Secure by Design

Secure by Design leverages a standardized intake form for security domains to identify the scope, inherent risk, and project requirements. Utilizing a consolidated intake form enables the identification of relevant security domains, establishing a detailed and standardized security approach.

After the intake form is submitted, a record is created to track security activities and outcomes throughout the project’s life cycle. Information collected during intake is used to automate requirement assignments based on an organization’s Common Controls Framework (CCF). A consolidated intake process allows for a standardized record of IT assets and their controls implementation.

Tasks are automatically created across security domains based on information provided during intake, establishing a central platform where multiple teams can track the completion of security activities, store design documentation, and view the status of control implementation.

Tasks across multiple security domains are assigned and prioritized based on an IT asset’s risk level and are centrally managed to enable transparency and tracking. Security domains may be customized based on business requirements and may include data security, privacy, vendor risk, application security, and security architecture. The assignment, status, and service level agreements (SLAs) for security tasks are stored centrally for enhanced governance.

The assessment framework and methodology should be standardized and mapped to a defined control library. Assessments are used to gather information from the project team at intuitive points in the design process. Assessments might include security architecture review, threat modeling, data security and privacy review, vulnerability testing, and vendor risk assessment.

Integration of the assessment framework with a predefined set of security controls aligns assessments with established security standards and leading practices. Assessment responses are sent directly to the relevant teams for review, and security controls are automatically generated and tailored to the project’s scope based on security assessment data.

Assigned security requirements and controls should be based on risk and predefined by policy. Secure by Design leverages policy-as-code to automate policy checks and compliance-as-code to provide automated governance to enforce organizational policies and demonstrate alignment with regulatory and business requirements.

Standardized implementation of security requirements offers consistency and adherence to established standards and leading practices. Before deployment, project teams should share how each requirement was met for their project, for consistent enforcement of security controls across the organization’s IT project portfolio.

With Authorization to Operate (ATO), approval is granted for release after review of the implemented security controls assigned to the project during intake. Approvals should be manually enforced through review boards/tollgates and automated in deployment pipelines.

An automated security process that can provide visibility into the implementation of security controls against predefined requirements. Enforcing the approval process prior to releasing projects to production enhances security, streamlines the release process, and can provide consistent compliance with security standards.