href="#u1b48377b-7af8-5c8a-9a23-f9b26030ec38">18
|
7.13
|
Participate in Business Continuity (BC) planning and exercises
|
3
|
|
7.14
|
Implement and manage physical security
|
10
|
|
7.14.1
|
Perimeter security controls
|
10
|
|
7.14.2
|
Internal security controls
|
10
|
|
7.15
|
Address personnel safety and security concerns
|
16
|
|
7.15.1
|
Travel
|
16
|
|
7.15.2
|
Security training and awareness
|
16
|
|
7.15.3
|
Emergency management
|
16
|
|
7.15.4
|
Duress
|
16
|
|
Domain 8
|
Software Development Security
|
|
|
8.1
|
Understand and integrate security in the Software Development Life Cycle (SDLC)
|
20
|
|
8.1.1
|
Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
|
20
|
|
8.1.2
|
Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
|
20
|
|
8.1.3
|
Operation and maintenance
|
20
|
|
8.1.4
|
Change management
|
20
|
|
8.1.5
|
Integrated Product Team (IPT)
|
20
|
|
8.2
|
Identify and apply security controls in software development ecosystems
|
15, 17, 20, 21
|
|
8.2.1
|
Programming languages
|
20
|
|
8.2.2
|
Libraries
|
20
|
|
8.2.3
|
Tool sets
|
20
|
|
8.2.4
|
Integrated Development Environment (IDE)
|
20
|
|
8.2.5
|
Runtime
|
20
|
|
8.2.6
|
Continuous Integration and Continuous Delivery (CI/CD)
|
20
|
|
8.2.7
|
Security Orchestration, Automation, and Response (SOAR)
|
17
|
|
8.2.8
|
Software Configuration Management (SCM)
|
20
|
|
8.2.9
|
Code repositories
|
20
|
|
8.2.10
|
Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))
|
15
|
|
8.3
|
Assess the effectiveness of software security
|
20
|
|
8.3.1
|
Auditing and logging of changes
|
20
|
|
8.3.2
|
Risk analysis and mitigation
|
20
|
|
8.4
|
Assess security impact of acquired software
|
