Initiation

Goal: Establish security and privacy expectations and identify risks before design work begins.
Actions:

  1. Appoint project sponsor, system owner and security lead.
  2. Perform initial Threat and Privacy Risk Assessment (documented).
  3. Define security and privacy objectives covering confidentiality, integrity and availability (CIA), non-repudiation and legal requirements.
  4. Draft a Security and Privacy Plan with milestones, roles and budget for security activities.
  5. Require security awareness briefing for project stakeholders.