SECURE DEVELOPMENT POLICY
|
Document Identification |
HSNZ/POL/35 |
|
|
Document Name |
Secure Development Policy |
|
|
Master Copy |
CISO |
|
|
Version Number |
1.2 |
|
|
Date Of Release |
15 Aug 2023 |
|
|
Prepared By |
Eparama Tuibenau |
CISO |
|
Approved by |
Kevin McAfee |
Managing Director |
VERSION HISTORY
|
Sl No |
Version No. |
Prepared by |
Approved by |
Description of Version |
Date |
Reason for Version Change |
|
|
From |
To |
||||||
|
1 |
1.0 |
- |
CISO |
MD |
Current |
04 Jul 2021 |
No changes made |
|
1 |
1.0 |
1.1 |
CISO |
MD |
Reviewed |
28 Jul 2022 |
Annual review |
|
1 |
1.1 |
1.2 |
CISO |
MD |
Reviewed |
15 Aug 2023 |
Annual review |
DOCUMENT STATUS
|
Date |
Document Status |
|
04 Jul 2021 |
Reviewed |
|
28 Jul 2022 |
Reviewed |
| 15 Aug 2023 | Current |
Table of Contents
1 Purpose
2 Scope
3 Input
4 Output
5 Interacting Process
6 Abbreviations, Acronyms and Definitions
7 Procedure
8 Monitoring the Process
9 Records
- PURPOSE
The purpose of this document is to establish and maintain a policy for Secure Development procedures for HealthSafe NZ. - SCOPE
These procedures applies to all aspects of Secure Development procedures - ABBREVIATIONS, ACRONYMS AND DEFINITIONS
|
Abbreviation |
Description |
|
FH |
Functional Head |
|
IT |
Information Technology Department |
|
TL |
Team Lead |
|
CISO |
Chief Information Security Officer |
4 INPUT
HealthSafe NZ will be responsible for the safety of all information that is stored or accessed through the various development environments.
5 OUTPUT
All users shall comply with the secure development policy in order to secure the information and intellectual property
6 INTERACTING PROCESS
Functional Head
7 PROCEDURE
HealthSafe NZ’s development process is based on Agile methodology utilising JIRA to follow this process. The following is an explanation of how HealthSafe NZ currently manages this process and each member of the HealthSafe team needs to be well aware of this mechanism in order to perform their tasks efficiently.
Current roles:
- Product Owner
- Developers
- Quality Assurance
- Business Analyst
Sprint Planning (SP)
The first step is picking up the high priority level tasks from the Backlog (a list of necessary properties that have to be implemented during the development process).
- The product owner is a person responsible for this. He/she bases on information from customers, the situation on the market and competition requirements and knows which functions or priorities of the product are the most needed.
Next points to discuss on the SP meeting:
- The delivery date.
- The number and functionality of release.
- The most important releases (selection).
- The list of packets (objects) for backlog items.
- The project team structure.
- Necessary tools.
- Risk control.
- Release plans
After the planning there is a time for the system architecture. The HealthSafe production team reviews the backlog, thinks about what changes have to be made to implement new properties and designs the implementation process. Sometimes, there is a need to make some changes, refine the old product, gain some additional knowledge, analyse, solve problems or issues which appear during the process. At the end there are review meetings during which the teams exchange information , present progress and problems , reassign changes as required.
*Allocated buffer time for SP stage: 0.67 SP (2 hours) per person (each Sprint).
Stand-up Meetings (SUM)
The SUM meetings are usually time restricted between 5 and 15 minutes and documented via Slack channel ‘hs-stand-up’ to remind people to keep this information updated on a daily basis. The stand-up automated bot questions are sometimes also referred to as the "stand-up", "morning roll-call" or "daily scrum".
Before starting every day work in the stand-up reminders every person of the team says what he/she did yesterday, what will do today, and any problems they have encountered (if any).
Sprint Duration vs. Features Delivery (SD vs. FD)
The SD may last from 1 to 4 weeks (usually it's 2 weeks) and the duration should be constant in every cycle. However this requirement is not strict and sometimes the time of each sprint is different. The duration influences the speed and intensity of the process. The risk of going over schedule is monitored at all times.
"Support"
Allocated buffer time for Support: 2.7 SP per person - 8 Hours (each Sprint).
- This includes phone calls, email and text answers with Clients and H&S Team.
"Extra Requests" (ER)
The extra-requests are based on priority and the process of attending the extra-request is as following:
- A team member receives an extra-request.
- The extra-request is High Priority (this means that it’s on top of any current task).
- The extra-request fits in the allocated time for extra-requests.
- The team member perform the extra-request.
- The extra-request does NOT fits in the allocated time for extra-requests.
- Any current task assigned to the team member needs to be moved to the next Sprint.
- The extra-request is Medium/Low Priority task:
- The extra-request fits in the allocated time for extra-requests.
- The team member perform the extra-request.
- The extra-request does NOT fits in the allocated time for extra-requests.
- The extra-request is moved for the next Sprint.
"Sprint Review Meeting" and "Sprint Retrospective Meeting"
- The team show the results of the sprint and than the Product Owner assess if the goal has been achieved.
- The ScrumMaster and team decide which tasks were made appropriate and talk about how to make the process more effective.
"The Postgame Phase" (closure phase)
The management ends the development process and the product is being prepared for a release. This includes:
- Integration
- Testing
- User documentation
- Training
- Marketing material preparation.
A different Sprint could be separately created for this phase including different team members (QA, BA, Marketing Team, etc).
8 MONITORING PROCESS
- The IT Department Monitors these process via JIRA project management tool
9 RECORDS
- JIRA release notes
- JIRA backlog