What you need to know

• Set up a quality assurance framework based on the severity of the consequences of a security breach.
• If you're using Agile, consider managed web application firewall services, cloud-based vulnerability testing tools, period security iterations, a security evangelist in your team and ongoing third party code review.

What the framework should do

The framework should ensure:

1. security and privacy considerations are taken into account throughout all phases of development and maintenance (regardless of methodology used or whether development is outsourced)
2. ongoing security and privacy management and monitoring of operational websites or services.

When you use a framework you can guarantee that a risk is acceptable to your department and that it is fit for purpose.

Goals of the framework

A quality assurance framework should:

1. Identify checkpoints throughout phases of a project to ensure security and privacy concerns are assessed and treated appropriately.
2. Identify responsibilities and accountabilities for each activity.
3. Allow variation in completeness to accommodate projects with varying levels of risk impact.
4. Establish practices for maintaining security and privacy (including incident mitigation and management) through the life of the site or service.
5. Conclude with a declaration by the business owner that it is fit for purpose and that any risk associated with deploying it is acceptable to the agency, and that it will be regularly reviewed.

Example framework

You can modify the table below for your own projects.

Bold items are relevant to all projects.

Project start-up

Process	Who is responsible	Who is accountable	Who can support you
Confirm information security classification: Identify appropriate level of classification of information held in the system	Business owner	Chief Security Officer / Departmental Security Officer	Chief Information Security Officer (CISO) / IT Security Manager (ITSM)
Business risk assessment: Identify business risks that will be inherited by the system	Business owner	Deputy Chief Executive	Risk Adviser
Privacy impact assessment: Does the system contain personal information? Determine if formal PIA is required in order to meet the Information Privacy Principles.	Business owner	Deputy Chief Executive	Legal
Business continuity management requirements: Determine levels of availability required	Business owner	Deputy Chief Executive	ITSM
Statement of applicable standards and legislation: Baseline definition of privacy and security compliance	Business owner	ITSM	Legal

Project initiation

Process	Who is responsible	Who is accountable	Who can support you
Identify security functional testing requirements: Identify required controls	IT Security Manager (ITSM)	Business owner	Project manager
Identify security and privacy governance and management framework: Define roles and responsibilities in procedures, audit, reporting, management, and risk management, decisions on retention and disposal of information	ITSM	Business owner	Project manager

Design stage

Process	Who is responsible	Who is accountable
Security risk assessment: Define technical and business risks to the system	Project manager	Business owner
Risk mitigation plan, based on security risk and PIA: Define measures to reduce risks to acceptable levels. Mitigations may include technical controls, processes and procedures, and information provided to the public.	Project manager	Business owner
Design review: Validate that system and procedures will meet baseline privacy and security requirements	Project manager	Business owner
Statement of work for security assurance services: Document requirements for security review and assessment	Project manager	Business owner

Implementation stage

Process	Who is responsible	Who is accountable
Present-state security assessment: Independent testing to ensure security controls meet requirements as per Statement of work	IT Security Manager (ITSM)	Chief Information Security Officer (CISO)
Future-state security assessment: Are plans and procedures in place to protect the system in the future?	ITSM	CISO
Security certification: Document that baseline compliance is met and risks are mitigated or accepted	CISO	CISO

Closure and launch stage

Process	Who is responsible	Who is accountable
Authorisation to operate: Formal acceptance of residual risks	Business owner	Chief Executive

Additional development techniques

If your department uses Agile development practices with frequent code releases you should assess the benefit of the following techniques and measures:

1. Managed Web Application Firewall services can provide a layer of protection in front of the application. They are especially valuable for rapidly-iterating Agile projects.
2. Vulnerability testing tools and services running on a repeating schedule can add assurance through:
   1. visibility of changes implemented since previous assessments
   2. exposing any new vulnerabilities introduced — for example, through the introduction of third party embedded code by a well-meaning content manager, changes in technology or the threat landscape or new forms of malware
   3. basic regression testing to identify changes that have introduced new vulnerabilities to existing code.
3. There are several cloud-based services available for this purpose at relatively low cost.
4. “Malicious (negative) user” stories can be added to a backlog in which stories are crafted around users with malicious intent, such as wishing to deface a site for ‘hacktivist’ purposes, or seeking to gain unauthorised access to protected information.
5. Periodic security iterations whose sole focus is to minimise security and privacy risks, and minimise the ‘security debt’.
6. Including a security and/or privacy evangelist on the development team.
7. Ongoing third party code review, peer review and automated tools (such as Scrutinizer or Sensio for the PHP stack).
8. An https-everywhere policy provides additional protection against several vulnerabilities.
9. Content Security Policies implemented in HTTP headers also provides additional protection.
10. Developers should be encouraged to review the guidance provided by safecode.org