Security Hazard Handling
A Security Hazard is any known flaw or configuration that can lead to a Security Incident.
Security Hazards can be classified according to the Security Incident they can cause:
- Unidentified or identified people or systems are actively abusing the system, with data becoming publicly available, data getting destroyed or manipulated outside system functionality, or system functionality being sabotaged.
- Unidentified people or systems can use functionality and manipulate data outside their intended scope.
- Identified people or systems can use functionality and manipulate data outside their intended scope.
- Identified people or systems can read data that is outside their intended scope.
How to act when a Security Hazard has been noticed:
- Contact the Operators through Teams to understand if the issue is known.
- When the issue is not known, create a User Story.
- Add a tag to the bug: “security hazard”.
- Mention the Data Protection Officer in the description, so the DPO is informed.
- Inform the Product Owner so the normal work procedure can be followed.
- The Product Owner should be aware of the Time To Resolve requirements for Security Hazards.
Time To Resolve for Security Hazards
Time To Resolve in working days
It is always possible to re-evaluate the severity before resolving a hazard.