Control Objectives:
1.1 Overall responsibility for the security of the software vendor’s products and services is assigned by the vendor’s senior leadership team.
Test Requirements:
1.1 The assessor shall examine vendor evidence and interview the individual or individuals assigned overall responsibility for the security of the vendor’s products and services to confirm the following:
- Accountability for ensuring the security of the software vendor’s products and services is formally assigned to an individual or team by the software vendor’s senior leadership.
- Responsibilities include keeping senior leadership informed of security updates, issues, and other matters related to the security of the software vendor’s products and services.
- Updates are provided to senior leadership at least annually on the performance of and changes to the software vendor’s software security policy and strategy described in Control Objective 2.
Guidance:
The formal assignment of responsibility by the software vendor’s senior leadership team ensures strategic-level visibility into and influence over the vendor’s software security practices. Senior leadership typically represents those individuals or teams with the responsibility and authority to make strategic business decisions for the software vendor organization. In many cases, senior leadership teams are composed of members of the executive team such as the chief executive officer (CEO), chief financial officer (CFO), chief technology officer (CTO), chief information officer (CIO), chief risk officer (CRO), or similar roles, but that is not the case in all organizations. The distinct structure of the senior leadership team is ultimately determined by the software vendor.
Assignment of overall responsibility for the vendor’s software security program should include the authority to enforce and execute the organization’s software security strategy. Without appropriate authority, those responsible for the security of the software vendor’s products and services cannot be reasonably held accountable for ensuring the organization’s security strategy is followed. Those responsible for the vendor’s software security should provide periodic updates on the state of the vendor’s software security program and the performance of its strategy to senior leadership. This allows senior leadership to ensure the strategy is being properly prioritized and resourced, and that changes required as a result of its performance are approved in a timely manner.
Evidence to support this control objective might include job descriptions, organization charts, presentations, audio recordings, senior leadership meeting minutes, reports, e-mails, formal communications from senior leadership to the rest of the organization, or any other records that clearly reflect the formal assignment of responsibility and authority, and communications between senior leadership and those responsible for the vendor’s software security program regarding program performance.