- Rather than reducing variability (options) from the beginning, the approach should embrace variability and remain flexible to support changing requirements. When there is uncertainty and change happens throughout the development process, the team needs to be directed by a beacon, regardless of variability, and this beacon should be the enterprise’s security policy.
- Corporate security policy should be the beacon that guides the enterprise’s security principles and risk appetite. This policy needs to be articulated and enforced at all levels of the enterprise.
- A well-defined security policy gives the team direction and a path to navigate as it embraces variability and flexibility in product development.
- If the security policy is too specific, that path will be too narrow, limiting the team’s ability to embrace variability and flexibility. In contrast, if the security policy is too general, it will create ambiguity and confusion. Therefore, it is important that the policy provide clear direction on what the enterprise wants to achieve while allowing flexibility in the application of security controls.
Food for Thought
- What criteria do you think are necessary for a security policy to provide clear security principles while still allowing flexibility in the application of security controls?
- In which areas of the security policy should flexibility not be allowed?