Product Security Policy
Overview coming soon.
This is a Product Security Policy. Its scope is the Product Delivery Organisation so it’s the Product Delivery Organisation that is responsible for maintaining it. Adopting this policy is the start of that. You might need to adapt some of this policy’s objectives to your needs, too, although we recommend you make any changes additive to make updating to a later version of this policy easier.
This Product Security Policy is deliberately created to be easily adoptable by as many Organisations as possible. You will have to add policy objectives that meet your Organisation’s own specific Compliance Obligations. It’s possible that we have already created extensions to this policy that meet common Compliance Obligations for Organisations that will make this easier for you. Check before authoring your own.
Your Data Processing Obligations form a core part of your Compliance Obligations and are defined separately here to ensure the policy objectives for Product Teams and the Technology Community Of Practice are as clear as possible.
A lot of money is wasted by Organisations everywhere on security initiatives that don’t address and reduce the specific risks that the Organisation needs to mitigate.
It’s the Product Delivery Organisation that must improve its approach to security continuously to address the changing risks the Organisation is carrying and the Head Of Product Delivery Organisation is accountable for this.
The Product Security Policy defines the ‘Who’ and the ‘What’ for the secure delivery of products by the Product Delivery Organisation and the Agreed Ways Of Working defines the ‘How’. Aligning these is essential to manage risk in the Product Delivery Organisation and the Head Of Product Delivery Organisation is accountable for this.
Risks are carried by the Organisation as a whole and the Product Delivery Organisation manages some of those identified business risks. Ensuring that the Product Delivery Organisation is aligned with the Organisation’s approach to risks is essential and the Head Of Product Delivery Organisation is accountable for this.
A Product Delivery Organisation enters into many Third-Party Agreements to be able to efficiently carry out its responsibilities. Third-Parties are often the source of data breaches for Organisations and each additional Third-Party engaged increases the Organisation’s risk that is being introduced by the Product Delivery Organisation itself. Deliberately managing this risk is essential and the Head Of Product Delivery Organisation is accountable for this.
A Product Lead cannot perform their role without an understanding of the regulatory environment that their Product operates in. Placing accountability for Product Teams’ understanding of their Data Processing Obligations with a central compliance or security awareness team is not effective and doesn’t scale, so this framework assigns it to Product Leads, who are accountable for their Product’s and Product Team’s security.
This is one of two policy objectives that look very similar. This one ensures that data is handled in a compliant way by the Product Team, which encompasses the development, operational and administrative staff for the product. Mishandling of data by the people on the Product Team is a source of data breaches and the Product Lead is accountable for the Product Team’s manual processes handling data correctly.
This is one of two policy objectives that look very similar. This one ensures that data is handled in a compliant way by the Product, which encompasses all processes and operations of the technology Product itself. Mishandling of data by technology Products is a source of data breaches and the Product Lead is accountable for the Product’s automated processes handling data correctly.
Product Security Levels are introduced in stage 2 of this policy’s adoption. They introduce clear security requirements specific to the types of Products being developed by the Product Development Organisation and might consider:
As part of their categorisation. Ensuring these Product Security Levels correctly manage risk is essential to the Product Delivery Organisation and the Head Of Product Delivery Organisation is accountable for this.