
Standard: Sensitive data and credentials are managed securely

Purpose and Strategic Importance

This standard ensures sensitive data and credentials are stored, accessed, and rotated securely using modern secrets management practices. It protects systems from breaches and supports compliance with security and privacy requirements.

Aligned with our "Data-Driven Decision-Making" and "Secure by Design" policies, this standard reduces risk exposure and builds user and stakeholder trust. Without it, systems are exposed to credential misuse, outages, and reputational damage.

Strategic Impact

  • Stronger compliance with privacy and security regulations
  • Improved ability to respond to incidents with traceable credentials
  • Reduced downtime due to secrets-related failures
  • Greater trust in systems and team security posture

Risks of Not Having This Standard

  • Hardcoded or leaked credentials expose systems to breaches
  • Difficult or risky credential rotation processes
  • Compliance gaps with industry standards and regulations
  • Increased friction during incident response
  • Erosion of user trust and developer confidence

CMMI Maturity Model

Level 1 – Initial

Category                Description
People & Culture        Secrets are shared manually or stored in code. Security practices are not prioritised.
Process & Governance    No formal processes for secrets management.
Technology & Tools      Use of plaintext files or ad-hoc mechanisms for storing credentials.
Measurement & Metrics   No visibility into secrets usage or access patterns.

Level 2 – Managed

Category                Description
People & Culture        Teams understand basic credential hygiene. Practices are inconsistent across environments.
Process & Governance    Manual processes exist for rotation and revocation.
Technology & Tools      Secrets may be stored in basic tools (e.g., environment variables) with limited control.
Measurement & Metrics   Some critical secrets are monitored for rotation or expiry.

Level 3 – Defined

Category                Description
People & Culture        Teams are trained in secure secrets handling. Policies are communicated and adopted.
Process & Governance    Standardised procedures exist for secure storage, rotation, and access control.
Technology & Tools      Dedicated secrets managers (e.g., Vault, AWS Secrets Manager) are used.
Measurement & Metrics   Logs track secrets access and policy adherence.

Level 4 – Quantitatively Managed

Category                Description
People & Culture        Teams are proactive about reducing secrets sprawl. Security ownership is distributed.
Process & Governance    Usage patterns and violations are reviewed regularly. Policies are continuously improved.
Technology & Tools      Access is governed via RBAC and automated revocation. Integrations are secure by default.
Measurement & Metrics   Secrets lifecycle metrics (e.g., rotation age, access frequency) are tracked.

Level 5 – Optimising

Category                Description
People & Culture        A culture of zero trust and secure automation is embedded.
Process & Governance    Continuous feedback from incidents informs secrets policies.
Technology & Tools      End-to-end automation manages secrets generation, rotation, revocation, and alerting.
Measurement & Metrics   Anomalous access and threat patterns are detected automatically and remediated.

Key Measures

  • % of secrets stored using approved secrets management tooling
  • Average age of credentials before rotation
  • % of services with automated secret rotation enabled
  • Time to revoke exposed or outdated credentials
  • % of secrets with access logging and policy enforcement enabled

Associated Policies
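The measures above are only useful if they are computed the same way every time. The following is an added example (not part of this standard or of any named tool) showing how four of the five measures can be derived from a secrets inventory: the inventory records, the set of approved stores, the 90-day rotation threshold and the dates are all constructed for illustration. "Time to revoke" is omitted because it needs incident timestamps rather than inventory data. Secrets that have never been rotated are treated as overdue rather than silently skipped, and an empty inventory yields 0% rather than a division error.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class SecretRecord:
    """One row of a secrets inventory (constructed schema for this example)."""
    name: str
    store: str                    # where the secret lives, e.g. "vault", "env-var", "repo"
    last_rotated: Optional[date]  # None means never rotated or unknown
    auto_rotation: bool           # rotation handled by tooling, not by hand
    access_logging: bool          # reads of the secret are logged
    policy_enforced: bool         # an access policy (RBAC etc.) gates reads


# Assumed list of approved stores; adjust to your organisation's tooling.
APPROVED_STORES = {"vault", "aws-secrets-manager"}

# Fixed "today" so the example is deterministic.
AS_OF = date(2024, 6, 1)

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY: List[SecretRecord] = [
    SecretRecord("db-password", "vault", AS_OF - timedelta(days=30), True, True, True),
    SecretRecord("api-token", "aws-secrets-manager", AS_OF - timedelta(days=120), False, True, False),
    SecretRecord("ci-deploy-key", "env-var", None, False, False, False),
    SecretRecord("smtp-password", "repo", AS_OF - timedelta(days=400), False, False, False),
]


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 for an empty denominator."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def key_measures(records: List[SecretRecord], today: date, max_age_days: int = 90) -> Dict[str, object]:
    """Compute the standard's Key Measures over an inventory as of `today`."""
    total = len(records)
    ages = [(today - r.last_rotated).days for r in records if r.last_rotated is not None]
    overdue = sorted(
        r.name for r in records
        if r.last_rotated is None or (today - r.last_rotated).days > max_age_days
    )
    return {
        "pct_in_approved_tooling": pct(sum(r.store in APPROVED_STORES for r in records), total),
        # Average age only over secrets with a known rotation date; never-rotated
        # secrets are surfaced in `overdue` instead of being averaged away.
        "avg_rotation_age_days": round(sum(ages) / len(ages), 1) if ages else None,
        "pct_auto_rotation": pct(sum(r.auto_rotation for r in records), total),
        "pct_logged_and_enforced": pct(sum(r.access_logging and r.policy_enforced for r in records), total),
        "overdue": overdue,
    }


if __name__ == "__main__":
    for measure, value in key_measures(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{measure}: {value}")
```

The `overdue` list is the actionable output: it names the credentials that breach the rotation threshold, which is what a Level 2 team would review by hand and a Level 4 team would feed into automated revocation.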
  • Data-Driven Decision-Making
  • Secure by Design

Associated Practices
  • Multi-Factor Authentication (MFA)
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Secrets Management in Pipelines
  • Software Composition Analysis (SCA)
  • Identity Federation
  • Secret Rotation Automation
  • Just-in-Time Access
  • Infrastructure Threat Detection
  • Zero Trust Architecture
