Initiation

Goal: Establish security and privacy expectations and identify risks before design work begins. 

 Actions: 

 

 Appoint project sponsor, system owner and security lead. 

 Perform initial Threat and Privacy Risk Assessment (documented). 

 Define security and privacy objectives of CIA, non-repudiation and legal requirements. 

 Draft a Security and Privacy Plan with milestones, roles and budget for security activities. 

 Require security awareness briefing for project stakeholders.