Elements and Performance Criteria
- Develop system and application security
  - Identify enterprise ICT system or application security policies
  - Identify security requirements for the ICT system or application
  - Write an ICT system or application security plan according to the enterprise and ICT system or application security policies
  - Identify standards against which to engineer the ICT system or application
  - Identify criteria for performing risk based audits against the ICT system or application
  - Develop processes and procedures to mitigate the introduction of vulnerabilities during the engineering process
  - Integrate applicable information security requirements, controls, processes, and procedures into ICT system and application design specifications according to established requirements
- Implement system and application security
  - Execute enterprise and ICT system or application security policies
  - Apply and verify compliance with identified standards against which to engineer the ICT system or application
  - Perform processes and procedures to mitigate the introduction of vulnerabilities during the engineering process
  - Perform secure configuration management practices
  - Validate that the engineered ICT system and application security controls meet the specified requirements
  - Re-engineer security controls to mitigate vulnerabilities identified during the operations phase
  - Ensure integration of information security practices throughout the SDLC process
  - Document ICT system or application security controls addressed within the system
  - Practise secure coding
- Evaluate system and application security
  - Review new and existing risk management technologies to achieve an optimal enterprise risk posture
  - Review new and existing ICT security technologies to support secure engineering across the SDLC phases
  - Continually assess effectiveness of the information system controls based on risk management practices and procedures
  - Assess and evaluate system compliance with corporate policies and architectures
  - Assess system maturation and readiness for promotion to the production stage
  - Collect lessons learned from integration of information security into the SDLC and use to identify improvement actions
  - Collect, analyse and report performance measures