1.4 Roles

The following roles are referred to within this standard:

  • IT Security Function: Organizational entity or person that is responsible for establishing and maintaining IT security requirements and checking compliance with them - e.g. by conducting security sign-offs with projects and teams. The relevant IT security function may be a security officer dedicated to a particular project or team.

  • Security Champion[1]: Team-internal technical expert (e.g. developer), contact and coordinator for security within a team (e.g. a development team). The responsibilities of this role include:

    • Security contact and enabler for a specific team.

    • Understands the relevant security requirements and ensures and assures compliance with them within the team.

    • Identifies and manages security risks.

    • Verifies correct implementation of security-relevant requirements.

    • Continuously verifies and improves the effectiveness of implemented security checks and controls, their automation, and the periodic assessment of security findings from tools.

    • Participates in internal security discussions (e.g. security Jour Fixe) or security communities.

  • Developer: (Software) developers have the following responsibilities:

    • Have general security know-how of the technologies they work with and keep it up to date continuously.

    • Are capable of avoiding, finding and fixing vulnerabilities.

  • (Development) Team: Responsible for the security of the software artifacts it develops, maintains or operates. Continuously verifies and improves the effectiveness of implemented security checks and controls, their automation, and the periodic assessment of security findings from tools.

References to these roles are indicated with italic formatting in this standard.


[1] See SAFECode “Software Security Takes a Champion”, http://safecode.org/wp-content/uploads/2019/02/Security-Champions-2019-.pdf