Security is one of the process blades of Disciplined DevOps. The focus of the Security process blade is to describe how to protect your organization from both information/virtual and physical threats. This includes procedures for security governance, identity and access management, vulnerability management, security policy management, and incident response. As you would expect, these policies will affect your organization’s strategies around change management, disaster recovery and business continuity, solution delivery, and vendor management. For security to be effective it has to be a fundamental aspect of your organizational culture.
The following process goal diagram overviews the potential activities associated with disciplined agile security. These activities are performed by, or at least supported by, your security (often called an information security or infosec) team.
Figure 1. The Security process goal diagram.
The process factors that you need to consider for implementing effective security are:
- Ensure security readiness. How do you ensure that your environment has been built to withstand the evolving security threats that you face?
- Enable security awareness. How do you help your staff to become knowledgeable about security threats, how to avoid attacks, and how to deal with them when they occur?
- Monitor security. How do you identify when you are under attack (for most organizations the answer is constantly) and, more importantly, how you are being attacked?
- Respond to threats. When an attack occurs what will you do to address it?
- Secure physical assets. How will you protect physical assets such as buildings, vehicles, and equipment? By implication, how will you ensure the security of your people?
- Secure IT perimeter. How will you secure access to your IT systems?
- Secure the network. How will you ensure the security of digital communications?
- Secure IT endpoints. How will you secure access to devices such as phones, workstations, and other I/O devices?
- Secure applications. How will you address security within the applications/systems of your organization?
- Secure data. How will you ensure the validity and privacy of the data within your organization?
- Govern security. How will you motivate, enable, and monitor security activities within your organization?