Elements and Performance Criteria
- Review organisational security policy and procedures
  - Review business environment to identify existing requirements
  - Determine organisational goals for legal and security requirements
  - Verify security needs in a policy document
  - Determine legislative impact on business domain
  - Gather and document objective evidence on current security threats
  - Identify options for using internal and external expertise
  - Establish and document a standard methodology for performing security tests
- Develop security plan
  - Investigate theoretical attacks and threats on the business
  - Evaluate risks and threats associated with the investigation
  - Prioritise assessment results and write security policy
  - Document information related to attacks, threats, risks and controls in a security plan
  - Review the security strategy with approved key stakeholders
  - Integrate approved changes into business plan and ensure compliance with statutory requirements
- Design controls to be incorporated into system
  - Implement controls in a procedurally organised manner to ensure minimum risk of security breach, in line with organisational guidelines
  - Monitor each phase of the implementation to determine the impact on the business
  - Take corrective action on system implementation breakdown
  - Record implementation process
  - Evaluate corrective actions for risk
- Plan risk assessment review process
  - Take action to ensure confidentiality throughout all phases of design