Product Security Insights
Product Security Insights are a collection of knowledge about how your organisation delivers secure Products and the measures that show secure products are being delivered.
Expand the policy objectives on the right for more information on who maintains Product Security Insights and what they must contain.
The Secure Delivery Framework specifies who is accountable and responsible for security at all levels. To be accountable or responsible for something, you must meet four requirements:
- Understand what you’re accountable or responsible for
- Have information that shows what you’re accountable or responsible for is being satisfactorily done
- Have time in your working day to do what you’re responsible for or ensure what you’re accountable for is being done
- If you’re accountable for ensuring something is being done, you must have decision-making oversight of the group responsible for doing it
The Technology Community Of Practice is required to maintain Product Security Insights. This collection of knowledge includes what has to be done by Product Teams and the Product Delivery Organisation to deliver secure products and the measures that show secure products are being delivered. This is how the framework ensures that requirements 1 and 2 are met.
To provide Product Security Insights for the entire organisation, you can use a combination of a wiki-style knowledge base and a dashboarding tool. This tool must enable you to collect and collate metrics from multiple sources into a unified, aggregated view at the required levels.
Alternatively, the Secure Delivery Platform provides the necessary Product Security Insights functionality as part of its comprehensive platform for securing your Product Delivery Organisation.
This framework requires that Product Security Insights include measurements of Agreed Ways of Working (how we build secure Products) and measurements of Product Security Levels (what our Products need to be secure).For more details on what they contain, see their respective pages in the Policy Viewer.
Each Product Team’s way of working and their Product’s security level requirements have measurable outputs that must be included in Product Security Insights. Doing so ensures that every responsible group and accountable decision-maker can fulfill their roles effectively.