
PO: Prepare the Organization

13 tasks in the Prepare the Organization group

PO.1.1 Identify and document all security requirements for the organization’s software development infrastructures and processes, and maintain the requirements over time.
PO.1.2 Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time.
PO.1.3 Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization’s own software. [Formerly PW.3.1]
PO.2.1 Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed.
PO.2.2 Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed.
PO.2.3 Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities.
PO.3.1 Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.
PO.3.2 Follow recommended security practices to deploy, operate, and maintain tools and toolchains.
PO.3.3 Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.
PO.4.1 Define criteria for software security checks and track throughout the SDLC.
PO.4.2 Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria.
PO.5.1 Separate and protect each environment involved in software development.
PO.5.2 Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.
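PO.3.3, PO.4.1 and PO.4.2 only become concrete once a toolchain artifact is actually evaluated against written criteria and the outcome is retained as evidence. The script below is an added illustration of that chain; it is not part of the SSDF or of any NIST publication, and it is not output from any real tool. It assumes a hypothetical SAST tool that emits a minimal SARIF-like JSON document (constructed inline), organization-defined severity thresholds (the CRITERIA values are assumed), and a SARIF "level" fallback for findings that carry no explicit severity. Findings the tool leaves unclassified are counted under "unknown" and fail the gate, so a misconfigured tool cannot silently pass, and the evaluated artifact is hashed so the retained record can later be checked against the stored artifact.

```python
"""Hypothetical security-gate check illustrating PO.3.3, PO.4.1 and PO.4.2:
a tool emits a findings artifact, organization-defined criteria are applied
to it, and an evidence record is produced for retention. Added example, not
NIST's or any tool's code."""
import hashlib
import json
from dataclasses import dataclass, field

# Organization-defined criteria (PO.4.1): maximum findings tolerated at each
# severity before the check fails. Values are assumed for illustration.
# "unknown" is 0 so findings the tool did not classify cannot slip past a
# gate that only inspects named severities.
CRITERIA = {"critical": 0, "high": 0, "medium": 5, "low": 20, "unknown": 0}

# Fallback from a SARIF "level" to a severity when no explicit one is given.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}

# Constructed sample artifact in a minimal SARIF-like shape, standing in for
# what a tool configured per PO.3.3 would emit. Not real tool output.
SAMPLE_ARTIFACT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "version": "1.0"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "properties": {"severity": "critical"}},
            {"ruleId": "HC-SECRET-002", "level": "warning",
             "properties": {"severity": "high"}},
            {"ruleId": "LOG-003", "level": "note",
             "properties": {"severity": "low"}},
        ],
    }],
})

# Constructed artifact whose single finding carries neither severity nor level.
SAMPLE_UNCLASSIFIED = json.dumps({
    "runs": [{"tool": {"driver": {"name": "example-sast"}},
              "results": [{"ruleId": "MISC-009"}]}]
})


@dataclass
class GateResult:
    passed: bool
    tool: str
    counts: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)
    artifact_sha256: str = ""


def severity_of(result: dict, criteria: dict) -> str:
    """Explicit severity if it is one the criteria track, else map the SARIF
    level, else 'unknown'."""
    sev = str(result.get("properties", {}).get("severity", "")).lower()
    if sev in criteria:
        return sev
    return LEVEL_TO_SEVERITY.get(str(result.get("level", "")).lower(), "unknown")


def evaluate_gate(artifact_json: str, criteria: dict = CRITERIA) -> GateResult:
    """Apply the criteria to one findings artifact and return the outcome."""
    doc = json.loads(artifact_json)
    counts = {sev: 0 for sev in criteria}
    tool = "unknown-tool"
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", tool)
        for finding in run.get("results", []):
            sev = severity_of(finding, criteria)
            counts[sev] = counts.get(sev, 0) + 1
    violations = [f"{sev}: {counts[sev]} found, at most {limit} allowed"
                  for sev, limit in criteria.items() if counts[sev] > limit]
    # PO.4.2: hash the artifact exactly as evaluated so the retained record
    # can be verified against the stored artifact later.
    digest = hashlib.sha256(artifact_json.encode("utf-8")).hexdigest()
    return GateResult(not violations, tool, counts, violations, digest)


def evidence_record(result: GateResult, sdlc_stage: str) -> dict:
    """Record to retain: what was checked, where in the SDLC, against which
    criteria, with what outcome, and the hash of the evaluated artifact."""
    return {
        "sdlc_stage": sdlc_stage,
        "tool": result.tool,
        "criteria": dict(CRITERIA),
        "counts": dict(result.counts),
        "passed": result.passed,
        "violations": list(result.violations),
        "artifact_sha256": result.artifact_sha256,
    }


if __name__ == "__main__":
    outcome = evaluate_gate(SAMPLE_ARTIFACT)
    print(json.dumps(evidence_record(outcome, "pre-merge"), indent=2))
    raise SystemExit(0 if outcome.passed else 1)
```

In a real pipeline the evidence record would be written to storage the build job cannot modify after the fact, and the criteria themselves would be versioned alongside it, since PO.4.1 asks that the criteria be tracked throughout the SDLC, not just applied once.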