| Business Function | Practice | Example Score | Illustrative Observation |
|---|---|---|---|
| Governance | Strategy & Metrics | 2.40 | Central KPIs exist but targets are inconsistent across business units. |
| Governance | Policy & Compliance | 2.10 | Strong baseline policies, limited automated evidence collection. |
| Governance | Education & Guidance | 1.80 | Secure coding guidance exists; role-based coaching is uneven. |
| Design | Threat Assessment | 2.00 | Threat modeling is required for Tier-1 services only. |
| Design | Security Requirements | 2.30 | Requirements are captured, but traceability to backlog is partial. |
| Design | Secure Architecture | 2.20 | Architecture reviews occur for material changes; API review coverage can improve. |
| Implementation | Secure Build | 2.50 | Branch protection and CI policies are mature; attestations not universal. |
| Implementation | Defect Management | 2.10 | Findings flow is operational; aging and exceptions need tighter governance. |
| Implementation | Secure Deployment | 2.00 | Pre-prod controls are present; release approval evidence is fragmented. |
| Verification | Design Review | 1.90 | Manual design review coverage is below target for critical products. |
| Verification | Code Review | 2.40 | Peer review is mature; security-specific review heuristics vary by team. |
| Verification | Security Testing | 2.30 | SAST/SCA/DAST are integrated; business logic testing is inconsistent. |
| Operations | Incident Management | 2.20 | PSIRT path exists, but product-specific playbooks are incomplete. |
| Operations | Environment Management | 2.40 | Cloud posture and Kubernetes baseline controls are in place. |
| Operations | Operational Management | 2.10 | Runtime telemetry exists; ownership of response evidence needs clarity. |