Security and Compliance Review - Program


Security and compliance program leadership reviews User Stories to ensure that any additional scope in the areas of security or regulatory compliance is included within the Acceptance Criteria of each story.


Related Mindset: Value-Driven

Segment: Program

Inputs: User stories with acceptance criteria

Outputs: Updated and validated user stories which fully address any security and compliance concerns

The overall security and compliance review process throughout the Digital Continuum occurs as a multi-step process.

Review should happen primarily within the Portfolio and Program segments. Depending on the structure and complexity of security and/or compliance challenges, additional reviews may be needed.

Within the Program segment, this review is focused on reviewing User Stories prior to stories being submitted for inclusion into a PI Planning Event. At this point, security and compliance concerns should have been noted at the Portfolio level and mitigated through either Portfolio Enablers or additional functionality added into the Epic.

At this point, security and compliance leadership should expect to see that the concerns identified at the Portfolio level have been mitigated through explicit acceptance criteria within the user stories.

As an example, consider this specific use case. The organization is receiving and storing, through an API endpoint, sensitive data which both regulations and best practices require to be encrypted at rest:

  • This concern was identified at the Portfolio level. The Epic for this feature was updated to include a statement clearly stating which pieces of information must be encrypted.
  • Since no data on this project was yet encrypted in this manner, a technical Enabler was created to develop an encryption approach for any sensitive data which was consistent with the organization’s standards. An additional technical Enabler was also created to facilitate the creation of automated tests to verify that the data was being stored in an encrypted state.
  • At the Program Level, security and compliance leadership first reviews the Epic and then all connected user stories to verify that acceptance criteria are included for this functionality.
  • If any concerns are seen at this level, the acceptance criteria are updated to match the organizational standard.
  • Security and compliance leaders will also attend the Sprint and System Demos to verify the functionality.
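The second Enabler in the use case above calls for automated tests that verify sensitive data is actually stored encrypted. The following is an added illustration of what such an acceptance test can look like; it is not code from the original page or from any framework the page describes. It assumes a small persistence layer (`RecordStore`) with a pluggable at-rest backend (a plain dictionary here, standing in for a database), a constructed `SENSITIVE_FIELDS` set standing in for the list of fields the Epic names, and an HMAC-SHA256 counter-mode cipher with an integrity tag as a self-contained stand-in for whatever primitive the organization's encryption standard mandates (for example AES-GCM from a vetted library). `check_encrypted_at_rest` is the test the story's acceptance criterion would point at: it inspects the raw stored bytes, not the application's view of the record, and returns the list of sensitive fields found in clear.

```python
"""Acceptance test: sensitive fields must be encrypted at rest.

Added example (not from the page). The cipher below is a stand-in for the
organization's approved primitive; SENSITIVE_FIELDS stands in for the Epic's list.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List

# Constructed: the fields the (hypothetical) Epic says must be encrypted.
SENSITIVE_FIELDS = {"ssn", "card_number"}

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keys for confidentiality and integrity from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. Stand-in for the org-standard AEAD."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")  # tampered or wrong key
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RecordStore:
    """Persistence layer behind the API. `backend` is the at-rest storage."""

    def __init__(self, key: bytes, backend: Dict[str, bytes]):
        self.key = key
        self.backend = backend

    def save(self, record_id: str, record: Dict[str, str]) -> None:
        stored = {}
        for field, value in record.items():
            if field in SENSITIVE_FIELDS:
                stored[field] = {"enc": encrypt(self.key, value.encode()).hex()}
            else:
                stored[field] = value
        self.backend[record_id] = json.dumps(stored).encode()

    def load(self, record_id: str) -> Dict[str, str]:
        stored = json.loads(self.backend[record_id])
        return {
            f: decrypt(self.key, bytes.fromhex(v["enc"])).decode() if f in SENSITIVE_FIELDS else v
            for f, v in stored.items()
        }


class PlaintextStore(RecordStore):
    """Constructed 'forgot to encrypt' implementation, to show the test catching it."""

    def save(self, record_id: str, record: Dict[str, str]) -> None:
        self.backend[record_id] = json.dumps(record).encode()


def check_encrypted_at_rest(backend: Dict[str, bytes], record_id: str,
                            original: Dict[str, str]) -> List[str]:
    """The automated acceptance check: sensitive values must not appear in the raw
    stored bytes. Returns the offending field names; an empty list is a pass."""
    raw = backend[record_id]
    return sorted(f for f in SENSITIVE_FIELDS
                  if f in original and original[f].encode() in raw)


if __name__ == "__main__":
    key = os.urandom(32)
    record = {"name": "Ada", "ssn": "123-45-6789", "card_number": "4111-1111-1111-1111"}
    good, bad = {}, {}
    RecordStore(key, good).save("r1", record)
    PlaintextStore(key, bad).save("r1", record)
    print("compliant store violations:", check_encrypted_at_rest(good, "r1", record))
    print("plaintext store violations:", check_encrypted_at_rest(bad, "r1", record))
```

The check deliberately reads the backend directly rather than going through `load`, because a round-trip through the application proves nothing about what sits on disk. In practice the list of fields comes from the Epic and the organizational standard, and the cipher is replaced with the approved library call; the shape of the test stays the same.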

Just as within the Portfolio segment, the end goal of security and compliance should be a “business outcome mindset” that supports a Continuous Delivery workflow.

Common Pitfalls

While many organizations have security and compliance steps within their delivery workflow, there are common pitfalls which should be avoided:

  • Extensive Story Modifications after Review - Part of the reason for the review within both the Portfolio and Program segments is to ensure that there are not extensive changes to user stories. If stories regularly change at this level, it might mean that another review needs to occur for features before their decomposition into user stories.
  • Lacking Clear Guidelines for Security or Regulatory Compliance - Just as with the Portfolio review, mature organizations should have clear and comprehensive guidelines for these areas already defined. It is understood that these guidelines will be constantly evolving, but the validation within the Program segment should consist of matching user stories and their acceptance criteria to existing guidelines.
  • Large Lead Times for Security and/or Compliance Reviews - The Program segment moves User Stories through a Program Kanban process to the PI Planning Session. Unlike the Portfolio Kanban, this process is somewhat time bound. If there is an extensive delay on this review, it could mean that a piece of functionality cannot be included for a specific Program Increment.
