Skip to main content

Security and privacy assurance

You need to establish a quality assurance framework based on the severity of the consequences of a breach in security or privacy.

What you need to know

  • Set up a quality assurance framework based on the severity of the consequences of a security breach.
  • If you're using Agile, consider managed web application firewall services, cloud-based vulnerability testing tools, period security iterations, a security evangelist in your team and ongoing third party code review.

What the framework should do

The framework should ensure:

  1. security and privacy considerations are taken into account throughout all phases of development and maintenance (regardless of methodology used or whether development is outsourced)
  2. ongoing security and privacy management and monitoring of operational websites or services.

When you use a framework you can guarantee that a risk is acceptable to your department and that it is fit for purpose.

Goals of the framework

A quality assurance framework should:

  1. Identify checkpoints throughout phases of a project to ensure security and privacy concerns are assessed and treated appropriately.
  2. Identify responsibilities and accountabilities for each activity.
  3. Allow variation in completeness to accommodate projects with varying levels of risk impact.
  4. Establish practices for maintaining security and privacy (including incident mitigation and management) through the life of the site or service.
  5. Conclude with a declaration by the business owner that it is fit for purpose and that any risk associated with deploying it is acceptable to the agency, and that it will be regularly reviewed.

Example framework

You can modify the table below for your own projects.

Bold items are relevant to all projects.

Project start-up

Process Who is responsible Who is accountable Who can support you

Confirm information security classification:

Identify appropriate level of classification of information held in the system

Business owner Chief Security Officer / Departmental Security Officer Chief Information Security Officer (CISO) / IT Security Manager (ITSM)

Business risk assessment:

Identify business risks that will be inherited by the system

Business owner Deputy Chief Executive Risk Adviser

Privacy impact assessment:

Does the system contain personal information? Determine if formal PIA is required in order to meet the Information Privacy Principles.

Business owner Deputy Chief Executive Legal

Business continuity management requirements:

Determine levels of availability required

Business owner Deputy Chief Executive ITSM

Statement of applicable standards and legislation:

Baseline definition of privacy and security compliance

Business owner ITSM Legal

Project initiation

Process Who is responsible Who is accountable Who can support you

Identify security functional testing requirements:

Identify required controls

IT Security Manager (ITSM) Business owner Project manager

Identify security and privacy governance and management framework:

Define roles and responsibilities in procedures, audit, reporting, management, and risk management, decisions on retention and disposal of information

ITSM Business owner Project manager

Design stage

Process Who is responsible Who is accountable

Security risk assessment:

Define technical and business risks to the system

Project manager Business owner

Risk mitigation plan, based on security risk and PIA:

Define measures to reduce risks to acceptable levels. Mitigations may include technical controls, processes and procedures, and information provided to the public.

Project manager Business owner

Design review:

Validate that system and procedures will meet baseline privacy and security requirements

Project manager Business owner

Statement of work for security assurance services:

Document requirements for security review and assessment

Project manager Business owner

Implementation stage

Process Who is responsible Who is accountable

Present-state security assessment:

Independent testing to ensure security controls meet requirements as per Statement of work

IT Security Manager (ITSM) Chief Information Security Officer (CISO)

Future-state security assessment:

Are plans and procedures in place to protect the system in the future?


Security certification:

Document that baseline compliance is met and risks are mitigated or accepted


Closure and launch stage

Process Who is responsible Who is accountable

Authorisation to operate:

Formal acceptance of residual risks

Business owner Chief Executive

Additional development techniques

If your department uses Agile development practices with frequent code releases you should assess the benefit of the following techniques and measures:

  1. Managed Web Application Firewall services can provide a layer of protection in front of the application. They are especially valuable for rapidly-iterating Agile projects.
  2. Vulnerability testing tools and services running on a repeating schedule can add assurance through:
    1. visibility of changes implemented since previous assessments
    2. exposing any new vulnerabilities introduced — for example, through the introduction of third party embedded code by a well-meaning content manager, changes in technology or the threat landscape or new forms of malware
    3. basic regression testing to identify changes that have introduced new vulnerabilities to existing code.
  3. There are several cloud-based services available for this purpose at relatively low cost.
  4. “Malicious (negative) user” stories can be added to a backlog in which stories are crafted around users with malicious intent, such as wishing to deface a site for ‘hacktivist’ purposes, or seeking to gain unauthorised access to protected information.
  5. Periodic security iterations whose sole focus is to minimise security and privacy risks, and minimise the ‘security debt’.
  6. Including a security and/or privacy evangelist on the development team.
  7. Ongoing third party code review, peer review and automated tools (such as Scrutinizer or Sensio for the PHP stack).
  8. An https-everywhere policy provides additional protection against several vulnerabilities.
  9. Content Security Policies implemented in HTTP headers also provides additional protection.
  10. Developers should be encouraged to review the guidance provided by

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated