This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/security-readiness-levels.md

2.3 KiB

Security Readiness Levels

Status: initial readiness model extracted from the genesis exploration

Purpose

Readiness levels make the catalog operational. They define how strong a capability or pattern must be before it is trusted for a given deployment stage.

Levels

Level Name Suitable for Minimum expectations
RL0 Experimental local prototypes no production data, no external users, no real secrets in code
RL1 Internal alpha internal use central login preferred, basic access control, secrets not committed, known risks documented
RL2 Private beta selected external users tenant model defined, isolation tested, backups configured, security logging centralized
RL3 Production paid customers MFA for privileged users, least privilege, secrets rotation, auditable admin actions, restore tested
RL4 Regulated production high-trust or regulated customers formal risk management, customer audit logs, artifact provenance, stronger data residency and deletion controls

Pattern Maturity

Pattern maturity is related to readiness, but not identical:

seed -> draft -> reviewed -> canonical -> deprecated
  • seed: captured from exploration, source notes, or external reading.
  • draft: written in the pattern template with initial mapping.
  • reviewed: checked for threat model, ownership, and verification.
  • canonical: accepted as the recommended NetKingdom pattern.
  • deprecated: retained for history but no longer recommended.

Evidence By Level

Evidence RL1 RL2 RL3 RL4
owner named required required required required
threat notes useful required required required
verification checklist useful required required required
operational runbook optional useful required required
audit hooks optional useful required required
restore or failure drill optional useful required required
standards mapping optional useful useful required

NetKingdom Default

Patterns that touch identity, authorization, secrets, tenant isolation, or privileged access should not be marked canonical below RL3 unless their production limitations are explicitly documented.