

What can you do?
Doug follows Jamie’s advice and contacts the Digital Assurance Team to start planning security testing for his project.
But is there anything he should do before security testing can start?


That’s right.
Scoping activities for security testing can’t commence until Doug has:
- Completed the development work - the Digital Assurance Team should be testing the final product.
- Written the final solution design documentation.
- Received in-principle agreement from any impacted third-party providers that they will authorise the test to proceed on their solution.
- Checked which assessments he needs to complete as a prerequisite for testing. (Examples of assessments that may apply include a Privacy Impact Assessment (PIA) and Technology Risk Assessment (TRA) / Risk in Change or Network Impact Assessment).
- Onboarded internal developers to the application security self-assessment tools as appropriate.