Software Engineering Institute

Updates to this material are, in part, either adapted or excerpted from Software Security Engineering: A Guide for Project Managers. This overview defines the scope of governance concern as it applies to security. It describes some of the top-level considerations and characteristics to use as indicators of a security conscious culture and whether an effective pro-gram is in place.

Security's days as just a technical issue are done. It is becoming a central concern for leaders at the highest level of many organizations and governments, transcending national borders. Customers are demanding it as worries about privacy, the protection of personally identifiable information, and identity theft grow. Business partners, suppliers, and vendors are requiring it from one another, particularly when providing mutual network and information access. Networked efforts to steal competitive intelligence and engage in extortion are becoming more prevalent. Security breaches and data disclosure increasingly arise from criminal behavior motivated by financial gain.

Current and former employees and contractors who have or had authorized access to their organization's system and networks are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate at-tacks and even collude with external attackers. Malicious insider acts that need to be mitigated include sabotage, fraud, theft of confidential or proprietary in-formation, and potential threats to our nation's critical infrastructure. Recent CERT research documents cases of successful insider incidents during the soft-ware development life cycle.

According to the IT Governance Institute ". . . boards of directors will increasingly be expected to make information security an intrinsic part of governance, integrated with processes they already have in place to govern other critical organizational resources."