Preface
This is the first edition of CSA EXP 200, Evaluation of software development and cybersecurity programs. This Express Document is not a consensus product; that is, it is not a standard, and it has not been formally reviewed or approved by a CSA Technical Committee.
The purpose of this Express Document is to provide guidance on the development of a method to evaluate the software development practices and the related cybersecurity practices of an organization that is producing products for the Internet of Things (IoT) product space.
Governments, businesses, and consumers are looking to the rapid adoption of IoT products and services to automate tasks and provide efficiencies in many market areas. While these technologies can dramatically advance the capabilities of those users and businesses, they pose a potential cyber and privacy risk to the end user. The end user typically assumes that these products have undergone some level of security testing and evaluation, and therefore that they pose no direct risk to the user or their business. However, the significant increase in purpose-built malware for IoT and related products, including the sizable increase in botnet activity from weaponized devices, indicates that many of these products have not been designed or tested for security.
Scope
1.1
This Document describes a methodology for assessing the product software and cybersecurity maturity of an organization. It provides evaluators and vendors a means to determine the maturity of the organization and of the products/solutions being developed, regardless of business sector. It covers the entire product system life cycle from conception to full commissioning and on to end of life. Its premise is an effective executive business decision to establish a comprehensive maturity model approach to cybersecurity.
This Document applies to all IoT and related products/solutions.
1.2
In this Document, shall is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the document; should is used to express a recommendation or that which is advised but not required; and may is used to express an option or that which is permissible within the limits of the Document.
Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate explanatory or informative material from the text.
Notes to tables and figures are considered part of the table or figure and may be written as requirements.
Annexes are designated normative (mandatory) or informative (non-mandatory) to define their application.