Security & Risk Management group) 1. Authentication/authorization decisions 2. System and data access 3. System and application changes, especially privileged changes 4. Data changes (CRUD) 5. Invalid CREATE SELF-SERVICE ACCESS TO TELEMETRY AND INFORMATION RADIATORS i. Spread the information – anyone who wants or needs the information can readily access it without production access or other privileged

existing enterprise architectures, frameworks, standards, or interfaces?  Can the development team access architecture documents and systems?  Are owners/representatives from these enterprise areas involved want to [goal], so I can [reason].24 For example, “As a registered user, I want to log in so I can access subscriber-only content.” User stories should have the following characteristics:  Concise changes made within a sprint? What is the process to review/approve?  Does the government have access or insight into the development environment (code, metrics)?  At the end of a sprint, does the

Route Adds – requires heightened security access  Database Data Script Execution  Load Balancer Node Disablement  OS and Security Patching  Requesting access to technology specific dashboards and consoles

container security, east/west traffic management, a zero-trust model, a whitelist, Role-Based Access Control (RBAC), continuous monitoring, signature-based continuous scanning using Common Vulnerabilities

monitor it more I need… • a Log Aggregation and Search service, but to install it I need… • root access on a bunch of servers, but I need more servers so I need… • an Infrastructure as a Service platform