PO.2: Implement Roles and Responsibilities

Ensure that everyone inside and outside of the organization involved in the SDLC is prepared to perform their SDLC-related roles and responsibilities throughout the SDLC.

PO.2.1

Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed.

Implementation Examples
  • Example 1: Define SDLC-related roles and responsibilities for all members of the software development team.
  • Example 2: Integrate the security roles into the software development team.
  • Example 3: Define roles and responsibilities for cybersecurity staff, security champions, project managers and leads, senior management, software developers, software testers, software assurance leads and staff, product owners, operations and platform engineers, and others involved in the SDLC.
  • Example 4: Conduct an annual review of all roles and responsibilities.
  • Example 5: Educate affected individuals on impending changes to roles and responsibilities, and confirm that the individuals understand the changes and agree to follow them.
  • Example 6: Implement and use tools and processes to promote communication and engagement among individuals with SDLC-related roles and responsibilities, such as creating messaging channels for team discussions.
  • Example 7: Designate a group of individuals or a team as the code owner for each project.
References

PO.2.2

Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed.

Implementation Examples
  • Example 1: Document the desired outcomes of training for each role.
  • Example 2: Define the type of training or curriculum required to achieve the desired outcome for each role.
  • Example 3: Create a training plan for each role.
  • Example 4: Acquire or create training for each role; acquired training may need to be customized for the organization.
  • Example 5: Measure outcome performance to identify areas where changes to training may be beneficial.
References
  • BSAFSS: PD.2-2
  • BSIMM: T1.1, T1.7, T1.8, T2.5, T2.8, T2.9, T3.1, T3.2, T3.4
  • EO14028: 4e(ix)
  • IEC62443: SM-4
  • MSSDL: 1
  • NISTCSF: PR.AT
  • OWASPSAMM: EG1-A, EG2-A
  • PCISSLC: 1.3
  • SCAGILE: Operational Security Tasks 14, 15; Tasks Requiring the Help of Security Experts 1
  • SCFPSSD: Planning the Implementation and Deployment of Secure Development Practices
  • SCSIC: Vendor Software Development Integrity Controls
  • SP80053: SA-8
  • SP800160: 3.2.4, 3.2.6
  • SP800161: SA-8
  • SP800181: OV-TEA-001, OV-TEA-002; T0030, T0073, T0320; K0204, K0208, K0220, K0226, K0243, K0245, K0252; S0100, S0101; A0004, A0057

PO.2.3

Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities.

Implementation Examples
  • Example 1: Appoint a single leader or leadership team to be responsible for the entire secure software development process, including being accountable for releasing software to production and delegating responsibilities as appropriate.
  • Example 2: Increase authorizing officials’ awareness of the risks of developing software without integrating security throughout the development life cycle and the risk mitigation provided by secure development practices.
  • Example 3: Assist upper management in incorporating secure development support into their communications with personnel with development-related roles and responsibilities.
  • Example 4: Educate all personnel with development-related roles and responsibilities on upper management’s commitment to secure development and the importance of secure development to the organization.
References