Framework capability areas
Risk Management
Area Overview
Risk management is a dynamic and integral part of product development and management. It’s not a one-time activity but a continuous process that evolves with the product and the surrounding threat landscape. By effectively managing risks, organizations can not only protect their products but also support their overall business objectives and maintain customer trust.
These capabilities ensure you can identify, assess, and mitigate risks associated with product security. A Risk Management approach is crucial in today's landscape where products, especially digital or software-based ones, face a myriad of security threats that can impact not only the product's functionality and integrity but also the organization's reputation and customer trust.
Benefits
- Enhanced Product Security: By systematically managing risks, the security of the product is significantly enhanced.
- Informed Decision Making: It provides stakeholders with crucial information, aiding in making informed decisions about product development and security investment.
- Regulatory Compliance: Helps in meeting legal and regulatory requirements, reducing the risk of penalties or legal issues.
- Customer Trust and Brand Protection: A secure product fosters customer trust and protects the brand's reputation.
Organisational Operating Model [PSCF‑RM‑OOM]
The capability to evaluate and apply fair and scalable accountabilities and reponsibilities for capabilities across the delivery organisation.
Capability Overview
Enable the definition and refinement of the internal structure of a product delivery organization introduces the vital capability of Organizational Operating Model (OOM). This capability plays a pivotal role in facilitating well-defined structures, streamlined processes, and collaborative ways of working, all aimed at crystallizing the accountabilities and responsibilities within the organization.
At the heart of OOM lies the articulation of roles and responsibilities, ensuring every team member understands their contribution to the organization's success. This clarity is not just about internal coherence; it extends to delineating a transparent and accountable framework that resonates with external regulatory expectations. A key aspect of OOM is ensuring that the model is not just robust but also adaptable, capable of scaling and evolving in harmony with the organization's growth and the dynamic regulatory landscape.
Involvement of leadership and stakeholders is crucial in OOM. These key players must possess a deep understanding of the organization's goals, the intricacies of product delivery, and the regulatory requirements that shape the industry landscape. They are instrumental in addressing 'what if' scenarios that might challenge the existing operational model, ensuring the organization remains resilient and responsive to change.
Choosing the right structure and processes to focus on within the OOM is essential. While it might be tempting to cover every conceivable aspect, the priority should be on those areas that significantly influence accountability, transparency, and compliance, ensuring a robust, compliant, and efficient operating model.
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | Y |
| OWASP SAMM | N |
| NIST SSDF | Y |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y |
Continuous Capability Improvement [PSCF‑RM‑CI]
The capability to evaluate capabilities in this framework that require improvement and apply improvements over time.
Capability Overview
Your capacity for Continuous Capability Improvement reflects the ability of your organisation to systematically evaluate and enhance the security aspects of product delivery. This capability is essential for keeping pace with the ever-evolving landscape of technological advancements and changing work practices.
As the world and technology evolve, so must our security practices to prevent the emergence of new vulnerabilities. This involves not only adapting to new technologies and methodologies but also proactively anticipating future changes and challenges. The importance of continuous improvement in security measures is a vital aspect of product development and management, ensuring that what is secure today remains secure tomorrow. This capability, like all others in the realm of product security, requires ongoing development and refinement to effectively protect against emerging threats and to align with the latest technological innovations.
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | Y |
| OWASP SAMM | Y |
| NIST SSDF | Y |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y |
Third-Party Components [PSCF‑RM‑TPC]
The capability to evaluate and select third-party component suppliers.
Capability Overview
Recognizing that it is impractical to build every component in-house, this capability involves making informed decisions about utilizing third-party solutions, such as databases, cloud-based services, secrets storage, etc.
The core challenge here is to determine which third-party components are secure and suitable for use. This decision-making process might involve creating and maintaining an approved list of components that meet security standards (the 'allow' list) or a list of prohibited components (the 'deny' list).
Understanding the importance of having a robust process to assess and authorize third-party components ensures that your product's security is not compromised. Consider how you managing these lists, including how to handle exceptions and ensure that all necessary components are evaluated for security before use.
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | N |
| OWASP SAMM | Y |
| NIST SSDF | Y |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y | Y |
Third-Party Software Development Services [PSCF‑RM‑TPD]
The capability to evaluate and select secure third-party development services suppliers.
Capability Overview
This capability is vital when outsourcing software creation, as it involves ensuring that these external parties not only meet but ideally exceed your organization's standards for quality and security.
A crucial aspect of this process is establishing clear communication and collaboration methods with the third-party developers, especially considering the sensitivity and confidentiality of the projects, which often include intellectual property and new product development.
It is important to clearly define ownership and usage rights in contractual agreements and maintain a balance between confidentiality, availability, and integrity. This ensures that the third-party services are fully aligned with your organizational goals and deliver the desired outcomes promptly, maintaining a competitive edge in the market.
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | N |
| OWASP SAMM | Y |
| NIST SSDF | N |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y | Y |
Third-Party Software-as-a-Service [PSCF‑RM‑TPS]
The capability to evaluate and select secure SaaS offerings from third parties.
Capability Overview
Choosing Software as a Service (SaaS) providers is more complex than selecting general third-party components due to the critical nature of the services provided and the intricacies of contractual agreements. This capability is essential for integrating business-critical systems like Identity Providers (IdPs), online log management services, or Content Delivery Networks (CDNs) into an organization's operations. These services, often crucial for automation or computational tasks, are not typically core to a business but are fundamental to its smooth functioning.
