The 12 Principles behind the Manifesto
We still believe that the Agile Manifesto for Software Development’s principles have withstood the test of time and are completely relevant to, and perhaps always included, security and privacy. We therefore offer them here with slight refactoring to emphasize what has always been true:
- “Our highest priority,” even as security professionals, “is to satisfy the customer through early and continuous delivery of valuable software.”
- “Welcome changing” software, at any stage of the system’s lifecycle. Agile risk management “processes harness change for the customer's competitive advantage.”
- “Deliver working software frequently,” even as often as multiple times per hour, “with a preference to the shorter timescale,” without increasing security and privacy risk.
- Security & Privacy professionals, “business people, and developers must work together daily throughout the project.”
- “Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the [risk management] job done,” and implement the right controls in the right way.
- “The most efficient and effective method of conveying information to and within a development team is face-to-face conversation” or via APIs. Any GRC should be written in code with automated workflows to the greatest extent practical, not in static documents.
- Mission outcomes in prod are still “the primary measure of progress,” and risk professionals should view themselves as protagonists.
- “Agile [risk management] processes promote sustainable development” and operations. “The sponsors, [the cross-functional team], and users should be able to maintain a constant pace indefinitely.”
- “Continuous attention to technical excellence and good design,” which includes information security and privacy, “enhances agility.”
- “Simplicity--the art of maximizing the amount of work not done--is essential.”
- “The best [privacy/security] architectures, requirements, and designs emerge from self-organizing teams.”
- “At regular intervals, the [cross-functional] team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.”
This artifact draws heavily from the Manifesto for Agile Software Development, which can be found at: https://agilemanifesto.org/