OWASP Software Assurance Maturity Model (SAMM)

Version: 2.0

Description: Our mission is to provide an effective and measurable way for all types of organizations to analyze and improve their
software security posture. We want to raise awareness and educate organizations on how to design, develop, and deploy
secure software through our self-assessment model.

License: Creative Commons Attribution-ShareAlike 4.0 License


This work is licensed under the Creative Commons Attribution-Share Alike 3.0 License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/legalcode or send a letter to Creative Commons, 171 2nd Street,
Suite 300, San Francisco, California, 94105, USA.

Element: Toolbox for v2.0


Authors: Yan Kravchenko
Contributors: The SAMM project team

Element: Toolbox for v1.5


Authors: Brian Glas

Element: Roadmap Chart Template v1.0


Author: Colin Watson
Contributors: Aidan Lynch

Element: Interview Template v1.0


Author(s): Nick Coblentz, Eoin Keary, and Seba Deleersnyder
Contributors:

SAMM The Software Assurance Maturity Model (SAMM) was created by Pravir Chandra and is now an Open Web Application
Security Project (OWASP) project.
SAMM is licensed under the Creative Commons Attribution-Share Alike 4.0 License
https://owaspsamm.org/
SAMM Assessment Interview: For

Instructions
Interview an individual based on the questions below organized according to SAMM Business Functions and Security Practices.
Select the best answer from the multiple choice drop down selections in the answer column.
Document additional information such as how and why in the "Interview Notes" column.
The formulas in hidden columns F-H will calculate the scores and update the Rating boxes and other worksheets as needed.
Once the interview is complete, go to the "Scorecard" sheet and follow instructions.

Organization:
Team/Application:
Interview Date:
Team Lead:

Contributors:

Governance

Security Practice: Strategy & Metrics    [Answer | Interview Notes | Rating: 0.00]

Stream: Create and Promote

Level 1: Do you understand the enterprise-wide risk appetite for your applications?
    You capture the risk appetite of your organization's executive leadership
    The organization's leadership vet and approve the set of risks
    You identify the main business and technical threats to your assets and data
    You document risks and store them in an accessible location

Level 2: Do you have a strategic plan for application security and use it to make decisions?
    The plan reflects the organization's business priorities and risk appetite
    The plan includes measurable milestones and a budget
    The plan is consistent with the organization's business drivers and risks
    The plan lays out a roadmap for strategic and tactical initiatives
    You have buy-in from stakeholders, including development teams

Level 3: Do you regularly review and update the Strategic Plan for Application Security?
    You review and update the plan in response to significant changes in the business environment, the organization, or its risk appetite
    Plan update steps include reviewing the plan with all the stakeholders and updating the business drivers and strategies
    You adjust the plan and roadmap based on lessons learned from completed roadmap activities
    You publish progress information on roadmap activities, making sure they are available to all stakeholders

Stream: Measure and Improve

Level 1: Do you use a set of metrics to measure the effectiveness and efficiency of the application security program across applications?
    You document each metric, including a description of the sources, measurement coverage, and guidance on how to use it to explain application security trends
    Metrics include measures of efforts, results, and the environment measurement categories
    Most of the metrics are frequently measured, easy or inexpensive to gather, and expressed as a cardinal number or a percentage
    Application security and development teams publish metrics

Level 2: Did you define Key Performance Indicators (KPI) from available application security metrics?
    You defined KPIs after gathering enough information to establish realistic objectives
    You developed KPIs with the buy-in from the leadership and teams responsible for application security
    KPIs are available to the application teams and include acceptability thresholds and guidance in case teams need to take action
    Success of the application security program is clearly visible based on defined KPIs

Level 3: Do you update the Application Security strategy and roadmap based on application security metrics and KPIs?
    You review KPIs at least yearly for their efficiency and effectiveness
    KPIs and application security metrics trigger most of the changes to the application security strategy

Security Practice: Policy & Compliance    [Answer | Interview Notes | Rating: 0.00]

Stream: Policy & Standards

Level 1: Do you have and apply a common set of policies and standards throughout your organization?
    You have adapted existing standards appropriate for the organization's industry to account for domain-specific considerations
    Your standards are aligned with your policies and incorporate technology-specific implementation guidance

Level 2: Do you publish the organization's policies as test scripts or run-books for easy interpretation by development teams?
    You create verification checklists and test scripts where applicable, aligned with the policy's requirements and the implementation guidance in the associated standards
    You create versions adapted to each development methodology and technology the organization uses

Level 3: Do you regularly report on policy and standard compliance, and use that information to guide compliance improvement efforts?
    You have procedures (automated, if possible) to regularly generate compliance reports
    You deliver compliance reports to all relevant stakeholders
    Stakeholders use the reported compliance status information to identify areas for improvement

Stream: Compliance Management

Level 1: Do you have a complete picture of your external compliance obligations?
    You have identified all sources of external compliance obligations
    You have captured and reconciled compliance obligations from all sources

Level 2: Do you have a standard set of security requirements and verification procedures addressing the organization's external compliance obligations?
    You map each external compliance obligation to a well-defined set of application requirements
    You define verification procedures, including automated tests, to verify compliance with compliance-related requirements

Level 3: Do you regularly report on adherence to external compliance obligations and use that information to guide efforts to close compliance gaps?
    You have established, well-defined compliance metrics
    You measure and report on applications' compliance metrics regularly
    Stakeholders use the reported compliance status information to identify compliance gaps and prioritize gap remediation efforts

Security Practice: Education & Guidance    [Answer | Interview Notes | Rating: 0.00]

Stream: Training and Awareness

Level 1: Do you require employees involved with application development to take SDLC training?
    Training is repeatable, consistent, and available to anyone involved with software development lifecycle
    Training includes the latest OWASP Top 10 if appropriate and includes concepts such as Least Privilege, Defense-in-Depth, Fail Secure (Safe), Complete Mediation, Session Management, Open Design, and Psychological Acceptability
    Training requires a sign-off or an acknowledgement from attendees
    You have updated the training in the last 12 months
    Training is required during employees' onboarding process

Level 2: Is training customized for individual roles such as developers, testers, or security champions?
    Training includes all topics from maturity level 1, and adds more specific tools, techniques, and demonstrations
    Training is mandatory for all employees and contractors
    Training includes input from in-house SMEs and trainees
    Training includes demonstrations of tools and techniques developed in-house
    You use feedback to enhance and make future training more relevant

Level 3: Have you implemented a Learning Management System or equivalent to track employee training and certification processes?
    A Learning Management System (LMS) is used to track trainings and certifications
    Training is based on internal standards, policies, and procedures
    You use certification programs or attendance records to determine access to development systems and resources

Stream: Organization and Culture

Level 1: Have you identified a Security Champion for each development team?
    Security Champions receive appropriate training
    Application Security and Development teams receive periodic briefings from Security Champions on the overall status of security initiatives and fixes
    The Security Champion reviews the results of external testing before adding to the application backlog

Level 2: Does the organization have a Secure Software Center of Excellence (SSCE)?
    The SSCE has a charter defining its role in the organization
    Development teams review all significant architectural changes with the SSCE
    The SSCE publishes SDLC standards and guidelines related to Application Security
    Product Champions are responsible for promoting the use of specific security tools

Level 3: Is there a centralized portal where developers and application security professionals from different teams and business units are able to communicate and share information?
    The organization promotes use of a single portal across different teams and business units
    The portal is used for timely information such as notification of security incidents, tool updates, architectural standard changes, and other related announcements
    The portal is widely recognized by developers and architects as a centralized repository of the organization-specific application security information
    All content is considered persistent and searchable
    The portal provides access to application-specific security metrics

Design

Security Practice: Threat Assessment    [Answer | Interview Notes | Rating: 0.00]

Stream: Application Risk Profile

Level 1: Do you classify applications according to business risk based on a simple and predefined set of questions?
    An agreed-upon risk classification exists
    The application team understands the risk classification
    The risk classification covers critical aspects of business risks the organization is facing
    The organization has an inventory for the applications in scope

Level 2: Do you use centralized and quantified application risk profiles to evaluate business risk?
    The application risk profile is in line with the organizational risk standard
    The application risk profile covers impact to security and privacy
    You validate the quality of the risk profile manually and/or automatically
    The application risk profiles are stored in a central inventory

Level 3: Do you regularly review and update the risk profiles for your applications?
    The organizational risk standard considers historical feedback to improve the evaluation method
    Significant changes in the application or business context trigger a review of the relevant risk profiles

Stream: Threat Modeling

Level 1: Do you identify and manage architectural design flaws with threat modeling?
    You perform threat modeling for high-risk applications
    You use simple threat checklists, such as STRIDE
    You persist the outcome of a threat model for later use

Level 2: Do you use a standard methodology, aligned on your application risk levels?
    You train your architects, security champions, and other stakeholders on how to do practical threat modeling
    Your threat modeling methodology includes at least diagramming, threat identification, design flaw mitigations, and how to validate your threat model artifacts
    Changes in the application or business context trigger a review of the relevant threat models
    You capture the threat modeling artifacts with tools that are used by your application teams

Level 3: Do you regularly review and update the threat modeling methodology for your applications?
    The threat model methodology considers historical feedback for improvement
    You regularly (e.g., yearly) review the existing threat models to verify that no new threats are relevant for your applications
    You automate parts of your threat modeling process with threat modeling tools
Security Practice: Security Requirements    [Answer | Interview Notes | Rating: 0.00]

Stream: Software Requirements

Level 1: Do project teams specify security requirements during development?
    Teams derive security requirements from functional requirements and customer or organization concerns
    Security requirements are specific, measurable, and reasonable
    Security requirements are in line with the organizational baseline

Level 2: Do you define, structure, and include prioritization in the artifacts of the security requirements gathering process?
    Security requirements take into consideration domain specific knowledge when applying policies and guidance to product development
    Domain experts are involved in the requirements definition process
    You have an agreed upon structured notation for security requirements
    Development teams have a security champion dedicated to reviewing security requirements and outcomes

Level 3: Do you use a standard requirements framework to streamline the elicitation of security requirements?
    A security requirements framework is available for project teams
    The framework is categorized by common requirements and standards-based requirements
    The framework gives clear guidance on the quality of requirements and how to describe them
    The framework is adaptable to specific business requirements

Stream: Supplier Security

Level 1: Do stakeholders review vendor collaborations for security requirements and methodology?
    You consider including specific security requirements, activities, and processes when creating third-party agreements
    A vendor questionnaire is available and used to assess the strengths and weaknesses of your suppliers

Level 2: Do vendors meet the security responsibilities and quality measures of service level agreements defined by the organization?
    You discuss security requirements with the vendor when creating vendor agreements
    Vendor agreements provide specific guidance on security defect remediation within an agreed upon timeframe
    The organization has a templated agreement of responsibilities and service levels for key vendor security processes
    You measure key performance indicators

Level 3: Are vendors aligned with standard security controls and software development tools and processes that the organization utilizes?
    The vendor has a secure SDLC that includes secure build, secure deployment, defect management, and incident management that align with those used in your organization
    You verify the solution meets quality and security objectives before every major release
    When standard verification processes are not available, you use compensating controls such as software composition analysis and independent penetration testing

Security Practice: Secure Architecture    [Answer | Interview Notes | Rating: 0.00]

Stream: Architecture Design

Level 1: Do teams use security principles during design?
    You have an agreed upon checklist of security principles
    You store your checklist in an accessible location
    Relevant stakeholders understand security principles

Level 2: Do you use shared security services during design?
    You have a documented list of reusable security services, available to relevant stakeholders
    You have reviewed the baseline security posture for each selected service
    Your designers are trained to integrate each selected service following available guidance

Level 3: Do you base your design on available reference architectures?
    You have one or more approved reference architectures documented and available to stakeholders
    You improve the reference architectures continuously based on insights and best practices
    You provide a set of components, libraries, and tools to implement each reference architecture

Stream: Technology Management

Level 1: Do you evaluate the security quality of important technologies used for development?
    You have a list of the most important technologies used in, or in support of, each application
    You identify and track technological risks
    You ensure the risks to these technologies are in line with the organizational baseline

Level 2: Do you have a list of recommended technologies for the organization?
    The list is based on technologies used in the software portfolio
    Lead architects and developers review and approve the list
    You share the list across the organization
    You review and update the list at least yearly

Level 3: Do you enforce the use of recommended technologies within the organization?
    You monitor applications regularly for the correct use of the recommended technologies
    You solve violations against the list according to organizational policies
    You take action if the number of violations falls outside the yearly objectives
Implementation

Security Practice: Secure Build    [Answer | Interview Notes | Rating: 0.00]

Stream: Build Process

Level 1: Is your full build process formally described?
    You have enough information to recreate the build processes
    Your build documentation is up to date
    Your build documentation is stored in an accessible location
    Produced artifact checksums are created during build to support later verification
    You harden the tools that are used within the build process

Level 2: Is the build process fully automated?
    The build process itself doesn't require any human interaction
    Your build tools are hardened as per best practice and vendor guidance
    You encrypt the secrets required by the build tools and control access based on the principle of least privilege

Level 3: Do you enforce automated security checks in your build processes?
    Builds fail if the application doesn't meet a predefined security baseline
    You have a maximum accepted severity for vulnerabilities
    You log warnings and failures in a centralized system
    You select and configure tools to evaluate each application against its security requirements at least once a year

Stream: Software Dependencies

Level 1: Do you have solid knowledge about dependencies you're relying on?
    You have a current bill of materials (BOM) for every application
    You can quickly find out which applications are affected by a particular CVE
    You have analyzed, addressed, and documented findings from dependencies at least once in the last three months

Level 2: Do you handle 3rd party dependency risk by a formal process?
    You keep a list of approved dependencies that meet predefined criteria
    You automatically evaluate dependencies for new CVEs and alert responsible staff
    You automatically detect and alert to license changes with possible impact on legal application usage
    You track and alert to usage of unmaintained dependencies
    You reliably detect and remove unnecessary dependencies from the software

Level 3: Do you prevent build of software if it's affected by vulnerabilities in dependencies?
    Your build system is connected to a system for tracking 3rd party dependency risk, causing build to fail unless the vulnerability is evaluated to be a false positive or the risk is explicitly accepted
    You scan your dependencies using a static analysis tool
    You report findings back to dependency authors using an established responsible disclosure process
    Using a new dependency not evaluated for security risks causes the build to fail
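The Secure Build criteria above (a maximum accepted severity, a BOM that answers "which applications are affected by this CVE?", an approved-dependency list, and a build that fails unless a finding is a documented false positive or an explicitly accepted risk) are easiest to reason about as one policy gate. The following is an added example, not the SAMM toolbox's own code: the application BOMs, the advisory feed (fictional EX-* identifiers), the approved list and the exception register are all constructed inline, and a real pipeline would read the BOM from a CycloneDX/SPDX file and advisories from a vulnerability database with proper version-range semantics.

```python
"""Dependency risk gate for a build pipeline (added example; all data constructed)."""
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed bill of materials: application -> [(package, version), ...]
BOM = {
    "billing-api": [("libxml-ish", "2.9.9"), ("webfw", "4.17.1"), ("leftpad", "1.0.0")],
    "portal-ui": [("libxml-ish", "2.9.12"), ("webfw", "4.18.0")],
}

# Constructed advisory feed with fictional IDs: a version is affected if it is < fixed_in
ADVISORIES = [
    {"id": "EX-2024-0001", "package": "libxml-ish", "fixed_in": "2.9.11", "severity": "critical"},
    {"id": "EX-2024-0002", "package": "webfw", "fixed_in": "4.17.2", "severity": "medium"},
    {"id": "EX-2024-0003", "package": "webfw", "fixed_in": "4.18.1", "severity": "low"},
]

# Level 2: dependencies that met the predefined criteria (constructed)
APPROVED = {"libxml-ish", "webfw"}

# Level 3: reviewed exceptions (false positive or accepted risk), each with an expiry (constructed)
EXCEPTIONS = {
    ("billing-api", "EX-2024-0002"): {
        "reason": "false positive: vulnerable code path is not compiled in",
        "expires": date(2024, 6, 30),
    },
}


def parse_version(version):
    """Numeric dotted versions only; real tooling needs a full semver parser."""
    return tuple(int(part) for part in version.split("."))


def findings_for(package, version):
    """All advisories whose fixed_in is newer than the installed version."""
    return [adv for adv in ADVISORIES
            if adv["package"] == package
            and parse_version(version) < parse_version(adv["fixed_in"])]


def affected_applications(advisory_id):
    """Answer 'which applications are affected by advisory X?' straight from the BOM."""
    return sorted(app for app, components in BOM.items()
                  if any(adv["id"] == advisory_id
                         for pkg, ver in components for adv in findings_for(pkg, ver)))


def gate(app, max_severity="medium", today=date(2024, 1, 15)):
    """Return (passed, messages). The build fails on any unapproved dependency and on any
    finding above max_severity that has no unexpired, documented exception."""
    failures, notes = [], []
    for package, version in BOM[app]:
        if package not in APPROVED:
            failures.append(f"{package}@{version}: not on the approved dependency list")
        for adv in findings_for(package, version):
            exc = EXCEPTIONS.get((app, adv["id"]))
            if exc is not None and exc["expires"] >= today:
                notes.append(f"{adv['id']} ({package}@{version}): accepted until "
                             f"{exc['expires']}: {exc['reason']}")
            elif SEVERITY_RANK[adv["severity"]] > SEVERITY_RANK[max_severity]:
                failures.append(f"{adv['id']} ({package}@{version}): {adv['severity']} "
                                f"exceeds max {max_severity}")
            else:
                notes.append(f"{adv['id']} ({package}@{version}): {adv['severity']} "
                             "within policy, track as a defect")
    return (not failures, failures + notes)


if __name__ == "__main__":
    for app in BOM:
        passed, messages = gate(app)
        print(f"{app}: {'PASS' if passed else 'FAIL'}")
        for message in messages:
            print("   ", message)
    print("affected by EX-2024-0001:", affected_applications("EX-2024-0001"))
```

Exceptions carry an expiry on purpose: an accepted risk that never comes back for review quietly becomes permanent, so the gate re-fails the build once the acceptance lapses.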

Security Practice: Secure Deployment    [Answer | Interview Notes | Rating: 0.00]

Stream: Deployment Process

Level 1: Do you use repeatable deployment processes?
    You have enough information to run the deployment processes
    Your deployment documentation is up to date
    Your deployment documentation is accessible to relevant stakeholders
    You ensure that only defined qualified personnel can trigger a deployment
    You harden the tools that are used within the deployment process

Level 2: Are deployment processes automated and employing security checks?
    Deployment processes are automated on all stages
    Deployment includes automated security testing procedures
    You alert responsible staff to identified vulnerabilities
    You have logs available for your past deployments for a defined period of time

Level 3: Do you consistently validate the integrity of deployed artifacts?
    You prevent or roll back deployment if you detect an integrity breach
    The verification is done against signatures created during the build time
    If checking of signatures is not possible (e.g. externally built software), you introduce compensating measures
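The build-time checksum criterion under Secure Build and the deploy-time integrity criteria above describe one mechanism: the build records what it produced, and the deployment refuses anything that does not match. The following is an added example, not SAMM project code. It assumes artifacts are handed over as in-memory bytes (constructed below) rather than files, and it authenticates the manifest with an HMAC key held by the build system. A production pipeline should sign the manifest with an asymmetric key (Sigstore/cosign, minisign or GPG) so that deploy hosts hold only the public key and cannot forge a manifest; the HMAC keeps this example standard-library only.

```python
"""Artifact integrity: manifest at build time, verification before deployment
(added example; HMAC stands in for a real signature)."""
import hashlib
import hmac
import json


class IntegrityError(Exception):
    """Raised when the manifest or an artifact fails verification."""


def build_manifest(artifacts, key):
    """Build step: hash every produced artifact and authenticate the manifest.
    Returns (manifest_bytes, tag_hex); both ship with the release."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(artifacts.items())}
    manifest = json.dumps({"artifacts": digests}, sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_for_deploy(manifest, tag, artifacts, key):
    """Deploy step: check the manifest's authenticity first, then every artifact against it.
    Raises IntegrityError before anything is written; returns the verified digests."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise IntegrityError("manifest authentication failed (tampered manifest or wrong key)")
    digests = json.loads(manifest)["artifacts"]
    # An extra or missing artifact is as suspicious as a changed one.
    if set(digests) != set(artifacts):
        raise IntegrityError("artifact set differs from manifest: "
                             f"manifest={sorted(digests)} deploy={sorted(artifacts)}")
    for name, data in artifacts.items():
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, digests[name]):
            raise IntegrityError(f"{name}: digest mismatch")
    return digests


def deploy(manifest, tag, artifacts, key, target):
    """Verify, then swap the release in. On failure the previous release stays in place.
    `target` is a dict standing in for the live deployment directory."""
    try:
        verify_for_deploy(manifest, tag, artifacts, key)
    except IntegrityError as exc:
        return f"refused: {exc}"
    target.clear()
    target.update(artifacts)
    return "deployed"


if __name__ == "__main__":
    key = b"constructed-build-system-key"
    release = {"app.jar": b"release-1 bytes", "config.yml": b"feature_x: on\n"}
    manifest, tag = build_manifest(release, key)
    live = {}
    print(deploy(manifest, tag, release, key, live))
    tampered = dict(release, **{"app.jar": b"release-1 bytes plus backdoor"})
    print(deploy(manifest, tag, tampered, key, live))
    print(deploy(manifest, tag, {"app.jar": release["app.jar"]}, key, live))
```

Note the order inside `verify_for_deploy`: the manifest is authenticated before any digest from it is trusted, otherwise an attacker who can replace an artifact can replace the manifest beside it just as easily.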

Stream: Secret Management

Level 1: Do you limit access to application secrets according to the least privilege principle?
    You store production secrets protected in a secured location
    Developers do not have access to production secrets
    Production secrets are not available in non-production environments

Level 2: Do you inject production secrets into configuration files during deployment?
    Source code files no longer contain active application secrets
    Under normal circumstances, no humans access secrets during deployment procedures
    You log and alert when abnormal secrets access is attempted

Level 3: Do you practice proper lifecycle management for application secrets?
    You generate and synchronize secrets using a vetted solution
    Secrets are different between different application instances
    Secrets are regularly updated
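"Source code files no longer contain active application secrets" is only verifiable if something checks for them, and a template that references the secret store (an environment variable or a `${...}` placeholder filled in at deployment) must not be reported as a finding, since that is the desired state. The following scanner is an added example, not SAMM project code: the sample files are constructed, the only real identifier format used is the AWS access key ID prefix, and the sample key is the one AWS uses in its own documentation. Real setups run a scanner like this in CI and as a pre-commit hook, and also search git history.

```python
"""Scan source and config files for live secrets (added example; sample files constructed)."""
import math
import re

# (label, pattern). Where a pattern captures groups, the last group is the secret value.
RULES = [
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("assigned credential",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Values that are clearly not live secrets: template placeholders and secret-store lookups.
PLACEHOLDERS = {"changeme", "example", "placeholder", "<redacted>", "xxxxxxxx"}
INDIRECTION = ("${", "os.environ", "getenv(", "{{")


def shannon_entropy(value):
    """Bits per character; random keys score high, words and repeated characters score low."""
    if not value:
        return 0.0
    length = len(value)
    return -sum((n / length) * math.log2(n / length)
                for n in (value.count(c) for c in set(value)))


def redact(value):
    """Findings are logged; the secret itself must never end up in the log."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_file(path, text):
    """Return findings for one file as dicts: path, line, rule, entropy, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if value.lower() in PLACEHOLDERS or any(tok in line for tok in INDIRECTION):
                continue  # reference to a secret store or a template placeholder
            findings.append({"path": path, "line": lineno, "rule": label,
                             "entropy": round(shannon_entropy(value), 2),
                             "redacted": redact(value)})
    return findings


def scan_tree(files):
    """files: {path: text}. A non-empty result should fail the commit or the build."""
    return [f for path, text in sorted(files.items()) for f in scan_file(path, text)]


# Constructed sample tree for a hypothetical project
SAMPLE_FILES = {
    "settings.py": 'DB_PASSWORD = "s3cr3t-prod-pa55"\nAPI_KEY = os.environ["API_KEY"]\n',
    "deploy.yml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    "config.template": 'db_password: "${DB_PASSWORD}"\n',
    "README.md": 'password = "changeme"\n',
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['redacted']}, entropy {f['entropy']})")
```

Only `settings.py` and `deploy.yml` produce findings; the template and the README reference or placeholder values and are skipped. Entropy is reported rather than used as a filter, because a low-entropy production password committed to source is still a live secret.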
Security Practice: Defect Management    [Answer | Interview Notes | Rating: 0.00]

Stream: Defect Tracking

Level 1: Do you track all known security defects in accessible locations?
    You can easily get an overview of all security defects impacting one application
    You have at least a rudimentary classification scheme in place
    The process includes a strategy for handling false positives and duplicate entries
    The defect management system covers defects from various sources and activities

Level 2: Do you keep an overview of the state of security defects across the organization?
    A single severity scheme is applied to all defects across the organization
    The scheme includes SLAs for fixing particular severity classes
    You regularly report compliance to SLAs

Level 3: Do you enforce SLAs for fixing security defects?
    You automatically alert of SLA breaches and transfer respective defects to the risk management process
    You integrate relevant tooling (e.g. monitoring, build, deployment) with the defect management system

Stream: Metrics and Feedback

Level 1: Do you use basic metrics about recorded security defects to carry out quick win improvement activities?
    You analyzed your recorded metrics at least once in the last year
    At least basic information about this initiative is recorded and available
    You have identified and carried out at least one quick win activity based on the data

Level 2: Do you improve your security assurance program upon standardized metrics?
    You document metrics for defect classification and categorization and keep them up to date
    Executive management regularly receives information about defects and has acted upon it in the last year
    You regularly share technical details about security defects among teams

Level 3: Do you regularly evaluate the effectiveness of your security metrics so that its input helps drive your security strategy?
    You have analyzed the effectiveness of the security metrics at least once in the last year
    Where possible, you verify the correctness of the data automatically
    The metrics are aggregated with other sources like threat intelligence or incident management
    You derived at least one strategic activity from the metrics in the last year

Verification

Security Practice: Architecture Assessment    [Answer | Interview Notes | Rating: 0.00]

Stream: Architecture Validation

Level 1: Do you review the application architecture for key security objectives on an ad-hoc basis?
    You have an agreed upon model of the overall software architecture
    You include components, interfaces, and integrations in the architecture model
    You verify the correct provision of general security mechanisms
    You log missing security controls as defects

Level 2: Do you regularly review the security mechanisms of your architecture?
    You review compliance with internal and external requirements
    You systematically review each interface in the system
    You use a formalized review method and structured validation
    You log missing security mechanisms as defects

Level 3: Do you regularly review the effectiveness of the security controls?
    You evaluate the preventive, detective, and response capabilities of security controls
    You evaluate the strategy alignment, appropriate support, and scalability of security controls
    You evaluate the effectiveness at least yearly
    You log identified shortcomings as defects

Stream: Architecture Mitigation

Level 1: Do you review the application architecture for mitigations of typical threats on an ad-hoc basis?
    You have an agreed upon model of the overall software architecture
    Security savvy staff conduct the review
    You consider different types of threats, including insider and data-related ones

Level 2: Do you regularly evaluate the threats to your architecture?
    You systematically review each threat identified in the Threat Assessment
    Trained or experienced people lead the review exercise
    You identify mitigating design-level features for each identified threat
    You log unhandled threats as defects

Level 3: Do you regularly update your reference architectures based on architecture assessment findings?
    You assess your architectures in a standardized, documented manner
    You use recurring findings to trigger a review of reference architectures
    You independently review the quality of the architecture assessments on an ad-hoc basis
    You use reference architecture updates to trigger reviews of relevant shared solutions, in a risk-based manner

Security Practice: Requirements-driven Testing    [Answer | Interview Notes | Rating: 0.00]

Stream: Control Verification

Level 1: Do you test applications for the correct functioning of standard security controls?
    Security testing at least verifies the implementation of authentication, access control, input validation, encoding and escaping data, and encryption controls
    Security testing executes whenever the application changes its use of the controls

Level 2: Do you consistently write and execute test scripts to verify the functionality of security requirements?
    You tailor tests to each application and assert expected security functionality
    You capture test results as a pass or fail condition
    Tests use a standardized framework or DSL

Level 3: Do you automatically test applications for security regressions?
    You consistently write tests for all identified bugs (possibly exceeding a pre-defined severity threshold)
    You collect security tests in a test suite that is part of the existing unit testing framework

Stream: Misuse/Abuse Testing

Level 1: Do you test applications using randomization or fuzzing techniques?
    Testing covers most or all of the application's main input parameters
    You record and inspect all application crashes for security impact on a best-effort basis

Level 2: Do you create abuse cases from functional requirements and use them to drive security tests?
    Important business functionality has corresponding abuse cases
    You build abuse stories around relevant personas with well-defined motivations and characteristics
    You capture identified weaknesses as security requirements

Level 3: Do you perform denial of service and security stress testing?
    Stress tests target specific application resources (e.g. memory exhaustion by saving large amounts of data to a user session)
    You design tests around relevant personas with well-defined capabilities (knowledge, resources)
    You feed the results back to the Design practices
Security Practice: Security Testing    [Answer | Interview Notes | Rating: 0.00]

Stream: Scalable Baseline

Level 1: Do you scan applications with automated security testing tools?
    You dynamically generate inputs for security tests using automated tools
    You choose the security testing tools to fit the organization's architecture and technology stack, and balance depth and accuracy of inspection with usability of findings to the organization

Level 2: Do you customize the automated security tools to your applications and technology stacks?
    You tune and select tool features which match your application or technology stack
    You minimize false positives by silencing or automatically filtering irrelevant warnings or low probability findings
    You minimize false negatives by leveraging tool extensions or DSLs to customize tools for your application or organizational standards

Level 3: Do you integrate automated security testing into the build and deploy process?
    Management and business stakeholders track and review test results throughout the development cycle
    You merge test results into a central dashboard and feed them into defect management

Stream: Deep Understanding

Level 1: Do you manually review the security quality of selected high-risk components?
    Criteria exist to help the reviewer focus on high-risk components
    Qualified personnel conduct reviews following documented guidelines
    You address findings in accordance with the organization's defect management policy

Level 2: Do you perform penetration testing for your applications at regular intervals?
    Penetration testing uses application-specific security test cases to evaluate security
    Penetration testing looks for both technical and logical issues in the application
    Stakeholders review the test results and handle them in accordance with the organization's risk management
    Qualified personnel perform penetration testing

Level 3: Do you use the results of security testing to improve the development lifecycle?
    You use results from other security activities to improve integrated security testing during development
    You review test results and incorporate them into security awareness training and security testing playbooks
    Stakeholders review the test results and handle them in accordance with the organization's risk management
Operations

Security Practice: Incident Management    [Answer | Interview Notes | Rating: 0.00]

Stream: Incident Detection

Level 1: Do you analyze log data for security incidents periodically?
    You have a contact point for the creation of security incidents
    You analyze data in accordance with the log data retention periods
    The frequency of this analysis is aligned with the criticality of your applications

Level 2: Do you follow a documented process for incident detection?
    The process has a dedicated owner
    You store process documentation in an accessible location
    The process considers an escalation path for further analysis
    You train employees responsible for incident detection in this process
    You have a checklist of potential attacks to simplify incident detection

Level 3: Do you review and update the incident detection process regularly?
    You perform reviews at least annually
    You update the checklist of potential attacks with external and internal data
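A "checklist of potential attacks" only simplifies detection once each entry is turned into logic that runs over the logs. The following is an added example, not SAMM project code, of two checklist entries implemented over authentication logs: a burst of login failures from one source, and the case worth escalating first, a successful login from a source that is currently over that threshold. The log format, the hypothetical "portal" application and the log lines (documentation-range source addresses) are all constructed; a real job reads from the central log store and opens an incident through the contact point the process defines.

```python
"""Periodic log analysis for two incident-detection checklist entries (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp followed by key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse(line):
    """Return a record dict or None; unparseable lines are skipped (count them in production)."""
    match = LINE_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return record


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts from a stream of log lines.
    brute_force: at least `threshold` login failures from one source inside `window` (alerted once per source).
    success_after_failures: a login succeeds from a source that is currently over the threshold."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    already_alerted = set()
    alerts = []
    for record in filter(None, (parse(line) for line in lines)):
        queue = recent_failures[record["src"]]
        while queue and record["ts"] - queue[0] > window:
            queue.popleft()  # slide the window forward
        if record["event"] == "login_failure":
            queue.append(record["ts"])
            if len(queue) >= threshold and record["src"] not in already_alerted:
                already_alerted.add(record["src"])
                alerts.append({"rule": "brute_force", "src": record["src"],
                               "failures": len(queue), "at": record["ts"].isoformat()})
        elif record["event"] == "login_success" and len(queue) >= threshold:
            alerts.append({"rule": "success_after_failures", "src": record["src"],
                           "user": record["user"], "failures": len(queue),
                           "at": record["ts"].isoformat()})
    return alerts


# Constructed sample: a burst from one source, then slow scattered failures from another
SAMPLE_LOG = """\
2024-03-01T09:00:05Z app=portal event=login_failure user=bob src=198.51.100.7
2024-03-01T09:00:09Z app=portal event=login_failure user=bob src=198.51.100.7
2024-03-01T09:00:14Z app=portal event=login_failure user=alice src=198.51.100.7
2024-03-01T09:00:20Z app=portal event=login_failure user=bob src=198.51.100.7
2024-03-01T09:00:25Z app=portal event=login_failure user=bob src=198.51.100.7
2024-03-01T09:00:31Z app=portal event=login_failure user=bob src=198.51.100.7
2024-03-01T09:00:40Z app=portal event=login_success user=bob src=198.51.100.7
2024-03-01T09:05:00Z app=portal event=login_failure user=carol src=203.0.113.5
2024-03-01T09:15:00Z app=portal event=login_failure user=carol src=203.0.113.5
2024-03-01T09:25:00Z app=portal event=login_failure user=carol src=203.0.113.5
2024-03-01T09:35:00Z app=portal event=login_failure user=carol src=203.0.113.5
2024-03-01T09:45:00Z app=portal event=login_failure user=carol src=203.0.113.5
2024-03-01T09:46:00Z app=portal event=login_success user=carol src=203.0.113.5
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The sliding window is what keeps carol's five failures spread over forty minutes from alerting while bob's six within thirty seconds do; the threshold and window are the tuning knobs the analysis frequency and application criticality should set.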

Stream: Incident Response

Level 1: Do you respond to detected incidents?
    You have a defined person or role for incident handling
    You document security incidents

Level 2: Do you use a repeatable process for incident handling?
    You have an agreed upon incident classification
    The process considers Root Cause Analysis for high severity incidents
    Employees responsible for incident response are trained in this process
    Forensic analysis tooling is available

Level 3: Do you have a dedicated incident response team available?
    The team performs Root Cause Analysis for all security incidents unless there is a specific reason not to do so
    You review and update the response process at least annually
Environment Management

Configuration Hardening
  1  Do you harden configurations for key components of your technology stacks?
     - You have identified the key components in each technology stack used
     - You have an established configuration standard for each key component
  2  Do you have hardening baselines for your components?
     - You have assigned an owner for each baseline
     - The owner keeps their assigned baselines up to date
     - You store baselines in an accessible location
     - You train employees responsible for configurations in these baselines
  3  Do you monitor and enforce conformity with hardening baselines?
     - You perform conformity checks regularly, preferably using automation
     - You store conformity check results in an accessible location
     - You follow an established process to address reported non-conformities
     - You review each baseline at least annually, and update it when required
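An added example (not the toolbox's or the spreadsheet's own) of the automated conformity check the level-3 criteria call for: a hardening baseline with an owner and a last-reviewed date, constructed configuration snapshots from two hosts, a check that reports every deviation (including settings that are simply absent, so that the daemon default applies), and a flag when the baseline itself is overdue for its annual review. The sshd-style key/value format, the baseline settings and the host names are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed hardening baseline for one key component (sshd-style "Key value" settings).
SSH_BASELINE = {
    "name": "ssh-server",
    "owner": "platform-team",            # each baseline has an assigned owner
    "last_reviewed": date(2024, 3, 1),   # reviewed at least annually
    "settings": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "X11Forwarding": "no",
        "MaxAuthTries": "3",
    },
}

# Constructed configuration snapshots as collected from two hosts.
HOST_CONFIGS = {
    "web-01": """
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
""",
    "web-02": """
PermitRootLogin yes
# PasswordAuthentication no   <- commented out, so the daemon default applies
X11Forwarding no
MaxAuthTries 6
""",
}


@dataclass(frozen=True)
class NonConformity:
    host: str
    setting: str
    expected: str
    actual: Optional[str]  # None when the setting is absent from the host's configuration


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Key value' lines, ignoring blanks and comments; keys are case-insensitive."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def check_host(host: str, config_text: str, baseline: dict) -> list[NonConformity]:
    """Compare one host against the baseline; a missing setting is a non-conformity too."""
    actual = parse_config(config_text)
    findings = []
    for setting, expected in baseline["settings"].items():
        got = actual.get(setting.lower())
        if got is None or got.lower() != expected.lower():
            findings.append(NonConformity(host, setting, expected, got))
    return findings


def baseline_review_overdue(baseline: dict, today: date, max_age_days: int = 365) -> bool:
    """True when the baseline has not been reviewed within the last year."""
    return today - baseline["last_reviewed"] > timedelta(days=max_age_days)


def run_conformity_checks(configs: dict[str, str], baseline: dict, today: date) -> dict:
    """Produce the record that would be stored in an accessible location for follow-up."""
    return {
        "baseline": baseline["name"],
        "owner": baseline["owner"],
        "checked_on": today.isoformat(),
        "baseline_review_overdue": baseline_review_overdue(baseline, today),
        "results": {host: check_host(host, text, baseline) for host, text in configs.items()},
    }


if __name__ == "__main__":
    report = run_conformity_checks(HOST_CONFIGS, SSH_BASELINE, date(2024, 6, 1))
    for host, findings in report["results"].items():
        print(host, "conformant" if not findings else f"{len(findings)} non-conformities")
        for f in findings:
            print(f"  {f.setting}: expected {f.expected!r}, found {f.actual!r}")
```

Treating an absent setting as a finding matters: a commented-out `PasswordAuthentication no` looks harmless in a diff but silently hands control back to the daemon default. The report carries the owner and the review status so that the process for addressing non-conformities has someone to route them to.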

Patching and Updating
  1  Do you identify and patch vulnerable components?
     - You have an up-to-date list of components, including version information
     - You regularly review public sources for vulnerabilities related to your components
  2  Do you follow an established process for updating components of your technology stacks?
     - The process includes vendor information for third-party patches
     - The process considers external sources to gather information about zero day attacks, and includes appropriate risk mitigation steps
     - The process includes guidance for prioritizing component updates
  3  Do you regularly evaluate components and review patch level status?
     - You update the list of components and versions
     - You identify missing updates and apply them according to the existing SLA
     - You review and update the process based on feedback from the people who perform patching
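An added example (not from the SAMM toolbox or this spreadsheet) that ties the three levels above together: a component list with versions, a constructed set of advisories reviewed from outside sources, and a prioritised list of missing updates with their SLA due dates. The advisory identifiers are made up for the example and are not real CVE numbers, the "every version below the fix is affected" rule is a simplification, and the SLA days per severity are an assumed organisational policy, not SAMM's.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifiers for the example, not real CVE numbers
    component: str
    fixed_in: str      # assumption: every version below this one is affected
    severity: str
    published: date


# Assumed remediation SLA per severity, in days (organisation-specific).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed component inventory with version information.
INVENTORY = [
    Component("openssl", "3.0.7"),
    Component("nginx", "1.24.0"),
    Component("log4j-core", "2.20.0"),
    Component("postgresql", "15.3"),
]

# Constructed advisories, as collected from public sources and vendor notices.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "openssl", "3.0.9", "high", date(2024, 3, 1)),
    Advisory("ADV-EXAMPLE-002", "nginx", "1.25.0", "medium", date(2024, 4, 1)),
    Advisory("ADV-EXAMPLE-003", "log4j-core", "2.17.1", "critical", date(2021, 12, 10)),
]

# Constructed date of the patch-level review.
ASSESSMENT_DATE = date(2024, 4, 15)


def version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted versions only ('3.0.7'); enough for this example."""
    return tuple(int(part) for part in version.split("."))


def missing_updates(inventory: list[Component], advisories: list[Advisory], today: date) -> list[dict]:
    """Match advisories to installed components and prioritise by severity, then due date."""
    installed = {c.name: c for c in inventory}
    items = []
    for adv in advisories:
        comp = installed.get(adv.component)
        if comp is None or version_key(comp.version) >= version_key(adv.fixed_in):
            continue  # component not deployed, or already at/above the fixed version
        due = adv.published + timedelta(days=SLA_DAYS[adv.severity])
        items.append({
            "component": comp.name,
            "installed": comp.version,
            "fixed_in": adv.fixed_in,
            "advisory": adv.advisory_id,
            "severity": adv.severity,
            "due": due,
            "overdue": today > due,
        })
    items.sort(key=lambda item: (SEVERITY_ORDER[item["severity"]], item["due"]))
    return items


def run_example() -> list[dict]:
    return missing_updates(INVENTORY, ADVISORIES, ASSESSMENT_DATE)


if __name__ == "__main__":
    for item in run_example():
        state = "OVERDUE" if item["overdue"] else "due " + item["due"].isoformat()
        print(f"{item['severity']:<8} {item['component']} {item['installed']} -> {item['fixed_in']} ({state})")
```

The check is only as good as the inventory feeding it, which is why the level-3 criterion insists the component list itself is kept current: a component missing from `INVENTORY` is silently never matched.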
Operational Management

Data Protection
  1  Do you protect and handle information according to protection requirements for data stored and processed on each application?
     - You know the data elements processed and stored by each application
     - You know the type and sensitivity level of each identified data element
     - You have controls to prevent propagation of unsanitized sensitive data from production to lower environments
  2  Do you maintain a data catalog, including types, sensitivity levels, and processing and storage locations?
     - The data catalog is stored in an accessible location
     - You know which data elements are subject to specific regulation
     - You have controls for protecting and preserving data throughout its lifetime
     - You have retention requirements for data, and you destroy backups in a timely manner after the relevant retention period ends
  3  Do you regularly review and update the data catalog and your data protection policies and procedures?
     - You have automated monitoring to detect attempted or actual violations of the Data Protection Policy
     - You have tools for data loss prevention, access control and tracking, or anomalous behavior detection
     - You periodically audit the operation of automated mechanisms, including backups and record deletions
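An added example (not part of the toolbox or this spreadsheet) of the control at level 1 that prevents unsanitized sensitive data propagating from production to lower environments, driven by the kind of data catalog level 2 asks for. Restricted elements are redacted, confidential ones are replaced by a keyed pseudonym so test data still joins, and any field the catalog does not know about fails the export rather than passing through unclassified. The catalog entries, sample rows and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed data catalog: element -> sensitivity level and applicable regulation.
DATA_CATALOG = {
    "customer_id": {"sensitivity": "internal", "regulation": None},
    "email": {"sensitivity": "confidential", "regulation": "GDPR"},
    "card_number": {"sensitivity": "restricted", "regulation": "PCI DSS"},
    "order_total": {"sensitivity": "public", "regulation": None},
}

# Constructed key for the example; in practice this comes from a secret store, never source code.
EXPORT_KEY = b"constructed-example-key-not-for-production"

# Constructed production rows (the card numbers are standard test numbers, not real cards).
PRODUCTION_ROWS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "card_number": "4111111111111111", "order_total": "49.90"},
    {"customer_id": "C-1002", "email": "alice@example.com", "card_number": "5500000000000004", "order_total": "12.00"},
    {"customer_id": "C-1003", "email": "bob@example.com", "card_number": "4111111111111111", "order_total": "5.25"},
]

SENSITIVE_LEVELS = ("confidential", "restricted")


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed token: equal inputs give equal tokens (joins keep working),
    but the original cannot be recovered without the key."""
    return "pseu_" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitize_row(row: dict, catalog: dict, key: bytes) -> dict:
    """Apply the catalog's sensitivity level to every field; unknown fields fail closed."""
    out = {}
    for field, value in row.items():
        if field not in catalog:
            raise ValueError(f"field {field!r} is not in the data catalog; refusing to export")
        level = catalog[field]["sensitivity"]
        if level == "restricted":
            out[field] = "[REDACTED]"
        elif level == "confidential":
            out[field] = pseudonymize(str(value), key)
        else:
            out[field] = value
    return out


def find_leaks(original_rows: list[dict], sanitized_rows: list[dict], catalog: dict) -> list[tuple[int, str]]:
    """Verification step: any raw confidential/restricted production value that survived
    into the sanitized copy is reported as (row index, field)."""
    sensitive_values = {
        str(row[field])
        for row in original_rows
        for field, meta in catalog.items()
        if field in row and meta["sensitivity"] in SENSITIVE_LEVELS
    }
    return [
        (index, field)
        for index, row in enumerate(sanitized_rows)
        for field, value in row.items()
        if str(value) in sensitive_values
    ]


def export_to_lower_env(rows: list[dict], catalog: dict = DATA_CATALOG, key: bytes = EXPORT_KEY) -> list[dict]:
    """Sanitize, then independently verify before anything leaves production."""
    sanitized = [sanitize_row(row, catalog, key) for row in rows]
    leaks = find_leaks(rows, sanitized, catalog)
    if leaks:
        raise RuntimeError(f"sanitization failed, refusing export: {leaks}")
    return sanitized


if __name__ == "__main__":
    for row in export_to_lower_env(PRODUCTION_ROWS):
        print(row)
```

The separate `find_leaks` pass is the part worth keeping even when the sanitizer changes: it checks the output against the catalog rather than trusting that the transformation did what it was meant to, which is also what the level-3 criterion on periodically auditing automated mechanisms is after.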

System Decommissioning / Legacy Management
  1  Do you identify and remove systems, applications, application dependencies, or services that are no longer used, have reached end of life, or are no longer actively developed or supported?
     - You do not use unsupported applications or dependencies
     - You manage customer/user migration from older versions for each product and customer/user group
  2  Do you follow an established process for removing all associated resources, as part of decommissioning of unused systems, applications, application dependencies, or services?
     - You document the status of support for all released versions of your products, in an accessible location
     - The process includes replacement or upgrade of third-party applications, or application dependencies, that have reached end of life
     - Operating environments do not contain orphaned accounts, firewall rules, or other configuration artifacts
  3  Do you regularly evaluate the lifecycle state and support status of every software asset and underlying infrastructure component, and estimate their end of life?
     - Your end of life management process is agreed upon
     - You inform customers and user groups of product timelines to prevent disruption of service or support
     - You review the process at least annually
SAMM Assessment Scorecard: For

Notes:
Data in this worksheet is automatically imported from the Interview and Roadmap worksheets and will automatically update when
changed in the respective worksheets. This is mostly a read-only worksheet, changes should be made in Interview or Roadmap
worksheets.

Organization:
Team/Application:
Interview Date:
Team Lead:
Contributors:

Current Maturity Score

Business Function   Security Practice          Score   Level 1   Level 2   Level 3
Governance          Strategy & Metrics         0.00    0.00      0.00      0.00
Governance          Policy & Compliance        0.00    0.00      0.00      0.00
Governance          Education & Guidance       0.00    0.00      0.00      0.00
Design              Threat Assessment          0.00    0.00      0.00      0.00
Design              Security Requirements      0.00    0.00      0.00      0.00
Design              Secure Architecture        0.00    0.00      0.00      0.00
Implementation      Secure Build               0.00    0.00      0.00      0.00
Implementation      Secure Deployment          0.00    0.00      0.00      0.00
Implementation      Defect Management          0.00    0.00      0.00      0.00
Verification        Architecture Assessment    0.00    0.00      0.00      0.00
Verification        Requirements Testing       0.00    0.00      0.00      0.00
Verification        Security Testing           0.00    0.00      0.00      0.00
Operations          Incident Management        0.00    0.00      0.00      0.00
Operations          Environment Management     0.00    0.00      0.00      0.00
Operations          Operational Management     0.00    0.00      0.00      0.00

Business Function   Maturity Score
Governance          0.00
Design              0.00
Implementation      0.00
Verification        0.00
Operations          0.00
Overall             0.00

[Chart residue: radar chart "SAMM Current Score" with one spoke per Security Practice, axis from -1.00 to 3.00; all values 0.00. A third copy of the practice table, laid out by Business Function (Governance, Design, Implementation, Verification, Operations), holds the same 0.00 values.]
Phase 1 Maturity Score, Phase 2 Maturity Score, Phase 3 Maturity Score, Phase 4 Maturity Score

Each phase repeats the layout of the Current Maturity Score table above: one row per Security Practice (Business Function, Security Practice, Score, Level 1, Level 2, Level 3), a Maturity Score per Business Function (Governance, Design, Implementation, Verification, Operations) with an Overall score, a copy of the practice table laid out by Business Function, and a radar chart (Phase I Score, Phase II Score, Phase III Score, Phase IV Score; axis from -1.00 to 3.00). Every value is 0.00 in this unfilled template.
SAMM Assessment Interview: For

Instructions
Interview an individual based on the questions below organized according to SAMM Business Functions and Security Practices.
Select the best answer from the multiple choice drop down selections in the answer column.
Document additional information such as how and why in the "Interview Notes" column.
The formulas in hidden columns F-H will calculate the scores and update the Rating boxes and other worksheets as needed.
Once the interview is complete, go to the "Scorecard" sheet and follow instructions.
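The instructions refer to hidden formulas that roll interview answers up into the Rating boxes and the Scorecard. As an added illustration (not the spreadsheet's own formulas), the block below models that roll-up in code: each stream has one answer per maturity level, a practice's level score is the average of its two streams at that level, the practice score (0 to 3, matching the radar chart axis) is the sum of its three level scores, a Business Function averages its three practices, and Overall averages the five functions. The answer weights and this roll-up are assumptions modelled on the public SAMM 2.0 toolbox; the filled-in answers are constructed.

```python
from statistics import mean

# Assumed weights for the multiple-choice drop-down answers (SAMM 2.0 toolbox convention).
ANSWER_WEIGHT = {
    "No": 0.0,
    "Yes, some of them": 0.25,
    "Yes, at least half of them": 0.5,
    "Yes, most or all of them": 1.0,
}

# The SAMM 2.0 model as laid out in this spreadsheet: 5 functions x 3 practices x 2 streams.
MODEL = {
    "Governance": {
        "Strategy & Metrics": ["Create and Promote", "Measure and Improve"],
        "Policy & Compliance": ["Policy & Standards", "Compliance Management"],
        "Education & Guidance": ["Training and Awareness", "Organization and Culture"],
    },
    "Design": {
        "Threat Assessment": ["Application Risk Profile", "Threat Modeling"],
        "Security Requirements": ["Software Requirements", "Supplier Security"],
        "Secure Architecture": ["Architecture Design", "Technology Management"],
    },
    "Implementation": {
        "Secure Build": ["Build Process", "Software Dependencies"],
        "Secure Deployment": ["Deployment Process", "Secret Management"],
        "Defect Management": ["Defect Tracking", "Metrics and Feedback"],
    },
    "Verification": {
        "Architecture Assessment": ["Architecture Validation", "Architecture Mitigation"],
        "Requirements Testing": ["Control Verification", "Misuse/Abuse Testing"],
        "Security Testing": ["Scalable Baseline", "Deep Understanding"],
    },
    "Operations": {
        "Incident Management": ["Incident Detection", "Incident Response"],
        "Environment Management": ["Configuration Hardening", "Patching and Updating"],
        "Operational Management": ["Data Protection", "System Decommissioning / Legacy Management"],
    },
}


def streams_of(practice: str) -> list[str]:
    return [s for function in MODEL.values() for p, streams in function.items() if p == practice for s in streams]


def level_score(answers: dict, practice: str, level: int) -> float:
    """Average of the two streams' answers at one level; an unanswered question counts as 'No'."""
    return mean(ANSWER_WEIGHT[answers.get((stream, level), "No")] for stream in streams_of(practice))


def practice_score(answers: dict, practice: str) -> float:
    """Practice maturity, 0 to 3: the sum of its three level scores."""
    return sum(level_score(answers, practice, level) for level in (1, 2, 3))


def scorecard(answers: dict) -> dict:
    """Rows of the Scorecard sheet: levels and score per practice, per function, and overall."""
    practices = {p: round(practice_score(answers, p), 2) for function in MODEL.values() for p in function}
    levels = {p: [round(level_score(answers, p, lvl), 2) for lvl in (1, 2, 3)] for p in practices}
    functions = {name: round(mean(practices[p] for p in ps), 2) for name, ps in MODEL.items()}
    return {"levels": levels, "practices": practices, "functions": functions,
            "overall": round(mean(functions.values()), 2)}


# Constructed interview answers: only the Incident Management practice has been filled in.
EXAMPLE_ANSWERS = {
    ("Incident Detection", 1): "Yes, most or all of them",
    ("Incident Detection", 2): "Yes, at least half of them",
    ("Incident Detection", 3): "No",
    ("Incident Response", 1): "Yes, most or all of them",
    ("Incident Response", 2): "Yes, at least half of them",
    ("Incident Response", 3): "No",
}


if __name__ == "__main__":
    card = scorecard(EXAMPLE_ANSWERS)
    for practice, score in card["practices"].items():
        print(f"{practice:<26} {score:.2f}  levels={card['levels'][practice]}")
    print("functions:", card["functions"], "overall:", card["overall"])
```

Because every unanswered question scores as "No", a half-completed interview drags the function and overall scores down, which is the behaviour the all-zero Scorecard template above reflects.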

Organization:
Team/Application:
Interview Date:
Team Lead:
Contributors:

Governance                                    Current    Phase I    Phase II    Phase III    Phase IV
(each column holds an Answer and a Rating cell per question)

Strategy & Metrics
  Create and Promote
    1  Do you understand the enterprise-wide risk appetite for your applications?
    2  Do you have a strategic plan for application security and use it to make decisions?
    3  Do you regularly review and update the Strategic Plan for Application Security?
  Measure and Improve
    1  Do you use a set of metrics to measure the effectiveness and efficiency of the application security program across applications?
    2  Did you define Key Performance Indicators (KPI) from available application security metrics?
    3  Do you update the Application Security strategy and roadmap based on application security metrics and KPIs?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Policy & Compliance
  Policy & Standards
    1  Do you have and apply a common set of policies and standards throughout your organization?
    2  Do you publish the organization's policies as test scripts or run-books for easy interpretation by development teams?
    3  Do you regularly report on policy and standard compliance, and use that information to guide compliance improvement efforts?
  Compliance Management
    1  Do you have a complete picture of your external compliance obligations?
    2  Do you have a standard set of security requirements and verification procedures addressing the organization's external compliance obligations?
    3  Do you regularly report on adherence to external compliance obligations and use that information to guide efforts to close compliance gaps?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Education & Guidance
  Training and Awareness
    1  Do you require employees involved with application development to take SDLC training?
    2  Is training customized for individual roles such as developers, testers, or security champions?
    3  Have you implemented a Learning Management System or equivalent to track employee training and certification processes?
  Organization and Culture
    1  Have you identified a Security Champion for each development team?
    2  Does the organization have a Secure Software Center of Excellence (SSCE)?
    3  Is there a centralized portal where developers and application security professionals from different teams and business units are able to communicate and share information?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00
Design                                        Current    Phase I    Phase II    Phase III    Phase IV

Threat Assessment
  Application Risk Profile
    1  Do you classify applications according to business risk based on a simple and predefined set of questions?
    2  Do you use centralized and quantified application risk profiles to evaluate business risk?
    3  Do you regularly review and update the risk profiles for your applications?
  Threat Modeling
    1  Do you identify and manage architectural design flaws with threat modeling?
    2  Do you use a standard methodology, aligned with your application risk levels?
    3  Do you regularly review and update the threat modeling methodology for your applications?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Security Requirements
  Software Requirements
    1  Do project teams specify security requirements during development?
    2  Do you define, structure, and include prioritization in the artifacts of the security requirements gathering process?
    3  Do you use a standard requirements framework to streamline the elicitation of security requirements?
  Supplier Security
    1  Do stakeholders review vendor collaborations for security requirements and methodology?
    2  Do vendors meet the security responsibilities and quality measures of service level agreements defined by the organization?
    3  Are vendors aligned with the standard security controls and software development tools and processes that the organization utilizes?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Secure Architecture
  Architecture Design
    1  Do teams use security principles during design?
    2  Do you use shared security services during design?
    3  Do you base your design on available reference architectures?
  Technology Management
    1  Do you evaluate the security quality of important technologies used for development?
    2  Do you have a list of recommended technologies for the organization?
    3  Do you enforce the use of recommended technologies within the organization?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00
Implementation                                Current    Phase I    Phase II    Phase III    Phase IV

Secure Build
  Build Process
    1  Is your full build process formally described?
    2  Is the build process fully automated?
    3  Do you enforce automated security checks in your build processes?
  Software Dependencies
    1  Do you have solid knowledge about the dependencies you rely on?
    2  Do you handle third-party dependency risk through a formal process?
    3  Do you prevent builds of software that is affected by vulnerabilities in its dependencies?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Secure Deployment
  Deployment Process
    1  Do you use repeatable deployment processes?
    2  Are deployment processes automated and employing security checks?
    3  Do you consistently validate the integrity of deployed artifacts?
  Secret Management
    1  Do you limit access to application secrets according to the least privilege principle?
    2  Do you inject production secrets into configuration files during deployment?
    3  Do you practice proper lifecycle management for application secrets?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Defect Management
  Defect Tracking
    1  Do you track all known security defects in accessible locations?
    2  Do you keep an overview of the state of security defects across the organization?
    3  Do you enforce SLAs for fixing security defects?
  Metrics and Feedback
    1  Do you use basic metrics about recorded security defects to carry out quick win improvement activities?
    2  Do you improve your security assurance program based on standardized metrics?
    3  Do you regularly evaluate the effectiveness of your security metrics so that their input helps drive your security strategy?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00
Verification                                  Current    Phase I    Phase II    Phase III    Phase IV

Architecture Assessment
  Architecture Validation
    1  Do you review the application architecture for key security objectives on an ad-hoc basis?
    2  Do you regularly review the security mechanisms of your architecture?
    3  Do you regularly review the effectiveness of the security controls?
  Architecture Mitigation
    1  Do you review the application architecture for mitigations of typical threats on an ad-hoc basis?
    2  Do you regularly evaluate the threats to your architecture?
    3  Do you regularly update your reference architectures based on architecture assessment findings?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Requirements Testing
  Control Verification
    1  Do you test applications for the correct functioning of standard security controls?
    2  Do you consistently write and execute test scripts to verify the functionality of security requirements?
    3  Do you automatically test applications for security regressions?
  Misuse/Abuse Testing
    1  Do you test applications using randomization or fuzzing techniques?
    2  Do you create abuse cases from functional requirements and use them to drive security tests?
    3  Do you perform denial of service and security stress testing?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Security Testing
  Scalable Baseline
    1  Do you scan applications with automated security testing tools?
    2  Do you customize the automated security tools to your applications and technology stacks?
    3  Do you integrate automated security testing into the build and deploy process?
  Deep Understanding
    1  Do you manually review the security quality of selected high-risk components?
    2  Do you perform penetration testing for your applications at regular intervals?
    3  Do you use the results of security testing to improve the development lifecycle?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00
Operations                                    Current    Phase I    Phase II    Phase III    Phase IV

Incident Management
  Incident Detection
    1  Do you analyze log data for security incidents periodically?
    2  Do you follow a documented process for incident detection?
    3  Do you review and update the incident detection process regularly?
  Incident Response
    1  Do you respond to detected incidents?
    2  Do you use a repeatable process for incident handling?
    3  Do you have a dedicated incident response team available?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Environment Management
  Configuration Hardening
    1  Do you harden configurations for key components of your technology stacks?
    2  Do you have hardening baselines for your components?
    3  Do you monitor and enforce conformity with hardening baselines?
  Patching and Updating
    1  Do you identify and patch vulnerable components?
    2  Do you follow an established process for updating components of your technology stacks?
    3  Do you regularly evaluate components and review patch level status?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00

Operational Management
  Data Protection
    1  Do you protect and handle information according to protection requirements for data stored and processed on each application?
    2  Do you maintain a data catalog, including types, sensitivity levels, and processing and storage locations?
    3  Do you regularly review and update the data catalog and your data protection policies and procedures?
  System Decommissioning / Legacy Management
    1  Do you identify and remove systems, applications, application dependencies, or services that are no longer used, have reached end of life, or are no longer actively developed or supported?
    2  Do you follow an established process for removing all associated resources, as part of decommissioning of unused systems, applications, application dependencies, or services?
    3  Do you regularly evaluate the lifecycle state and support status of every software asset and underlying infrastructure component, and estimate their end of life?
  Practice rating (Current, Phase I-IV): 0.00 0.00 0.00 0.00 0.00
Software Assurance Maturity Model (SAMM) Roadmap

[Chart residue: one roadmap chart per Security Practice (Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Security Requirements, Secure Architecture, Secure Build, Secure Deployment, Defect Management, Architecture Assessment, Requirements Testing, Security Testing), with columns Phase 1 to Phase 4 and a maturity-score axis from 0.00 to 1.00; no values are filled in this template.]