i. Educate development teams on how to create a secure system.
ii. Develop and/or refine infrastructure security architecture.
iii. List technical and non-technical security controls.
iv. Perform architecture walkthrough.
v. Create a system-level security design.
vi. Create high-level non-technical and integrated technical security designs.
vii. Perform a cost/benefit analysis for design components.
viii. Document the detailed technical security design.
ix. Perform a design review, which must include, at a minimum, technical reviews of application and infrastructure, as well as a review of high-level processes.
x. Describe detailed security processes and procedures, including: segregation of duties and segregation of development, testing and production environments.
xi. Design initial end-user training and awareness programs.
xii. Design a general security test plan.
xii. Update the organization’s policies, standards, and procedures, if appropriate.
xiv. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
xv. Design and establish separate development and test environments.