Infosec Risk Analysis for development process (includes Dev Process Documentation)

🧩 User Story

As a Product Owner I want to ensure that infosec risks within the project's scope are assessed and handled, in order to ensure adequate security posture for the product.

🎯 Goal & Context

Conduct an initial risk analysis based on the draft Risk Management Policy.

The results of this task must either be produced in cooperation with the appropriate risk owner(s) (tbd) or passed on to them for approval.

🛑 Boundaries & Implementation Notes

This task includes performing the tasks listed as "TODO" in the Risk Management Policy under "Risk Management Methodology":

  • Define Systems in Scope of Risk Management [TODO]
  • Decompose Systems [TODO]
  • Define Protection Requirements for Systems [TODO]
  • Based on protection requirements, determine for which systems risk analysis needs to be performed [TODO]
  • Determine Delta from baseline (for BSI Grundschutz, that would be the Grundschutz-Bausteine, but we can in principle take whatever we see fit) [TODO]
  • Perform risk analysis for the systems that have been determined to need it [TODO]

It also includes documenting the actual development process and the systems used therein. The Product Owner / Scrum Master should be aware that they will be involved in this ticket, as decisions pertaining to scope, risk and process will have to be made.

If relevant, consider our concept in our internal Miro here.

Acceptance Criteria

This issue is considered done when:

  • The as-is process, with details about each step, is documented in Miro. Please consider recent IT security pipeline implementations with SAST.
  • Risks have been assessed according to the Risk Management Policy.
  • Any zero- to low-effort changes have been made to the dev process as agreed with stakeholders.
  • Documentation outlining the actual development process is written in Docusaurus.
  • Tickets for the implementation of further mitigations have been created.
Edited by Nila Löber