Post-Release Support (PRSA1–5) 239
• Privacy experts should be directly involved in all incidents that fall
into the P1 and P2 categories described earlier in this book.
• Additional development, quality assurance, and security resources appropriate for handling potential post-release privacy issues should be identified during the SDL process so that they can participate in post-release privacy incident response.
• Software development organizations should develop their own privacy response plan or modify the Microsoft SDL Privacy Escalation Response Framework (Appendix K)⁵ for their own use. This plan should include risk assessment, detailed diagnosis, short-term and long-term action planning, and implementation of action plans. As with the PSIRT responses outlined above, the response might include creating a patch or other risk-remediation procedures, replying to media inquiries, and reaching out to the external discoverer.
8.2.3 Optimizing Post-Release Third-Party Response
Collaboration between different teams and stakeholders provides the best possible chance of success in post-release response. The collective of software security champions, software security evangelists, and an ongoing formal software security programmatic relationship with the software development product managers and quality team, supporting and collaborating with the centralized software security team as proposed in this book, provides several distinct advantages over teams dedicated solely to handling post-release PSIRT and privacy support:
• Direct PSIRT and privacy response ownership is achieved by embedding these functions into the engineering and development groups responsible for fixing the product affected by the discovered vulnerability or privacy issue.
• Direct knowledge of the code, architecture, and overall software product design and functionality, combined with direct influence on the remediation process, results in greater efficiency, control, and responsiveness than an external organizational entity without direct knowledge of the product can provide. Essentially, this removes the middleman and streamlines the process.
• This process provides for better return on investment for both the
PSIRT and the privacy response function through the leverage