Review Culture & Organization, level 1

Author: vbakke

src/assets/YAML/default/CultureAndOrganization/Design.yaml

@@ -87,25 +87,6 @@ Culture and Organization:
       comments: ""
     Conduction of simple threat modeling on technical level:
       uuid: 47419324-e263-415b-815d-e7161b6b905e
-      risk:
-        Technical related threats are discovered too late in the development and
-        deployment process.
-      measure:
-        Threat modeling of technical features is performed during the product
-        sprint planning.
-      difficultyOfImplementation:
-        knowledge: 2
-        time: 3
-        resources: 1
-      usefulness: 3
-      level: 1
-      implementation:
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/whiteboard
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/miro-or-any-other-c
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/draw-io
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/threat-modeling-play
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-samm
-        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/threat-matrix-for-storage
       description: |
         # OWASP SAMM Description
         Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment.
@@ -149,6 +130,26 @@ Culture and Organization:
         GraphQL queries are dynamically translated to SQL, Elasticsearch and NoSQL queries. Access to data is protected with basic auth set to _1234:1234_ for development purposes.
 
         Source: OWASP Project Integration Project
+      risk:
+        Technical related threats are discovered too late in the development and deployment process.
+      measure: |
+        Perform threat modeling of technical features during product sprint planning using simple checklists and diagrams. Document identified threats and mitigations for new or changed functionality.
+      assessment: |
+        - Evidence of threat modeling activities exists for high-risk applications, including annotated diagrams and documented threats/mitigations.
+        - Activities are performed during sprint planning and involve relevant stakeholders. Outcomes are recorded and accessible for review.
+      level: 1
+      difficultyOfImplementation:
+        knowledge: 2
+        time: 3
+        resources: 1
+      usefulness: 3
+      implementation:
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/whiteboard
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/miro-or-any-other-c
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/draw-io
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/threat-modeling-play
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-samm
+        - $ref: src/assets/YAML/default/implementations.yaml#/implementations/threat-matrix-for-storage
       references:
         samm2:
           - D-TA-2-B

src/assets/YAML/default/CultureAndOrganization/EducationAndGuidance.yaml

@@ -4,19 +4,23 @@ Culture and Organization:
   Education and Guidance:
     Ad-Hoc Security trainings for software developers:
       uuid: 12c90cc6-3d58-4d9b-82ff-d469d2a0c298
-      risk:
-        Understanding security is hard and personnel needs to be trained on it.
-        Otherwise, flaws like an SQL Injection might be introduced into the software
-        which might get exploited.
-      measure:
-        Provide security awareness training for all personnel involved in software
-        development Ad-Hoc.
+      description: |
+        Ad-hoc security training provides basic awareness of software security risks and best practices to developers and other personnel involved in software development. These trainings are delivered as needed, without a fixed schedule, to address immediate knowledge gaps or respond to emerging threats.
+      risk: |
+        Without any security training, personnel may lack awareness of common software vulnerabilities (such as SQL Injection and vulnerable dependencies), increasing the risk of introducing exploitable flaws into applications.
+      measure: |
+        Provide security awareness training for all personnel involved in software development on an ad-hoc basis, ensuring that relevant topics are covered when new risks or needs are identified.
+      assessment: |
+        - Conduct security training for developers and relevant personnel
+        - Participants can identify common software security risks addressed in the training
+        - Training materials are available
+        - Attendance records are available
+      level: 1
       difficultyOfImplementation:
         knowledge: 2
         time: 1
         resources: 1
       usefulness: 3
-      level: 1
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-juice-shop
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-cheatsheet-series
@@ -407,18 +411,20 @@ Culture and Organization:
       comments: ""
     Security consulting on request:
       uuid: 0b28367b-75a0-4bae-a926-3725c1bf9bb0
-      risk:
-        Not asking a security expert when questions regarding security appear
-        might lead to flaws.
-      measure:
-        Security consulting to teams is given on request. The security consultants
-        can be internal or external.
+      level: 1
+      description: |
+        Security consulting on request allows teams to seek expert advice on security-related questions or challenges as they arise. This support can be provided by internal or external security consultants and helps address specific concerns during software development.
+      risk: |
+        If teams do not consult security experts when questions arise, security flaws may be introduced or remain undetected, increasing the risk of vulnerabilities in the software.
+      measure: |
+        Make security consulting available to teams on request, ensuring that expert advice is accessible when needed to address security concerns during development.
+      assessment: |
+        Records show that teams have access to security consulting services and have used them when needed. Documentation of consultations and resulting actions is available for review.
       difficultyOfImplementation:
         knowledge: 3
         time: 1
         resources: 1
       usefulness: 3
-      level: 1
       implementation:
         - $ref: src/assets/YAML/default/implementations.yaml#/implementations/owasp-cheatsheet-series
       references:

src/assets/YAML/default/CultureAndOrganization/Process.yaml

@@ -58,24 +58,23 @@ Culture and Organization:
       comments: ""
     Definition of simple BCDR practices for critical components:
       uuid: c72da779-86cc-45b1-a339-190ce5093171
-      description:
-        A _Business Continuity and Disaster Recovery_ (BCDR) is a plan and a process
-        that helps a business to return to normal operations if a disaster occurs.
-      risk:
+      description: |
+        Business Continuity and Disaster Recovery (BCDR) is a plan and a process that enable an organization to quickly restore normal operations after a disruptive event, such as a cyberattack or natural disaster.
+      risk: |
         If the disaster recovery actions are not clear, you risk slow reaction and remediation delays.
         This applies to cyber attacks as well as natural emergencies, such as a power outage.
-      measure:
-        By understanding and documenting a business continuity and disaster
-        recovery (BCDR) plan, the overall availability of systems and applications
-        is increased. Success factors like responsibilities, Service Level Agreements,
-        Recovery Point Objectives, Recovery Time Objectives or Failover must be fully
-        documented and understood by the people involved in the recovery.
+      measure: |
+        Develop, document, and communicate a BCDR plan for all critical components. The plan must define roles and responsibilities, Service Level Agreements (SLAs), Recovery Point Objectives (RPOs), Recovery Time Objectives (RTOs), and failover procedures. Ensure all relevant personnel are trained and the plan is reviewed and updated regularly.
+      assessment: |
+        - The organization has a documented BCDR plan covering all critical components.
+        - The plan clearly defines responsibilities, SLAs, RPOs, RTOs, and failover steps. 
+        - Relevant staff are aware of the plan, and evidence of regular review and testing is available.
+      level: 1
       difficultyOfImplementation:
         knowledge: 4
         time: 3
         resources: 2
       usefulness: 4
-      level: 1
       implementation: []
       references:
         samm2: []