Security Hazard Handling
last change: 9-6-2023
Security Hazard
A Security Hazard is any known flaw or configuration that can lead to a Security Incident.
Security Hazards can be classified according to the Security Incident they can cause:
severity | level | description
---|---|---
1 | Critical | Unidentified or identified people or systems are actively abusing the system with data becoming publicly available, data getting destroyed or manipulated outside system functionality or sabotaging system functionality. |
2 | High | Unidentified people or systems can use functionality and manipulate data outside their intended scope. |
3 | Medium | Identified people or systems can use functionality and manipulate data outside their intended scope. |
4 | Low | Identified people or systems can read data that is outside their intended scope. |
How to act when a Security Hazard has been noticed:
- Contact the Operators through Teams to understand if the issue is known.
- When the issue is not known, create a User Story.
- Tag the bug with “security hazard”.
- Mention the Data Protection Officer in the description, so the DPO is informed.
- Inform the Product Owner so the normal work procedure can be followed.
- The Product Owner should be aware of the Time To Resolve requirements for Security Hazards.
Time To Resolve for Security Hazards
severity | level | Time To Resolve in working days
---|---|---
1 | Critical | 5 days |
2 | High | 20 days |
3 | Medium | 60 days |
4 | Low | 240 days |
It is always possible to re-evaluate the severity before resolving a hazard.
published on: 9-6-2023