# Security, Data and Assurance ### Overview Security, data protection and assurance must be built into delivery from the beginning. They are not final-stage activities. ### Security by Phase ### Discovery Focus on identifying security, data and assurance constraints. Activities: * identify data types * identify likely access requirements * identify customer security policies * identify hosting and integration constraints * identify assurance obligations ### Alpha Focus on testing security assumptions. Activities: * explore data flow options * assess integration risks * identify threat areas * test feasibility of secure approaches * avoid unnecessary real sensitive data ### Beta Focus on implementing secure controls and producing evidence. Activities: * secure coding * code review * dependency scanning * vulnerability management * access control implementation * test evidence * security review ### Live Focus on monitoring, patching, incident response and continuous assurance. Activities: * vulnerability monitoring * access review * incident management * logging and monitoring * backup and recovery review * security reporting ### Retirement Focus on secure closure. Activities: * access removal * data deletion or retention * archive protection * integration closure * credential removal * decommissioning evidence ### Data Classification Projects should classify data before handling it. Possible classifications: * public * internal * confidential * customer confidential * personal data * sensitive operational data * special category personal data where applicable ### Access Control Access should follow: * least privilege * named accounts * multi-factor authentication where required * role-based access * time-bound access * regular review * prompt removal ### Assurance Evidence Assurance evidence may include: * security requirements * architecture decision records * data flow maps * access control matrix * vulnerability scan results * penetration test reports where applicable * remediation records * risk acceptance records * release approvals * operational readiness checklist ### Security Risk Acceptance Security risks must not be accepted informally. A risk acceptance should record: * risk description * impact * likelihood * mitigation * residual risk * accepting authority * review date * expiry or condition ### Minimum Security Questions Every project should ask: * What data will we handle? * Who needs access? * Where will data be stored? * How will data move between systems? * What logging is required? * What security controls are mandatory? * What evidence will the customer need? * What happens if there is an incident? --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://framework.aic.io/agile-delivery-playbook/operating-controls/security-data-and-assurance.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.