The following documents should be prepared and agreed with the organization's senior management:
– an information security policy (4.13 of GOST R 56939–2016);
– a secure software development guide that meets the requirements of 4.10 of GOST R 56939–2016 and is harmonized with the information security policy and the organization's other governing documents.
Several secure software development guides with different scopes (different software products and/or software development teams) may be created. After agreement with the organization's top management, these documents must be:
– communicated to all employees of the organization involved in the secure software development process;
– made mandatory;
– made available to employees for review and use;
– kept up to date.
Creating and carrying out a plan for implementing the secure software development process
Planning the implementation of secure software development measures is carried out on the basis of the information set out in the secure software development guide. For the development processes within the scope of the secure software development measures, the developer needs to draw up an implementation plan. The plan may provide for the phased introduction of the corresponding measures from the baseline set of secure software development measures (Section 5 of GOST R 56939–2016) or the use of compensating measures in accordance with 4.5 of GOST R 56939–2016. The choice of the secure software development measures to be implemented in the organization, and the assignment of the selected measures to a particular stage of implementation, is made taking into account:
– the goals of implementing secure software development measures;
– the goals and features of the software developer's internal process organization;
– the results of the analysis of information security threats relevant to the software development environment;
– the level of readiness of these processes.
The analysis of information security threats relevant to the software development environment, and the documentation of its results, is performed in accordance with GOST R 58412. The choice of measures and its justification, including the reasons why certain other measures are not to be implemented, should also be documented.
For each secure software development measure being implemented, the implementation plan should reflect:
– a list of the tasks to be performed to implement the measure;
– a list of the resources required to implement the measure and their amounts;
– the expected results and the deadlines for completing the tasks;
– the employees responsible for performing the tasks.
Separate plans may be drawn up for specific software products and/or development teams. Guidance on implementing secure software development measures, including a description of the tasks performed during implementation and the distribution between employees of the roles and responsibilities related to implementing the measures, is given in section 5. Section 5 also presents the recommended distribution of roles and responsibilities for the typical actions performed during the introduction and implementation of secure software development measures.
Employees of the software developer, or of a third-party organization with the competencies needed to solve particular tasks, are involved in implementing secure software development measures. Annex A provides information on the roles of software developer employees related to implementing secure software development measures.
The documented plan for implementing secure software development measures must be agreed with all stakeholders and submitted to the organization's top management for approval, so that they can take the final decision on implementing the secure software development measures and allocating the necessary resources.
All employees involved in the software development process should be made familiar with the implementation plan, including for the purpose of informing them of the organization's goals in the field of secure software development, as well as of the tasks set and the deadlines for completing them.
Note – The plan for implementing secure software development measures must be agreed at least with the head of software development and the head of the secure software development group (if one exists in the organization).
Procedures and guidelines should be prepared and agreed with the organization's senior management that are consistent with the requirements of GOST R 56939 and other applicable industry standards, contribute to implementing the secure software development process, and take into account the peculiarities of the software developer's internal process organization, culture and values.
After agreement with the organization's top management, these documents must be:
– communicated to all employees of the organization involved in the secure software development process;
– made mandatory;
– made available to employees for review and use;
– kept up to date.
Documents related to implementing secure software development measures should be developed taking into account the requirements for software developer documentation given for each secure software development measure in section 5 of GOST R 56939–2016 and the provisions of 4.12 of GOST R 56939–2016. It is recommended that the documents be placed on a shared resource accessible to all stakeholders in software development projects.
Documents containing detailed information on a specific project are recommended to be placed on a resource accessible to all participants in that software development project. At the same time, access to restricted information must be differentiated on the need-to-know principle, conflicts of interest must be eliminated by separating roles and areas of responsibility, and access to information about software vulnerabilities should be restricted.
During implementation, it is periodically verified that the secure software development measures are being implemented in accordance with the implementation plan. The purpose of the periodic reviews is to track changes and determine whether the plan for implementing secure software development measures is being carried out properly. The frequency of the reviews, as well as their procedure and the conditions for carrying them out, are specified in the plan for implementing the measures. The plan for implementing secure software development measures should be kept up to date and corrected based on the results of internal audits. Software vulnerabilities identified during the development or operation of the software are described in accordance with GOST R 56545. If a software vulnerability identified during the development or operation of the software also exists in software (for example, in a previous version) that is already in use by users