The Software Capability Maturity Model (SW-CMM, or SCCM) has the following stages, phases, or levels:
- Initial – good practices are disorganized and chaotic; poorly controlled.
- Repeatable – reactive practices and a bit more organized but not necessarily defined.
- Defined – formal practices/processes that are well-understood and proactive.
- Managed – quantitative, measured, calculatable, and assessable.
- Optimizing – practices/processes are continuously optimized and improved.
Taking the first letter of each level, create an imaginary friend named “IRDMO”.
Change management concepts
Sometimes called “changeman”, or change control, this is a structured methodology for making changes to applications. Its purpose is to prevent the accidental or deliberate introduction of security vulnerabilities. Three main components of change management are:
- Quality assurance for change
- The change flow – submission, approval, testing, implementation, recordation (SATIR) – think of a satyr from the Narnia series who changes into stone after disobeying the White Witch.
- Backout plan for when/if the requested change does not “Pan” out (in Greek mythology, Pan is a satyr-like creature).
Here are a few different approaches to change management:
Integrated product team (IPT) – a group of stakeholders with varying skillsets who work together on the change and are accountable for the outcome.
Integrated product and process development (IPPD) – the combination of product design and process design.
DevOps – a business-driven approach that combines lean and agile principles; development and operations work together and include the other lines of business/stakeholders. It has the following elements:
- Testability – develop/test against simulated production systems
- Deployability – deploy with automated processes that are iterative, repeatable, frequent, and reliable.
- Monitorability – monitor the application from the start so that issues are found and addressed early.
- Modifiability – allows for efficient feedback by creating effective communication channels.