## 4.10 Compliance & Security

The PM2-Agile model is enterprise-aware and takes the Organisation's policies and communications related to information systems into account when addressing the following aspects:

- Document management.
- Data protection.
- Security.

**Document Management**

When building a solution that incorporates a document management aspect, regardless of the medium, it is important to consider the organisation's defined procedures when implementing it. PM2-Agile recommends creating a checklist based on the defined procedures to verify whether document management considerations are applicable to the project. This checklist should be used when outlining the Architecture Overview.

Another key aspect of the document management approach is to guarantee as much interoperability as possible between systems and users.

**Data Protection**

PM2-Agile recommends that guidance on data protection is defined as part of the software engineering practices and is aligned with the applicable legislation. By default, PM2-Agile focuses on the General Data Protection Regulation (Regulation (EU) 2016/679), which contains provisions and requirements related to the processing of personal data of individuals.

When developing a solution, specific data processing requirements must be documented. Addressing data protection issues also requires close collaboration between several roles to ensure that the need to process personal data is properly managed. The Architecture Overview must reflect all these considerations when proposing the high-level architecture strategy.

**Security**

Because security is a critical aspect in any organisation, PM2-Agile recommends defining a specific practice to address it when building a solution. This practice should include a Security Plan that documents all security-related activities and lists all the actions required to ensure that the system is developed in a secure environment and contains the appropriate security features.
The Security Plan should define the security requirements and provide a step-by-step management plan to meet those requirements. It should also form part of an encompassing Security Certification Statement, whose purpose is to test and evaluate the technical features of the system, review the related administrative, personnel, and physical safeguards anticipated for the system's environment, and provide senior management's formal acceptance of all residual risks. Additional elements to include in a Security Certification Statement are the Security Test Plan and Report, and the Security Risk Assessment.