Disciplined Agile

Security Practices

The following process goal diagram overviews the potential activities associated with disciplined agile security. These activities are performed by, or at least supported by, your security team.

Copyright Project Management Institute All Rights Reserved Security v5.6 Ensure Security Readiness Chaos testingCollaborative security architecture and designContinuous certification and accreditation (C&A)Define security service level agreement (SLA)/service level objective (SLO)Regulatory compliance assessmentThreat modelingVulnerability assessment Enable Security Awareness CoachingCyber threat intelligenenceExecutive and business educationManage security risksSecurity awareness training Monitor Security Continuous monitoring and assessmentIntrusion detection system (IDS)Network operations center (NOC) monitoringSecurity dashboardSecurity operations center (SOC) monitoringSituational awareness Respond to Threats Cyber incident response team (CIRT)Digital forensicsEscalation managementSecurity information and event management (SIEM)Security operations center (SOC) Secure Physical Assets Access control system - ElectronicAccess control system - MechanicalAlarm systems and sensors - Physical perimeter intrusion detection system (IDS)Data loss prevention (DLP)Physical barriers (combinations)Physical identificationSecurity lightingSecurity staffVideo surveillance Secure IT Perimenter Data loss prevention (DLP)HoneypotMessage security (anti-virus/malware)Perimeter firewallPerimeter intrusion detection system (IDS)/intrusion prevention system (IPS)Secure demilitarized zone (DMZ) Secure the Network Data loss prevention (DLP)Enclave/data center firewallEnterprise intrusion detection system (IDS)/intrusion prevention system (IPS)Enterprise message securityEnterprise remote accessEnterprise wireless securityInline patchingNetwork access control (NAC)VOIP protectionWeb proxy content filtering Secure IT Endpoints Content security (anti-virus/malware)Data loss prevention (DLP)Desktop firewallEndpoint security enforcementHost intrusion detection system (IDS)/intrusion prevention system (IPS)Patch management Secure Applications Dynamic application analysisStatic code analysisPenetration testingWeb application firewall (WAF)Code review Secure Data Data at rest (DAR) / data in motion (DIM) / data in use (DIU) protectionData classificationData encryption (source and transmission)Data integrity monitoringData loss prevention (DLP)Data wiping/cleansingDatabase monitoring/scanningDatabase secure gateway/shieldEnterprise rights managementIdentity and access managementPublic key infrastructure (PKI)Static schema analysis Measure Security Attack surfaceFacility vulnerabilitiesNumber of attacksNumber of breachesPassword strengthPort probesSecurity policy violationsSoftware vulnerabilitySystems with contingency plansTrained staffVirus infections Govern Security Develop security guidanceTrack progressDevelop security metricsReview artifactsMotivate adherence to guidance

Figure 1. The Security process goal diagram (click to enlarge).

The process decision points that you need to consider for implementing effective security are: 

  • Ensure security readiness. How do you ensure that your environment has been built to withstand the evolving security threats that you face?
  • Enable security awareness. How do you help your staff to become knowledgeable about security threats, how to avoid attacks, and how to deal with them when they occur?
  • Monitor security. How do you identify when you are under attack (for most organizations the answer is constantly) and more importantly how you’re being attacked?
  • Respond to threats. When an attack occurs what will you do to address it?
  • Secure physical assets. How will you protect physical assets such as buildings, vehicles, and equipment? By implication, how will you ensure the security of your people?
  • Secure IT perimeter. How will you secure access to your IT systems?
  • Secure the network. How will you ensure the security of digital communications?
  • Secure IT endpoints. How will you secure access to devices such as phones, workstations, and other I/O devices?
  • Secure applications. How will you address security within the applications/systems of your organization?
  • Secure data. How will you ensure the validity and privacy of the data within your organization?
  • Govern security. How will you motivate, enable, and monitor security activities within your organization?