Note: These notes were strongly inspired by the following books: CSSLP Certification All-in-One and Official (ISC)2 Guide to the CSSLP CBK, Second Edition.
- completion criteria – have all of the functional and security requirements been completed as expected?
- change management – is there a process in place to handle change requests?
- approval to deploy/release – have all of the required authorities signed off?
- risk acceptance and exception policy – is the residual risk acceptable, or is it tracked as an exception?
- documentation – is all of the necessary documentation in place?
- validation & verification (V&V) – Validation confirms that the software meets the specified user requirements (the right product was built). Verification confirms proper software construction (the product was built right). V&V is not an ad hoc process but a structured, systematic approach to evaluating the software's technical functionality. The evaluation can be divided into the following activities:
  - design (review)
  - code (review)
  - error detection (tests)
  - acceptance (tests)
  - independent third-party (tests)
- certification and accreditation – Certification is the technical verification of the software's functional and assurance level. Accreditation is management's formal acceptance of the system, based on an understanding of the risks to that system.