Security & Compliance
< Back to Article ListIS-15 Development Guidelines
Last updated: 24 October 2024 at 11:48:40 UTC by Russell Briggs
Development Guidelines
Document Ref No |
IS-15 |
Version No |
V1 |
Last review date |
23/10/2021 |
Approved by |
Dom Tyler |
Next review |
23/10/2022 |
1. Purpose, scope and users
Recycly is committed to producing high quality, secure code with a view to protecting customer data and fulfilling customer contractually agreed requirements. The guidelines below should be followed for all development and infrastructure projects regardless of size.
Users of this document are all Recycly employees involved in the development process.
2. Guidelines
In summary, any software or infra release to a production environment should be documented. This should contain details of key acceptance criteria for testing and should demonstrate it has been through an appropriate testing cycle.
- Ensure security requirements, and service availability are also considered and recorded along with business functionality requirements. Ask:
- XXX[1] [2]
- Where and how is it being stored?
- Will this application be available to the public?
- What security controls does the application require?
- How will we test it?
- How will we deploy the release, and do we need to arrange planned system downtime?
- What is the level of post deployment testing needed?
- What is our plan if live issues are encountered?
- Complete a DPIA when personal data is being processed.
- Perform Threat Modelling on new applications to identify risks before implementation.
- All code should be stored in private repositories and should be peer reviewed where possible.
- Automated tests should be created for new features where possible.
- How much automation is acceptable? Cover key functionality? (API/UI tests?)
- Automated security tests?
- Security testing should be performed on new features after they have been committed.
- Review features once exploratory testing has been completed.
- The risks of the release process should be considered with the team, and if downtime is needed this should be agreed with the Customer. The specific risks should be documented along with any specific post deployment testing
- Once deployed to the live environment, the team should check any automated health checks along with identified post deployment checks to ensure a fully successful release.
3. Document management
This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.
4. Version history
Summary of Change |
Date of Change |
Author |
Version Nog |
First Draft |
23/10/2021 |
Dom Tyler |
1 |
|
|
|
|
|
|
|
|
What was here?
Does it contain sensitive data or PII?