The selection process requires careful consideration because these SaaS offerings will handle sensitive data and play a significant role in the overall security of the product. When choosing SaaS providers, ensure they align with your organization's security needs and business goals. It is important to understand the various offerings in the market and make informed decisions based on the security, reliability, and compatibility of these services with the business's requirements.
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | Y |
| OWASP SAMM | N |
| NIST SSDF | N |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y | Y |
Compliance Obligations [PSCF‑RM‑CO]
The capability to define, understand and apply your obligations for compliance to your product delivery process.
Capability Overview
Internal compliance encompasses voluntary standards an organization might adopt, like ISO27001 or SOC 2, which are chosen for their value in enhancing operations or customer trust. External compliance, on the other hand, involves adhering to legal and industry-specific regulations, such as the Data Security Standard (PCI-DSS) for businesses involved in the Payment Card Industry. Failure to comply can lead to legal issues or loss of operational licenses.
This capability requires a thorough understanding of what each set of compliance obligations entails, ensuring that an organization not only recognizes its required obligations but also implements the necessary practices to meet them. It also involves evaluating the cost-effectiveness and value of complying with internal standards, a critical factor in strategic decision-making and resource allocation
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | Y |
| OWASP SAMM | Y |
| NIST SSDF | Y |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y |
Data Processing Obligations [PSCF‑RM‑DPO]
The capability to define, understand and apply your obligations for data processing to your product delivery process.
Capability Overview
Part of an organization's broader compliance obligations, requiring a clear understanding of the specific regulations that apply, such as the General Data Processing Rules (GDPR) for businesses operating in Europe. It is important to comprehending the full scope of data processing, including the nature of the data, its intended use, and the adherence to specific requirements of regulations like GDPR. You must also be aware of any third-party entities involved in data processing and ensure their compliance with relevant regulations. This capability is crucial for organizations to meet regulatory standards and avoid potential legal complications.
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | Y |
| OWASP SAMM | Y |
| NIST SSDF | Y |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y |
Business Impact Assessment [PSCF‑RM‑BIA]
The capability to analyse the business value of products and the effects security disruptions to that product will have on business.
Capability Overview
Analyzing the business value of products and the impact of security disruptions centres around the vital process of Business Impact Assessment (BIA) within a product delivery organization.
This capability involves assessing how different levels of security incidents can affect the value and operations of a product. A crucial aspect of BIA is determining the appropriate level of detail for the assessment, ensuring it's sufficient to understand the impact without losing sight of the overall business value. Another key factor is the involvement of someone who can represent and articulate the business interests effectively. This person should have an in-depth understanding of the product or service to address potential 'what if' scenarios. The choice of scenarios to be discussed in the BIA is also critical. While it's not necessary to cover every possible scenario, the focus should be on those most relevant and likely to impact the business, ensuring a thorough and meaningful assessment.
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | Y |
| OWASP SAMM | Y |
| NIST SSDF | N |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y |
Data Protection Impact Assessment [PSCF‑RM‑DIA]
The capability to analyse the potential impact to the data subject that a failure of data protection would have.
Capability Overview
Navigating the intricate landscape of data handling and processing, especially under the stringent regulations of GDPR, introduces the imperative capability of Data Protection Impact Assessment (DPIA) within a product delivery organization.
This capability is centered on meticulously evaluating the data processing activities of a product and understanding the potential privacy impacts these activities may have on individuals. A pivotal aspect of DPIA is the depth and thoroughness of the assessment, ensuring it's comprehensive enough to cover all relevant data processing nuances without overshadowing the primary objective of safeguarding personal data. It's crucial to involve someone with a profound comprehension of the GDPR's requirements and the specific data processing activities of the product. This individual should be adept at dissecting and addressing potential data protection risks and envisaging 'what if' scenarios related to data breaches or misuse. Selecting the most pertinent and impactful data processing activities to assess is also paramount. While it may not be feasible to scrutinize every minor processing detail, the focus should be on those activities that pose significant privacy risks, thereby ensuring a robust and meaningful DPIA.
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | Y |
| OWASP SAMM | N |
| NIST SSDF | N |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y |
Threat Intelligence [PSCF‑RM‑TI]
The capability to define and understand criminal abuses your product might be exposed to and apply this understanding to product delivery.
Capability Overview
Defining and understanding criminal abuses a product might face, and applying this knowledge to product delivery, revolves around developing a comprehensive threat intelligence capability.
This involves a deep understanding of the product, user activities, and the potential threat actors and their methods. The capability spans various levels of threat intelligence, including operational intelligence which offers technical data feeds for immediate threats, tactical intelligence that requires more specific interpretation and evaluation related to the product and market, and strategic intelligence that encompasses broader geopolitical and industry-wide events.
Effective threat intelligence is crucial in proactively identifying and mitigating potential risks to the product, but it also requires careful balancing of resources and expertise to manage the associated costs. This capability is integral in ensuring the security and integrity of the product in a dynamic threat landscape
Compliance Requirement
| Regulation or Standard | Required |
|---|---|
| GDPR | N |
| OWASP SAMM | Y |
| NIST SSDF | Y |
Accountability
| Organisational Lead | Product Lead | Technical Lead |
|---|---|---|
| Y |
Responsibility
| Leadership | Product | Development | Operations |
|---|---|---|---|
| Y |