Trustmark Definitions (776-800 of 3247)

Trustmark Definition Name Version
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to create a security assessment plan.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to implement a security assessment plan.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform integration testing/evaluation at an organization-defined level of depth and coverage.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform regression testing/evaluation at an organization-defined level of depth and coverage.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to produce the results of the security testing/evaluation.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform system testing/evaluation at an organization-defined level of depth and coverage.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform unit testing/evaluation at an organization-defined level of depth and coverage.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
1.0
Defines conformance and assessment criteria for verifying that an organization: (a) Requires an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and (b) Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform penetration testing at organization-defined breadth/depth and with organization-defined constraints.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at organization-defined depth of testing/evaluation.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents the specific tool options and tool configurations used in the development process.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents, manages, and ensures the integrity of changes to the process used in development.
1.0
Defines conformance and assessment criteria for verifying that an organization reviews the development process, standards, tools, and tool options/configurations at an organization-defined frequency to determine if the process employed can satisfy organization-defined security requirements.
1.0
Defines conformance and assessment criteria for verifying that an organization requires the developer of the information system, system component, or information system service to follow a documented development process that explicitly addresses security requirements.
1.0
Defines conformance and assessment criteria for verifying that an organization reviews the development process, standards, tools, and tool options/configurations at an organization-defined frequency to determine if the standards employed can satisfy organization-defined security requirements.
1.0
Defines conformance and assessment criteria for verifying that an organization reviews the development process, standards, tools, and tool options/configurations at an organization-defined frequency to determine if the tool options/configurations selected and employed can satisfy organization-defined security requirements.
1.0