Process from DSOMM framework

SAMMY works best on screens 1024px wide or larger.

O-PR: Process

Maturity Level 1

Maturity Level 2

Maturity Level 3

Definition of simple BCDR practices for critical components

O-PR-1-1: Definition of simple BCDR practices for critical components

By understanding and documenting a business continuity and disaster recovery (BCDR) plan, the overall availability of systems and applications is increased. Success factors like responsibilities, Service Level Agreements, Recovery Point Objectives, Recovery Time Objectives or Failover must be fully documented and understood.

Description

A Business Continuity and Disaster Recovery (BCDR) is a plan and a process that helps a business to return to normal operations if a disaster occurs.

Risk: If the disaster recovery actions are not clear, you risk slow reaction and remediation delays. This applies to cyber attacks as well as natural emergencies, such as a power outage.

Determining the protection requirement

O-PR-2-1: Determining the protection requirement

Defining the protection requirement. The protection requirements for an application should consider: - Processed data criticality - Application accessibility (internal vs. external) - Regulatory compliance - Other relevant factors

Description

Defining the protection requirement. The protection requirements for an application should consider:

Processed data criticality
Application accessibility (internal vs. external)
Regulatory compliance
Other relevant factors

Risk: Not defining the protection requirement of applications can lead to wrong prioritization, delayed remediation of critical security issues, increasing the risk of exploitation and potential damage to the organization.

Approval by reviewing any new version

O-PR-3-1: Approval by reviewing any new version

On each new version (e.g. Pull Request) of source code or infrastructure components a security peer review of the changes is performed (two eyes principle) and approval given by the reviewer.

Description

On each new version (e.g. Pull Request) of source code or infrastructure components a security peer review of the changes is performed (two eyes principle) and approval given by the reviewer.

Risk: An individual might forget to implement security measures to protect source code or infrastructure components.

Definition of a change management process

O-PR-3-2: Definition of a change management process

Each change of a system is automatically recorded and adequately logged.

Description

Each change of a system is automatically recorded and adequately logged.

Risk: The impact of a change is not controlled because these are not recorded or documented.