A good first step towards the implementation of a secure SDLC is to take stock of your existing applications. All applications within your organization carry with them a certain level of risk. This risk needs to be quantified in order to guide you towards making effective decisions about security tradeoffs.
Classifying your applications from a security perspective helps provide input into your asset management process. Below are some items to consider, in multiple choice format. Answers to the questions below can be assigned a specific weight. The options are listen in order of increasing weight:
- What is the scope of the application’s use?
- Internal, within a department?
- Internal, across multiple departments?
- External (customer, business partner, vendor, supplier)?
- What kind of information does this application store, process, or transmit?
- Public information?
- Customer confidential?
- What is the approximate size of the end-user base?
- Less than 50?
- Between 50 and 100?
- Between 100 and 250?
- Between 250 and 500?
- Greater than 500?
- What is the approximate budget allotted to this application?
- Less than $50,000?
- Between $50,000 and $100,000?
- Between $100,000 and $500,000?
- Between $500,000 and $1M?
- Between $1M and $5M?
- Greater than $5M?
- What kind of financial transactions are executed by this application?
- No transactions
In a future post, I’ll move into CIA considerations for assessing your application’s risk.