
Standard: Sensitive data and credentials are managed securely

Purpose and Strategic Importance

This standard ensures sensitive data and credentials are stored, accessed, and rotated securely using modern secrets management practices. It protects systems from breaches and supports compliance with security and privacy requirements.

Aligned to our "Data-Driven Decision-Making" and "Zero Trust Architecture" policies, this standard reduces risk exposure and builds user and stakeholder trust. Without it, systems are vulnerable to misuse, outages, and reputational damage.

Strategic Impact

Clearly defined impacts of meeting this standard include improved delivery flow, reduced risk, higher system resilience, and better alignment to business needs. Over time, teams will see reduced rework, faster time to value, and stronger system integrity.

Risks of Not Having This Standard

  • Reduced ability to respond to change or failure
  • Accumulation of technical debt or friction
  • Poor developer experience and morale
  • Decreased confidence in releases and features
  • Misalignment between technical implementation and business priorities

CMMI Maturity Model

  • Level 1 – Initial: Secrets and credentials are stored insecurely or managed manually.
  • Level 2 – Managed: Teams follow basic handling practices, but gaps remain.
  • Level 3 – Defined: Secure storage, access controls, and rotation policies are standardised.
  • Level 4 – Quantitatively Managed: Secret usage and access logs are monitored and reviewed.
  • Level 5 – Optimising: Secrets management is fully automated, auditable, and resilient to misuse.

Key Measures

  • Adoption metrics relevant to the standard (to be defined)
  • Quality, throughput, and system health metrics aligned to capability
  • Maturity scores based on structured assessment

Associated Policies

  • Data-Driven Decision-Making
  • Secure by Design

Associated Practices

  • Infrastructure Threat Detection
  • Zero Trust Architecture
  • Identity Federation
  • Just-in-Time Access
  • Secret Rotation Automation
  • Software Composition Analysis (SCA)
  • Dynamic Application Security Testing (DAST)
  • Multi-Factor Authentication (MFA)
  • Secrets Management in Pipelines
  • Static Application Security Testing (SAST)
