GovReady / security-stories-nist800-53

A collection of security related user stories compatible with NIST Special Publication 800-53
GNU General Public License v2.0
32 stars, 15 forks

Can we combine families? #6

Closed jlyon closed 7 years ago

jlyon commented 7 years ago

@gregelin in https://docs.google.com/spreadsheets/d/1LjOoaIOjgY5U2LCM_bTS0BT-7aanbLz2nULdnuVfMpc/edit#gid=1610625244 under CA, the DOD mentions that their security assessment plan was a part of their security plan (PL family).

Do you think we should combine these into one larger story, or do we generally want to keep the families separate?

jlyon commented 7 years ago

Also, more generally, the first control in each family is kind of repetitive (come up with a policy, review it with some frequency). Do you think there is a good way to handle that other than just repeating ourselves over and over?

cc @aschmoe

gregelin commented 7 years ago

@jlyon, yes, combine whole families.

The controls as written are insanely granular, written to cover all eventualities. This creates a recurring cost for each team/project to mentally re-package the granularity into something sensible.

We want to do some pre-assembly of the parts via the user stories. We want to do smart integration to reduce the recurring costs.

It's better to have the stories make sense and be operational than it is to match the stories, or story families, one to one with the controls.