Architecture Governance

A set of tools used to develop a broad range of architecture perspectives, usually integrated into a common Architecture Framework.
Elements that the governance process must cover are:

  • Describe a method for defining an information system in terms of a set of building blocks
  • Show how the building blocks fit together
  • Provide a technical roadmap for the standards list
  • Contain a set of tools, and enforce a technology standards list
  • Provide a common vocabulary
  • Define governance processes to ensure that existing solutions and new IT services are aligned with the framework.

Cloud Controls Matrix (CCM) Data

RM-04 | Release Management | Outsourced Development

Control Specification

A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all outsourced software development. The development of all outsourced software shall be supervised and monitored by the organization and must include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews. Certification for the purposes of this control shall be defined as either a ISO/IEC 17024 accredited certification or a legally recognized license or certification in the legislative jurisdiction the organization outsourcing the development has chosen as its domicile.

Architectural Relevance

Physical  Network  Compute  App   Data
False     True     True     True  True

Corp Gov Relevance

True

Cloud Service Delivery Model Applicability

SaaS  PaaS  IaaS
True  True  True

Supplier Relationship

Service Provider  Tenant / Consumer
True              True

Scope Applicability

COBIT 4.1: (none listed)
HIPAA / HITECH Act: (none listed)
ISO/IEC 27001-2005: A.6.1.8, A.6.2.1, A.6.2.3, A.10.1.4, A.10.2.1, A.10.2.2, A.10.2.3, A.10.3.2, A.12.1.1, A.12.2.1, A.12.2.2, A.12.2.3, A.12.2.4, A.12.4.1, A.12.4.2, A.12.4.3, A.12.5.1, A.12.5.2, A.12.5.3, A.12.5.5, A.12.6.1, A.13.1.2, A.15.2.1, A.15.2.2

NIST SP800-53 R3: SA-4, SA-5, SA-8, SA-9, SA-10, SA-11, SA-12, SA-13
FedRAMP (Final 2012) Low Impact: NIST SP 800-53 R3 SA-4, SA-5, SA-9
FedRAMP (Final 2012) Moderate Impact: NIST SP 800-53 R3 SA-4, SA-4 (1), SA-4 (4), SA-4 (7), SA-5, SA-5 (1), SA-5 (3), SA-8, SA-9, SA-9 (1), SA-10, SA-11, SA-11 (1), SA-12
PCI DSS v2.0: 3.6.7, 6.4.5.2, 7.1.3, 8.5.1, 9.1, 9.1.2, 9.2b, 9.3.1, 10.5.2, 11.5, 12.3.1, 12.3.3

BITS Shared Assessments SIG v6.0: C.2.4, G.4, G6, I.1, I.4.4, I.4.5, I.2.7.2, I.2.8, I.2.9, I.2.15, I.2.18, I.2.22.6, I.2.7.1, I.2.13, I.2.14, I.2.17, I.2.20, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.3, J.1.2.10, L.7, L.9, L.10
BITS Shared Assessments SIG v5.0: C.2, I.1, I.2, I.4
GAPP (Aug 2009): (none listed)

Jericho Forum: Commandment #1, Commandment #2, Commandment #3
NERC CIP: (none listed)


Release Management (RM) | ID #RM-04.1

Do you have controls in place to ensure that standards of quality are being met for all software development?

Compliance Mapping

COBIT: (none listed)
HIPAA: (none listed)
ISO27001: A.6.1.8, A.6.2.1, A.6.2.3, A.10.1.4, A.10.2.1, A.10.2.2, A.10.2.3, A.10.3.2, A.12.1.1, A.12.2.1, A.12.2.2, A.12.2.3, A.12.2.4, A.12.4.1, A.12.4.2, A.12.4.3, A.12.5.1, A.12.5.2, A.12.5.3, A.12.5.5, A.12.6.1, A.13.1.2, A.15.2.1, A.15.2.2
SP800_53: NIST SP800-53 R3 SA-4, SA-5, SA-8, SA-9, SA-10, SA-11, SA-12, SA-13

FedRAMP: (none listed)
PCI_DSS: PCI DSS v2.0 3.6.7, 6.4.5.2, 7.1.3, 8.5.1, 9.1, 9.1.2, 9.2b, 9.3.1, 10.5.2, 11.5, 12.3.1, 12.3.3
BITS: (none listed)
GAPP: (none listed)

Model Applicability

SaaS  PaaS  IaaS
True  True  True

Scope Applicability

SP    CUST
True  True

Release Management (RM) | ID #RM-04.2

Do you have controls in place to detect source code security defects for any outsourced software development activities?

Compliance Mapping

COBIT: (none listed)
HIPAA: (none listed)
ISO27001: A.6.1.8, A.6.2.1, A.6.2.3, A.10.1.4, A.10.2.1, A.10.2.2, A.10.2.3, A.10.3.2, A.12.1.1, A.12.2.1, A.12.2.2, A.12.2.3, A.12.2.4, A.12.4.1, A.12.4.2, A.12.4.3, A.12.5.1, A.12.5.2, A.12.5.3, A.12.5.5, A.12.6.1, A.13.1.2, A.15.2.1, A.15.2.2
SP800_53: NIST SP800-53 R3 SA-4, SA-5, SA-8, SA-9, SA-10, SA-11, SA-12, SA-13

FedRAMP: (none listed)
PCI_DSS: PCI DSS v2.0 3.6.7, 6.4.5.2, 7.1.3, 8.5.1, 9.1, 9.1.2, 9.2b, 9.3.1, 10.5.2, 11.5, 12.3.1, 12.3.3
BITS: (none listed)
GAPP: (none listed)

Model Applicability

SaaS  PaaS  IaaS
True  True  True

Scope Applicability

SP    CUST
True  True