Commit 7af74803 authored by Nick Malcolm

Update the Transition and Sunset workflows

parent 50e26b0c
+13 −10
@@ -20,9 +20,9 @@ ProdSecEng operates four complementary workflows that work together to manage th
| # | Workflow | Purpose | Status |
|---|----------|---------|--------|
| <span style="background-color:#e1f5ff; color:#1F1E24; padding:4px 8px; border-radius:3px; display:inline-block; width:100%;">1</span> | **[Intake](#intake-workflow)** | How ProdSecEng receives, evaluates, and accepts tooling/automation work | 🚧 In development  |
| <span style="background-color:#e8f5e9; color:#1F1E24; padding:4px 8px; border-radius:3px; display:inline-block; width:100%;">2</span> | **[Maintenance & Inventory Prioritisation](#maintenance-and-inventory-prioritisation-workflow)** | Ongoing maintenance of existing tooling until product integration or sunsetting | 🚧 In development  |
| <span style="background-color:#e8f5e9; color:#1F1E24; padding:4px 8px; border-radius:3px; display:inline-block; width:100%;">2</span> | **[Maintenance & Inventory Prioritisation](#maintenance-and-inventory-prioritisation-workflow)** | Ongoing maintenance of existing tooling until product integration or sunsetting | Defined |
| <span style="background-color:#fff4e1; color:#1F1E24; padding:4px 8px; border-radius:3px; display:inline-block; width:100%;">3</span> | **[Co-create](#co-create-workflow)** | Collaborating directly with Product and Engineering; Product validation → Product integration | 🚧 In development |
| <span style="background-color:#fce4ec; color:#1F1E24; padding:4px 8px; border-radius:3px; display:inline-block; width:100%;">4</span> | **[Transition & Sunset](#transition-and-sunset-workflow)** | Migrate internal users to product feature and decommission internal tools | 🚧 In development |
| <span style="background-color:#fce4ec; color:#1F1E24; padding:4px 8px; border-radius:3px; display:inline-block; width:100%;">4</span> | **[Transition & Sunset](#transition-and-sunset-workflow)** | Migrate internal users to product feature and decommission internal tools | Defined |

### How the Workflows Connect
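
Review bot: The new status value "Defined" in rows 2 and 4 of the workflow table is not explained anywhere in the visible lines, and it drops the emoji prefix that the remaining rows keep ("🚧 In development"). Consider adding a one-line legend under the table saying what "Defined" means for a workflow, or use a matching marker so the Status column reads consistently.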

@@ -231,9 +231,6 @@ The tool then enters the [Maintenance workflow](#maintenance-and-inventory-prior

## Maintenance and Inventory Prioritisation Workflow

**Status:** 🚧 In development  
**Epic:** [ProdSecEng Tooling and Automation Inventory Review](https://gitlab.com/groups/gitlab-com/gl-security/product-security/product-security-engineering/-/work_items/52)

### Purpose

The maintenance workflow is the foundational loop that runs continuously after intake and before sunsetting. It ensures ProdSecEng can effectively support existing tooling and automation while prioritizing work toward product integration.
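
Review bot: Removing the "**Epic:**" line at the top of the Maintenance and Inventory Prioritisation section drops the only visible link to the "ProdSecEng Tooling and Automation Inventory Review" work item along with the status marker. If that epic still tracks the inventory review, keep the link here or move it to Related Resources so the tracking work item stays discoverable.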
@@ -275,8 +272,6 @@ Tools are categorized into one of the following path-forward categories:

### SLO/RTO Commitments

SLO/RTO definitions are currently being considered. 🚧

ProdSecEng provides different levels of support based on tool criticality:

| Criticality | SLO (Response Time) | RTO (Recovery Time) | Example |
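
Review bot: With the "SLO/RTO definitions are currently being considered" caveat removed under SLO/RTO Commitments, the criticality table that follows now reads as a firm commitment. Confirm that the response and recovery times in the table are agreed, and consider noting who approved them or when they were last reviewed, since teams relying on this tooling will plan around these numbers.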
@@ -370,8 +365,6 @@ Once the product feature is deployed to production, the co-create workflow hands

## Transition and Sunset Workflow

**Status:** 🚧 In development

### Purpose

The transition and sunset workflow manages the migration of internal users from internal tooling to product features, and the decommissioning of internal tools that are no longer needed.
@@ -385,6 +378,9 @@ This workflow is triggered in two scenarios:

### Key Activities

[Open a new Sunset Tooling issue](https://gitlab.com/gitlab-com/gl-security/product-security/product-security-engineering/product-security-engineering-team/-/issues/new?description_template=sunset_tooling)
which will guide you through the following activities.

#### For Post-Co-create Transitions

- **Plan migration:** Define migration timeline, communication plan, and success criteria
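
Review bot: The new "Open a new Sunset Tooling issue" link under Key Activities sits above both the "For Post-Co-create Transitions" and "For Direct Sunsets" lists, but the template is named sunset_tooling, so it is unclear whether it also covers the migration steps of a post-co-create transition. State which scenario the template applies to, or move the link under the matching subsection. The sentence also reads better as a full instruction with a comma before "which": "Open a new Sunset Tooling issue, which will guide you through the following activities."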
@@ -396,7 +392,7 @@ This workflow is triggered in two scenarios:

#### For Direct Sunsets

- **Validate sunset decision:** Confirm with stakeholders that the tool is no longer needed
- **Validate sunset decision:** Confirm with stakeholders that the tool is no longer needed.
- **Identify alternative solutions:** Document what users should do instead (use existing product feature, use different tool, etc.)
- **Communicate sunset timeline:** Give stakeholders clear notice
- **Decommission infrastructure:** Shut down infrastructure, archive repositories, update documentation
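
Review bot: The full stop added to the "Validate sunset decision" bullet makes it the only item in the visible Direct Sunsets list that ends with one; the bullets below it are left without. Either drop the full stop or add one to every bullet in the list.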
@@ -414,6 +410,13 @@ This workflow is triggered in two scenarios:
- Documentation updated to reflect new workflows
- Lessons learned documented

### Direct Sunset Alternative: Transfer

When ProdSecEng will no longer maintain a tool and plan to sunset it,
another team might be willing to own and maintain it instead.
If another owner is found, open a
[transfer tooling issue](https://gitlab.com/gitlab-com/gl-security/product-security/product-security-engineering/product-security-engineering-team/-/issues/new?description_template=transfer_tooling).

## Related Resources

- [Product Security Engineering Mission](/handbook/security/product-security/security-platforms-architecture/product-security-engineering/)
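
Review bot: In the new "Direct Sunset Alternative: Transfer" section, "another team might be willing to own and maintain it instead" does not say who looks for a new owner or at what point in the Direct Sunset activities that happens, so the transfer path is easy to miss once a sunset issue is already open. Consider adding a step for it in the Direct Sunsets list, for example next to "Identify alternative solutions", and linking to this section. Minor wording: "When ProdSecEng will no longer maintain a tool and plan to sunset it" should read "plans to sunset it".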