Risk Management
Overview coming soon.
This objective, and the other similar ‘Approach For’ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.
This objective, and the other similar ‘include’ objectives, simply state what has to be in your Product Inventory for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.
When a critical vulnerability is made known in a Third-Party Product Component that a Product Team is using, there is very little time to respond to the situation and upgrade the Third-Party Product Component before the Product is compromised. Typically, the first broadly scanning exploits for the vulnerability are detected across the internet within 24 hours, so fixing the issue on the same day it is reported or, at most, within the first 48 hours is essential.
High-profile customer data breaches have shown repeatedly that if a central team is tasked with knowing of these vulnerabilities and ensuring the Product Teams fix them, the response time is too slow and the Product Delivery Organisation suffers a serious security incident with a potentially large financial penalty. Product Teams know which Third-Party Product Components they are using and which versions. They are best placed to know about and respond to critical vulnerabilities. The Product Lead is accountable for this happening.
A Product Delivery Organisation enters into many Third-Party Agreements to be able to efficiently carry out its responsibilities. Third-Parties are often the source of data breaches for Organisations, and each additional Third-Party engaged increases the risk that the Product Delivery Organisation itself introduces to the Organisation. Deliberately managing this risk is essential, and the Head Of Product Delivery Organisation is accountable for this.
Your Data Processing Obligations form a core part of your Compliance Obligations and are defined separately here to ensure the policy objectives for Product Teams and the Technology Community Of Practice are as clear as possible.
A Product Lead cannot perform their role without an understanding of the regulatory environment that their Product operates in. Placing accountability for Product Teams understanding their Data Processing Obligations with a central compliance or security awareness team is not effective and does not scale, so this framework assigns it to Product Leads, who are accountable for their Product’s and Product Team’s security.
This is one of two policy objectives that look very similar. This one ensures that data is handled in a compliant way by the Product Team, which encompasses the development, operational and administrative staff for the product. Mishandling of data by the people on the Product Team is a source of data breaches and the Product Lead is accountable for the Product Team’s manual processes handling data correctly.
This is one of two policy objectives that look very similar. This one ensures that data is handled in a compliant way by the Product, which encompasses all processes and operations of the technology Product itself. Mishandling of data by technology Products is a source of data breaches and the Product Lead is accountable for the Product’s automated processes handling data correctly.
This objective, and the other similar ‘include’ objectives, simply state what has to be in your Product Security Levels for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.
Current measures of security in Products against the requirements of their Product Security Level best inform what the Product Delivery Organisation should be doing to improve its approach to security.
If your Product Delivery Organisation has measures showing that many Products of a particular type are consistently not meeting their security requirements, then steps must be taken to improve understanding or the Agreed Ways Of Working to address this.
A lot of money is wasted by Organisations everywhere on security initiatives that do not address and reduce the specific risks that the Organisation needs to mitigate.
It is the Product Delivery Organisation that must continuously improve its approach to security to address the changing risks the Organisation is carrying, and the Head Of Product Delivery Organisation is accountable for this.
Current measures of the processes that Product Teams are following to securely deliver Products best inform what the Product Delivery Organisation should be doing to improve its approach to security.
If your Product Delivery Organisation has measures showing that many Product Teams are not consistently following part of the Agreed Ways Of Working, then steps must be taken to improve understanding or the Agreed Ways Of Working to address this.
This Product Security Policy is deliberately created to be easily adoptable by as many Organisations as possible. You will have to add policy objectives that meet your Organisation’s own specific Compliance Obligations. It is possible that we have already created extensions to this policy that meet common Compliance Obligations for Organisations, which will make this easier for you. Check before authoring your own.