# Initiation

**Goal:** Establish security and privacy expectations and identify risks before design work begins.

**Actions:**

1. Appoint project sponsor, system owner and security lead.
2. Perform and document an initial Threat and Privacy Risk Assessment.
3. Define security and privacy objectives covering confidentiality, integrity and availability (CIA), non-repudiation and legal requirements.
4. Draft a Security and Privacy Plan with milestones, roles and budget for security activities.
5. Require security awareness briefing for project stakeholders.