Rationale

A Financial Services Organization involves the core business function of building systems to support financial transactions and processing. In general, this implies a greater concentration of internal and back-end systems that interface with disparate external data providers.

Initially, effort is focused on improving the Practices related to Governance since these are critical services that set the baseline for the assurance program and help meet compliance requirements for the organization.

Since building secure and reliable software proactively is an overall goal, Practices within Construction are started early on and ramped up sharply as the program matures.

Verification activities are also ramped up smoothly over the course of the roadmap to handle legacy systems without creating unrealistic expectations. Additionally, this helps ensure enough cycles are spent building out more proactive Practices.

Since a financial services organization often operates the software they build, focus is given to the Practices within Deployment during the middle of the roadmap after some initial Governance is in place but before heavy focus is given to the proactive Construction Practices.

Additional Considerations

Outsourced Development

For organizations using external development resources, restrictions on code access typically leads to prioritization of Security Requirements activities instead of Code Review activities. Additionally, advancing Threat Assessment in earlier phases would allow the organization to better clarify security needs to the outsourced developers. Since expertise on software configuration will generally be strongest within the outsourced group, contracts should be constructed to account for the activities related to Operational Enablement.

Web Services Platforms

For organizations building web services platforms, design errors can carry additional risks and be more costly to mitigate. Therefore, activities from Threat Assessment, Security Requirements, and Secure Architecture should be placed in earlier phases of the roadmap.

Organizations Grown by Acquisition

In an organization grown by acquisition, there can often be several project teams following different development models with varying degrees of security-related activities incorporated. An organization such as this may require a separate roadmap for each division or project team to account for varying starting points as well as project-specific concerns if a variety of software types are being developed.

Additional Resources