Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED//LES
8 APPENDIX B: RISKS
This section identifies and quantifies any known risks that may be associated with this product development effort. This is not an enumeration of possible risks in the deployment and/or use of the product itself.
Any change in key personnel
o Possible Mitigation: Ensure that sufficient documentation of each phase of the software development lifecycle is created such that it would be possible for another person of similar technical expertise and background as the individual vacating the team to fill the vacancy in a reasonable time period.
The time between the acceptance of the software requirements and the delivery of the implementation is too long. If during the development period customer needs have changed then features may be implemented that are no longer necessary or done in a manner that is no longer useful.
o Possible Mitigation: Implement short feedback cycles measuring no more than 30 days. This could be a SCRUM-like process where the product team meets with the customer to formally agree to a feature/bug fix list for the quarter. Internally the product team then divides this work into monthly sprints which produce completed product fixes/enhancements in a 30‐day time‐box. It is unknown whether formal testing should be involved at the monthly or quarterly level.
The customer's prioritization changes outside of this specific effort, either increasing or decreasing the resources dedicated to this product and/or increasing or decreasing the urgency of delivery of this product
o Possible Mitigation: Again, use short feedback cycles to allow this change in priority to be reacted upon as soon as possible. Additionally, make sure all bugs and features are well documented and tracked in a bug tracking system. This will allow the product team to respond to a potential increase in urgency and/or resources on the project as well as provide a continuous pause point if the urgency and/or resources on the project are suddenly reduced.
Dependence on third‐party software. Purchasing, bug fixing, integration, etc.
o Possible Mitigation: ????