Apps and Tools Policy
At Figuro, we rely on various services and tools to develop, deploy, and maintain our products. To ensure consistency and security, we have established the following guidelines for the engineering team:
Selection of Services and Tools.
All services and tools used in the development process should be approved by the management team. We prioritize tools that have a proven track record, are well-maintained, and have a strong user community. Whenever possible, we prefer open-source tools that can be customized to fit our needs.
Documentation.
Documentation is a key aspect of our development process. All tools and services should have clear and up-to-date documentation. The engineering team is responsible for keeping the documentation for their respective projects accurate and comprehensive.
Security.
We take security seriously and prioritize tools and services that have strong security features. The engineering team should follow secure coding practices and ensure that all data is protected throughout the development and deployment process.
Integration.
We use multiple tools and services in our development process. It is important that they are integrated in a way that minimizes manual work and avoids data inconsistencies. The engineering team should work closely with the DevOps team to ensure seamless integration of all tools and services.
Cost.
While cost is not the only factor to consider, it is important to ensure that services and tools are cost-effective. The engineering team should regularly review the usage of all services and tools and optimize them for cost efficiency.
Risk Assessment.
The following table summarizes the risks associated with the use of third-party services and tools. The risks are categorized by their impact and likelihood, and the overall risk is determined by multiplying the impact and likelihood.
| Risk | Description | Impact | Likelihood | Mitigation | Overall Risk |
|---|---|---|---|---|---|
| Unauthorized access to customer data | Unauthorized access to customer data by an attacker or an insider threat | 🔴 | 🟡 | Regular security audits and data encryption | 🔴 |
| Service interruption | Service interruption due to a failure in the provider's infrastructure or maintenance | 🔴 | 🔴 | Redundancy and SLA enforcement | 🔴 |
| Non-compliance with legal regulations | Failure to meet legal requirements and regulations | 🔴 | 🟠 | Regular compliance audits and training | 🔴 |
| Data loss or corruption | Data loss or corruption due to a failure in the provider's infrastructure or a disaster | 🔴 | 🟠 | Redundancy and disaster recovery plan | 🟠 |
| Inadequate capacity to scale | Inadequate capacity to handle the load of the customer's application | 🔴 | 🟠 | Autoscaling, load testing | 🟠 |
| Vendor lock-in | Dependency on the provider's platform or services, with high switching costs | 🟡 | 🟠 | Use industry standard technologies and formats | 🟠 |
| Deprecation of the service | Deprecation of the service by the provider | 🟠 | 🟡 | Regular review of the service and company | 🟠 |
| Breach of SLA | Breach of SLA terms by the provider | 🟠 | 🟡 | Compensation for SLA breaches | 🟡 |
| Integration difficulties | Integration difficulties due to the provider's platform or services | 🟠 | 🟡 | Standard APIs and documentation | 🟡 |
| Performance issues | Performance issues due to the provider's platform or services | 🟠 | 🟡 | Regular monitoring and optimization | 🟡 |
| Documentation or customer support | Inadequate documentation or customer support | 🟠 | 🟡 | Documenting our own processes | 🟢 |
- 🛑 High: Risk needs immediate attention and mitigation efforts to avoid potential damage.
- 🟠 Medium: Risk needs to be monitored and addressed with mitigation efforts in place.
- 🟡 Low: Risk can be accepted with mitigation measures in place or monitored for changes.
- 🟢 Negligible: Risk can be accepted with no mitigation measures in place.
Each service or tool should be assessed for its risks and the overall risk should be determined. The engineering team should work with the management team to determine the appropriate risk level for each service or tool.
By following these guidelines, we can ensure that our development process is efficient, secure, and cost-effective.