The Product Security Policy defines the ‘Who‘ and the ‘What‘ for the secure delivery of products by the Product Delivery Organisation and the Agreed Ways Of Working defines the ‘How‘. This makes the Agreed Ways Of Working the essential ‘field guide’ and collection of standards for the whole Product Delivery Organisation.

Security and compliance typically mandate a lot of documentation and process but the Secure Delivery Framework strives to minimise this as far as possible. The Agreed Ways Of Working is one of the documents that is absolutely required for all Product Delivery Organisations.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

This objective, and the other similar ‘Approach For‘ objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.

Security incidents, whether leading to customer data breaches or not, impact the whole Organisation’s risk management and likely must be reported to your national regulator for information rights. As the person who manages Organisation risk within the scope of the Product Delivery Organisation, the Head Of Product Delivery Organisation is accountable for security incidents being recorded.

Policy objectives that use the verb ‘Ensure‘ assign accountability to a person. This is an accountability objective. While Product Leads are accountable for all the responsibilities of a Product Team, some accountabilities are called out specifically for clarity.

It’s not scalable or effective for a Product Delivery Organisation to have a central team or person chasing dozens or even hundreds of Product Teams to ensure Agreed Ways Of Working are being followed.

A Product Team being unable to follow Agreed Ways Of Working for reasons that are communicated to, and accepted by, the Product Delivery Organisation is handled by this framework and results in either:

• The Agreed Ways Of Working being improved to cover more Product Teams’ specific needs or,
• Documented Risks being updated to capture and manage the deviation from Agreed Ways Of Working

Current measures of security in Products against the requirements of its Product Security Level best inform what the Product Delivery Organisation should be doing to improve its approach to security.

If your Product Delivery Organisation has measures showing many of a particular type of Product consistently not meeting their requirements for security then steps must be taken to improve understanding or Agreed Ways Of Working to address this.

Current measures of the processes that Product Teams are following to securely deliver Products best inform what the Product Delivery Organisation should be doing to improve their approach to security.

If your Product Delivery Organisation has measures showing many Product Teams not consistently following part of Agreed Ways Of Working then steps must be taken to improve understanding or Agreed Ways Of Working to address this.