Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.
The strategies should include:
- Defined security and automation requirements based on an organization's application deployment needs and standards.
- Defined roles and responsibilities between security, application teams, and other stakeholder groups.
- Identification and integration with existing application deployment processes.
- Customization of the secure deployment process for each deployment type (e.g., operating systems, network connections, configuration).
- Logging and monitoring of secure application deployment so that issues are promptly addressed by the appropriate people (incident response or forensics).
- Metrics to effectively measure deployment success.
The capabilities should be based on the organization's SSDLC and should include, for instance:
- Defined and approved list of deployment and automation technologies.
- Enablement of team members (e.g., developers, administrators) to address security issues as they arise.
The strategies and capabilities should be reviewed periodically by senior management.
- Examine policies and procedures for implementing secure application deployment.
- Determine whether segregation of duties (roles and responsibilities) is clearly defined among security and application teams.
- Determine whether the process for identifying and integrating with existing application deployment processes is defined and verified.
- Evaluate the extent of automation deployed and the criteria used to decide what is automated.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.