Security Management
Metadata
- Practice ID: TECH-SEC-01
- Status: Draft
- Version: 1.0
- Owner Role: Security Lead
- Guild: GL04 Technology Guild
- GitHub Team: @calab-ai/practice-team-security
- Entra Group: sg-practice-security
Purpose and Objectives
This practice defines how Calab.ai designs, implements, and monitors security controls across all systems and products. It ensures the organisation maintains a strong security posture through proactive risk management, vulnerability remediation, compliance controls, and security awareness.
Security Management owns lower-level security controls and implementation. When a security concern requires changes to the platform, Security Management raises it to Platform Architecture Management for guidance — similar to how Solution Engineering Management raises platform component needs. Platform Architecture Management is accountable for ensuring the platform continues to operate when changes arise from security findings.
Scope
In Scope
- Security controls design, implementation, and monitoring
- Security risk assessments and vulnerability management
- Access control policies and identity governance
- Security incident response procedures and playbooks
- Compliance controls and audit readiness
- Security awareness training and phishing simulations
- Application security review and secure coding standards
- Third-party security assessments and vendor risk management
Out of Scope
- Platform architecture changes required by security findings (escalate to Platform Architecture Management)
- Solution design decisions with security implications (coordinate with Solution Engineering Management)
- Day-to-day infrastructure operations (owned by operations teams)
- Business continuity planning (owned by Strategy Management, GL01)
Interfaces
Dependencies (Practices We Depend On)
- Platform Architecture Management (TECH-PLATARCH-01) — When security concerns require platform-level changes, Security Management raises them to Platform Architecture for guidance on implementation
- Software Engineering Management (TECH-SE-01) — Secure coding standards, code review security requirements, SAST/DAST integration
Dependents (Practices That Depend On Us)
- Solution Engineering Management (TECH-SOLARCH-01) — Security requirements and constraints for solution designs
- Platform Architecture Management (TECH-PLATARCH-01) — Security architecture patterns and compliance requirements
- All practices — Security policies apply organisation-wide
Related Practices and Resources
Related Practices
- Platform Architecture Management — Platform-level security architecture integration
- Solution Engineering Management — Security constraints for solution patterns
- Software Engineering Management — Secure coding and SAST/DAST
Key Processes
- Security Risk Assessment Process
- Vulnerability Management Process
- Security Incident Response Process
- Access Control Review Process
- Third-Party Security Assessment Process
- Security Architecture Review Process (coordinated with Platform Architecture Management)
Key Templates
- Security Risk Assessment Template
- Vulnerability Report Template
- Security Incident Response Playbook Template
- Third-Party Security Questionnaire Template
KPIs and Success Signals
- KPI 1: Mean time to remediate critical vulnerabilities (Target: ≤72 hours)
- KPI 2: Security assessment coverage of active products (Target: ≥90%)
- KPI 3: Security incidents per quarter (Target: 0 critical, ≤2 high)
- KPI 4: Security training completion rate (Target: 100% annually)
- Success Signal 1: Proactive identification of security risks before exploitation
- Success Signal 2: Smooth escalation workflow with Platform Architecture Management
Review Cadence
- Practice Review: Monthly (security posture review)
- Artefact Review: Quarterly (policies and controls), Monthly (vulnerabilities)
- Owner: Security Lead
Change Log
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-02-23 | Build Agent | Initial creation |