated resources
> TSP-3 Define Security Targets and Security Objectives
> TSP-6 Security Architecture
> TSP-4 Service Level Management
> TSP-13 Insurance Management
> TSP-7 Background Checks
> TSP-8 Personnel Security
> TSP-9 Security Personnel Training
> TSP-10 Disciplinary Process
> TSP-11 Security Awareness
> TSP-14 Information Operations
> OSP-1 Report to tactical management
> OSP-2 Security Procurement
> OSP-3 Inventory Management
> OSP-4 Information Systems Environmental Change Control
> OSP-5 Environment Patching
> OSP-6 Environment Clearing
> OSP-7 Environment Hardening
> OSP-8 Software Development Lifecycle Control
> OSP-9 Security Measures Change Control
> OSP-16 Segmentation and Filtering Management
> OSP-17 Malware Protection Management
> OSP-11 Access control
> OSP-12 User Registration
> OSP-14 Physical Environment Protection Management
> OSP-26 Enhanced Reliability and Availability Management
> OSP-10 Backup Management
> OSP-15 Operations Continuity Management
> OSP-27 Archiving Management
> OSP-19 Internal Technical Audit
> OSP-20 Incident Emulation
> OSP-21 Information Quality and Compliance Probing
> OSP-22 Alerts Monitoring
> OSP-28 External Events Detection and Analysis
> OSP-23 Internal Events Detection and Analysis
> OSP-24 Handling of incidents and near incidents
> OSP-25 Forensics
>
> We should also decide on the approach. Are we trying to find all ISM3
> processes that might include something relevant to each SAMM objective
> or activity, or something else? A process like "OSP-8 Software
> Development Lifecycle Control" might be mapped to every SAMM activity
> perhaps, and "OSP-24 Handling of incidents and near incidents" might
> only be mapped to VM1, VM2 and VM3 activities?
>
> Do we need to consider the Maturity Levels (Basic, SME, eCommerce, etc)?
>
> While going through ISM3, would it be worth mapping to ASVS at the same time?
>
> Colin
>
> _______________________________________________
> SAMM mailing list
> SAMM at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/samm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: owasp-samm-mappings-ism3-vac.xls
Type: application/vnd.ms-excel
Size: 47616 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/samm/attachments/20091215/4a09f4fb/attachment-0001.xls
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OSP-8.odt
Type: application/vnd.oasis.opendocument.text
Size: 11897 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/samm/attachments/20091215/4a09f4fb/attachment-0001.bin