Project lifecycle

Updated over 8 months ago

In Tenacy, projects follow a sequential lifecycle based on industry best practices: Initiate, Requirements, Design, Build, Validation, Production and, optionally, Follow-up.

Each stage corresponds to a security activity. The current stage is highlighted.

You can move to the next stage (but not skip ahead to a later one) by clicking on it, at which point you will be asked for the actual end date of the current stage.

You can also revert to a previous stage by clicking on it.

Initiate

In this stage, a project analysis determines:

  • Whether the criticality of the associated perimeter (application or provider) needs to be reviewed

  • The requirements applicable to the project, in the form of the questionnaires and policies associated with the perimeter (assigning the perimeter to a perimeter group makes this easier to manage)

  • The security validation tests to be performed before going into production.

Tests tab

The Tests tab lists the security tests to be conducted. To add a test, use the add button on this tab.

Test scores will typically be recorded during the Validation stage.

Requirements

This stage involves identifying necessary actions in terms of information security. This identification is done by evaluating compliance against security requirements and listing actions needed to correct observed gaps.

Evaluations tab

You can create evaluation campaigns for the relevant policies using the button on this tab.

Two main choices are available for configuring evaluations:

  1. Action Configuration

You can allow or require the entry of actions for non-compliant responses, which builds an action plan for the project that is tracked in the later stages.

  2. Evolving Evaluation or Re-evaluation

💡You can choose to keep the evaluation open throughout the project. If corrective actions are identified during the evaluation, a review of the evaluation is proposed once these actions are completed. Compliance then evolves over time, but the initial compliance level is not retained. This is the recommended option.

Alternatively, you can close the initial campaign to freeze its result.

In that case, completing the actions does not affect the frozen evaluation for the rest of the project; to measure the improvement after the corrective actions, you must launch a new evaluation campaign.

Reuse of Results

If evaluations have already been conducted on certain policies (within the same project or previous projects), the results can be transferred.

Launching Evaluations

To start an evaluation, click on the context icon under the Evaluations tab.

Then click on the line to conduct the evaluation. The process is the same as for evaluations within campaigns.

You can view detailed evaluation results at any time by clicking on the context icon.

Actions tab

💡It is crucial during the evaluation phase to capture necessary compliance actions, as these will be tracked in subsequent phases.

Identified actions are listed under the Actions tab.

Click on an action to modify it.

Design

At the beginning of the Design phase, evaluations should be completed, and all actions required to address gaps should be identified.

This phase ensures that the required actions are properly planned for execution in the Build phase.

By the end of this phase, all actions should be planned.

Build

At the beginning of the Build phase, all actions should be planned.

This phase involves tracking the execution of identified actions to correct gaps.

By the end of this phase, all actions should be completed.

Validation

In this stage, the build is typically finished and the application is available in an environment where the required tests can be performed. Based on the evaluation, the gap correction and the test scores, the security contact gives an opinion on the application's readiness for production.

Recording Test Results

The Tests tab contains the list of tests to be performed. For each test, you can enter a score (on a scale from 0 to 100, with 100 being the ideal result).

Detailed test result files can be added for reference in the Files tab.

Additional Actions

At this stage, the build actions should be completed, but corrective actions may still be needed, particularly to fix vulnerabilities or flaws revealed by the tests.

Actions can be added from the Actions tab using the add button on that tab.

Security position

The security position can have three values:

  • Unfavorable: It is recommended not to put the application into production as is because the risks are unacceptable.

  • With Reservation: The application can go into production, but risks remain that should be corrected within a reasonable timeframe.

  • Favorable: The application can go into production as is.

When entering an opinion of With Reservation or Unfavorable, you will be prompted to specify an explanatory message, which will be automatically added to the activity stream.

💡If the project manager defined for the project is a user account (not an external person), they immediately receive an email notification of the security opinion together with the associated message.

Production

In this stage, the project is expected to go into production. Security activities may include resolving any remaining reservations by closing the last actions.

Remaining actions can be tracked in the Actions tab, and new actions can be created.

The security contact can update the security opinion (e.g., from With Reservation to Favorable).

Additional tests may also be performed.

Follow-up

The Follow-up stage is optional. If all actions are completed, the project is directly closed after the Production phase. If there are open actions, the project enters the Follow-up stage. It is in production, but there are still actions to address.

During follow-up, you can still modify the security opinion and create or update actions.

A button allows you to close the project at any time, even if actions are still in progress.

The actions will remain in their state at the time of closure. Evaluation campaigns will be closed.

🔎You can view a closed project, but you cannot modify associated information (evaluations, test scores, security opinion, etc.).

Activity Stream

An activity stream, accessible via its button, allows comments to be exchanged and records all stage changes, security decisions and test score entries.
