G.2 Develop security policies

Establish the organizational roles and controls that drive internal security standards, in alignment with the business purpose of the organization.

Controls

G.2.1 Upper management support

Upper management understands the business risks of insecure software and commits the resources necessary for secure software development.

G.2.2 Secure SDLC checks

Security criteria are defined for each phase of the SDLC and are used to check the software's security during development.

G.2.3 Roles and responsibilities

Ownership of security controls throughout the SDLC is established and visible at the organizational level and at the product-team and operational levels.

G.2.4 Security code review policy

Guidelines specifying which code must undergo a security-focused manual or automated review are communicated.

G.2.5 Asset inventory

Hardware and software assets are inventoried to enable incident response, system analysis, traceability of critical components, and reliable identification of assets that need to be changed or decommissioned.

G.2.6 Protection of information at rest

The confidentiality and integrity of information at rest are protected.