A4 Peer-reviewed article in conference proceedings

Case Study of Security Development in an Agile Environment: Building Identity Management for a Government Agency




Authors: Kalle Rindell, Sami Hyrynsalmi, Ville Leppänen

Editors: Dominik Engel, Stephen B. Wicker

Established conference name: International Conference on Availability, Reliability and Security

Publication year: 2016

Title of the proceedings: Proceedings of 11th International Conference on Availability, Reliability and Security (ARES)

First page: 556

Last page: 563

Number of pages: 8

ISBN: 978-1-5090-0990-9

DOI: https://doi.org/10.1109/ARES.2016.45

Web address: http://ieeexplore.ieee.org/document/7784619/


Abstract

In contemporary software development projects and computing tasks,
security concerns have an increasing effect, and sometimes even guide
both the design and the project's processes. In certain environments,
the demand for security becomes the main driver of the development.
In these cases, the development of the product requires special security
arrangements for development and hosting, and specific
security-oriented processes for governance. Compliance with these
requirements using agile development methods may not only be a chance to
improve the project efficiency, but can in some cases, such as in the
case discussed in this paper, be an organizational requirement. This
paper describes a case of building a secure identity management system
and its management processes, in compliance with the Finnish
government's VAHTI security instructions. The building project was to be
implemented in accordance with the governmental security instructions,
while following the service provider's own management framework. The
project itself was managed with Scrum. The project's steering group required
the use of Scrum, and this project may be viewed as a showcase of
Scrum's suitability to multi-teamed, multi-site, security
standard-compliant work. We also discuss the difficulties of fulfilling
strict security regulations regarding both the development process and
the end product in this project, and the difficulties of utilizing Scrum to
manage a multi-site project organization. Evaluation of the effects of
the security work on project cost and efficiency is also presented.
Finally, suggestions to enhance the Scrum method for security-related
projects are made.


Downloadable publication

This is an electronic reprint of the original article.
This reprint may differ from the original in pagination and typographic detail. Please cite the original version.





Last updated on 2024-26-11 at 21:03