Review should happen primarily within the Portfolio and Program segments. Depending on the structure and complexity of security and/or compliance challenges, additional reviews may be needed.
Within the Program segment, this review focuses on User Stories before they are submitted for inclusion in a PI Planning Event. By this point, security and compliance concerns should already have been noted at the Portfolio level and mitigated through either Portfolio Enablers or additional functionality added to the Epic.
Security and compliance leadership should therefore expect to see that the concerns identified at the Portfolio level have been mitigated through explicit acceptance criteria within the user stories.
As an example, consider this specific use case. The organization receives and stores sensitive data through an API endpoint, and both regulations and best practices require that data to be encrypted at rest:
- This concern was identified at the Portfolio level. The Epic for this feature was updated to include a statement clearly stating which pieces of information must be encrypted.
- Since no data on this project was yet encrypted in this manner, a technical Enabler was created to develop an encryption approach for sensitive data that is consistent with the organization's standards. An additional technical Enabler was created to build automated tests verifying that the data is stored in an encrypted state.
- At the Program level, security and compliance leadership first reviews the Epic and then every connected user story to verify that acceptance criteria covering this functionality are included.
- If any concerns are seen at this level, the acceptance criteria are updated to match the organizational standard.
- Security and compliance leaders will also attend the Sprint and System Demos to verify the functionality.
Just as within the Portfolio segment, the end goal of security and compliance should be a “business outcome mindset” that supports a Continuous Delivery workflow.