Security and privacy assurance
- Set up a quality assurance framework based on the severity of the consequences of a security breach
- If using Agile development practices, consider using managed web application firewall services, cloud-based vulnerability testing tools, period security iterations, including a security evangelist in your team and on-going third party code review.
The business owners, managers and administrators of government websites and services need to establish a quality assurance framework for the site/service based on the severity of the consequences of a breach in security or privacy.
The framework should be designed to ensure:
- security and privacy considerations are taken into account throughout all phases of the development and maintenance lifecycle of websites or services (regardless of methodology used, or whether development is outsourced)
- on-going security and privacy management and monitoring of operational websites or services.
The framework will enable you to guarantee that any risk associated with it is acceptable to your department and that it is fit for departmental purposes.
The goals of a quality assurance framework
A quality assurance framework (see example below) should:
- Identify checkpoints throughout phases of a project to ensure security and privacy concerns are assessed and treated appropriately.
- Identify responsibilities and accountabilities for each activity.
- Allow variation in completeness to accommodate projects with varying levels of risk impact.
- Establish practices for maintaining security and privacy (including incident mitigation and management) through the life of the site or service.
- Conclude with a declaration by the business owner of the site/service/system that it is fit for purpose and that any risk associated with deploying it is acceptable to the agency, and that it will be regularly reviewed.
An example of a quality assurance framework
The table below presents an example of project activities which can inform a project quality assurance process for a security certification.
You can review, modify and complete this for your own project depending on its level of associated risk impacts. Note that the bolded items in each project phase should be present for all projects.
|Confirm information security classification - Identify appropriate level of classification of information held in the system||BO||CSO / DSO||CISO / ITSM|
|Business risk assessment - Identify business risks that will be inherited by the system||BO||DCE||RA|
|Privacy impact assessment - Does the system contain personal information? Determine if formal PIA is required in order to meet the Information Privacy Principles.||BO||DCE||Legal|
|Business continuity management requirements - Determine levels of availability required||BO||DCE||ITSM|
|Statement of applicable standards and legislation - Baseline definition of privacy and security compliance||BO||ITSM||Legal|
|Identify security functional testing requirements - Identify required controls||ITSM||BO||PM|
|Identify security and privacy governance and management framework - Define roles and responsibilities in procedures, audit, reporting, management, and risk management, decisions on retention and disposal of information||ITSM||BO||PM|
|Security risk assessment - Define technical and business risks to the system||PM||BO|
|Risk mitigation plan, based on security risk and PIA - Define measures to reduce risks to acceptable levels. Mitigations may include technical controls, processes and procedures, and information provided to the public.||PM||BO|
|Design review - Validate that system and procedures will meet baseline privacy and security requirements||PM||BO|
|Statement of work for security assurance services - Document requirements for security review and assessment||PM||BO|
|Present-state security assessment - Independent testing to ensure security controls meet requirements as per Statement of work||ITSM||CISO|
|Future-state security assessment - Are plans and procedures in place to protect the system in the future?||ITSM||CISO|
|Security certification - Document that baseline compliance is met and risks are mitigated or accepted||CISO||CISO|
|Authorisation to operate - Formal acceptance of residual risks||BO||CE||--|
Key: Business Owner. (BO); Chief Security Officer / Departmental Security Officer (CSO/DSO); Project Manager (PM); Risk Adviser (RA).
Additional development techniques
If your department uses Agile development practices with frequent code releases you should assess the benefit of the following techniques and measures:
- Managed Web Application Firewall services can provide a layer of protection in front of the application. They are especially valuable for rapidly-iterating Agile projects.
- Vulnerability testing tools and services running on a repeating schedule can add assurance through:
- visibility of changes implemented since previous assessments
- exposing any new vulnerabilities introduced – e.g. through the introduction of third party embedded code by a well-meaning content manager, changes in technology or the threat landscape or new forms of malware
- basic regression testing to identify changes that have introduced new vulnerabilities to existing code.
There are several cloud-based services available for this purpose at relatively low cost.
- “Malicious (negative) user” stories can be added to a backlog in which stories are crafted around users with malicious intent, such as wishing to deface a site for ‘hacktivist’ purposes, or seeking to gain unauthorised access to protected information.
- Periodic security iterations whose sole focus is to minimise security and privacy risks, and minimise the ‘security debt’.
- Including a security and/or privacy evangelist on the development team.
- Ongoing third party code review, peer review and automated tools (such as Scrutinizer or Sensio for the PHP stack).
- An https-everywhere policy provides additional protection against several vulnerabilities.
- Content Security Policies implemented in HTTP headers also provides additional protection.
- Developers should be encouraged to review the guidance provided by safecode.org.
- Last modified: