This standard ensures all credentials are short-lived and auditable by default, limiting exposure time and enabling traceability. It reduces the blast radius of potential breaches and supports rapid incident response.
Aligned to our "Zero Trust Architecture" policy, this standard enforces secure-by-design practices for identity and access management. Without it, secrets persist longer than necessary, increasing risk and eroding system trust.
Clearly defined impacts of meeting this standard include improved delivery flow, reduced risk, higher system resilience, and better alignment to business needs. Over time, teams will see reduced rework, faster time to value, and stronger system integrity.
Level 1 – Initial: Credentials are long-lived and rarely rotated.
Level 2 – Managed: Manual processes exist for rotating and auditing secrets.
Level 3 – Defined: Expiry policies and audit logging are consistently implemented.
Level 4 – Quantitatively Managed: Secret rotation and access are monitored and reported.
Level 5 – Optimising: Secrets are ephemeral by default and rotated automatically with full observability.

Secrets and tokens are issued with minimal lifetime and full traceability to reduce the blast radius of compromise.