Defines general GDPR security requirements and release gates for all projects to follow. In addition, an organization may define security policies as follows:

• Minimum security requirements for the release date
• IAM, privacy, key management, cryptography, and session management
• Security design best practices and templates

It may be a good practice to provide common security requirements as templates or policies for projects teams to follow. Furthermore, it will be more effective to provide or to suggest related implementation frameworks to build into products, which we will discuss in later chapters.