Security and privacy assurance
You need to establish a quality assurance framework based on the severity of the consequences of a breach in security or privacy.
What you need to know
- Set up a quality assurance framework based on the severity of the consequences of a security breach.
- If you're using Agile, consider managed web application firewall services, cloud-based vulnerability testing tools, periodic security iterations, a security evangelist in your team and ongoing third party code review.
What the framework should do
The framework should ensure:
- security and privacy considerations are taken into account throughout all phases of development and maintenance (regardless of methodology used or whether development is outsourced)
- ongoing security and privacy management and monitoring of operational websites or services.
Using a framework lets you confirm that the residual risk is acceptable to your department and that the site or service is fit for purpose.
Goals of the framework
A quality assurance framework should:
- Identify checkpoints throughout phases of a project to ensure security and privacy concerns are assessed and treated appropriately.
- Identify responsibilities and accountabilities for each activity.
- Allow variation in completeness to accommodate projects with varying levels of risk impact.
- Establish practices for maintaining security and privacy (including incident mitigation and management) through the life of the site or service.
- Conclude with a declaration by the business owner that it is fit for purpose and that any risk associated with deploying it is acceptable to the agency, and that it will be regularly reviewed.
Example framework
You can modify the table below for your own projects.
Bold items are relevant to all projects.
Project start-up
| Process | Who is responsible | Who is accountable | Who can support you |
| --- | --- | --- | --- |
| Confirm information security classification: Identify the appropriate level of classification for information held in the system | Business owner | Chief Security Officer / Departmental Security Officer | Chief Information Security Officer (CISO) / IT Security Manager (ITSM) |
| Business risk assessment: Identify business risks that will be inherited by the system | Business owner | Deputy Chief Executive | Risk Adviser |
| Privacy impact assessment: Does the system contain personal information? Determine whether a formal PIA is required in order to meet the Information Privacy Principles. | Business owner | Deputy Chief Executive | Legal |
| Business continuity management requirements: Determine the levels of availability required | Business owner | Deputy Chief Executive | ITSM |
| Statement of applicable standards and legislation: Baseline definition of privacy and security compliance | Business owner | ITSM | Legal |
Project initiation
| Process | Who is responsible | Who is accountable | Who can support you |
| --- | --- | --- | --- |
| Identify security functional testing requirements: Identify required controls | IT Security Manager (ITSM) | Business owner | Project manager |
| Identify security and privacy governance and management framework: Define roles and responsibilities for procedures, audit, reporting, management and risk management, and decisions on retention and disposal of information | ITSM | Business owner | Project manager |
Design stage
| Process | Who is responsible | Who is accountable |
| --- | --- | --- |
| Security risk assessment: Define technical and business risks to the system | Project manager | Business owner |
| Risk mitigation plan, based on security risk assessment and PIA: Define measures to reduce risks to acceptable levels. Mitigations may include technical controls, processes and procedures, and information provided to the public. | Project manager | Business owner |
| Design review: Validate that the system and procedures will meet baseline privacy and security requirements | Project manager | Business owner |
| Statement of work for security assurance services: Document requirements for security review and assessment | Project manager | Business owner |
Implementation stage
| Process | Who is responsible | Who is accountable |
| --- | --- | --- |
| Present-state security assessment: Independent testing to ensure security controls meet requirements as per the Statement of work | IT Security Manager (ITSM) | Chief Information Security Officer (CISO) |
| Future-state security assessment: Are plans and procedures in place to protect the system in the future? | ITSM | CISO |
| Security certification: Document that baseline compliance is met and risks are mitigated or accepted | CISO | CISO |
Closure and launch stage
| Process | Who is responsible | Who is accountable |
| --- | --- | --- |
| Authorisation to operate: Formal acceptance of residual risks | Business owner | Chief Executive |
Additional development techniques
If your department uses Agile development practices with frequent code releases you should assess the benefit of the following techniques and measures:
- Managed Web Application Firewall services can provide a layer of protection in front of the application. They are especially valuable for rapidly-iterating Agile projects.
- Vulnerability testing tools and services running on a repeating schedule can add assurance through:
  - visibility of changes implemented since previous assessments
  - exposing any new vulnerabilities introduced — for example, through the introduction of third party embedded code by a well-meaning content manager, changes in technology or the threat landscape, or new forms of malware
  - basic regression testing to identify changes that have introduced new vulnerabilities into existing code.
  There are several cloud-based services available for this purpose at relatively low cost.
- “Malicious (negative) user” stories can be added to a backlog in which stories are crafted around users with malicious intent, such as wishing to deface a site for ‘hacktivist’ purposes, or seeking to gain unauthorised access to protected information.
- Periodic security iterations whose sole focus is to minimise security and privacy risks, and minimise the ‘security debt’.
- Including a security and/or privacy evangelist on the development team.
- Ongoing third party code review, peer review and automated tools (such as Scrutinizer or Sensio for the PHP stack).
- An https-everywhere policy provides additional protection against several vulnerabilities.
- Content Security Policies implemented in HTTP headers also provide additional protection.
- Developers should be encouraged to review the guidance provided by safecode.org.
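As an added example (not part of the original guidance), the check below is the kind of scheduled, repeatable test the list above calls for: it inspects one HTTP response's headers for the https-everywhere measure (HSTS) and for a Content Security Policy that does not weaken script protection. The max-age floor, the weak-source list and the sample headers are constructed assumptions.

```python
# Added example: scheduled header check for HSTS and CSP. The threshold and
# sample headers below are constructed assumptions, not values from the guidance.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600          # assumed floor: 180 days
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(value):
    """Split "default-src 'self'; script-src cdn.example" into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def assess_headers(headers):
    """Return findings (strings) for a dict of response headers; names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will not enforce https-everywhere")
    else:
        max_age = 0
        for token in hsts.split(";"):           # e.g. "max-age=31536000; includeSubDomains"
            name, _, val = token.strip().partition("=")
            if name.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no Content-Security-Policy header")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do
        script_src = policy.get("script-src", policy.get("default-src", []))
        for weak in sorted(WEAK_SCRIPT_SOURCES & set(script_src)):
            findings.append(f"CSP script-src allows {weak}")
    return findings


# Constructed sample responses: one weak, one hardened.
WEAK = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess_headers(hdrs) or ["no findings"])
```

Run it against a live site by feeding it the headers returned by your HTTP client on each scheduled scan and diffing the findings against the previous run.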