dwyl / ISO-27001-2013-information-technology-security

:closed_lock_with_key: Probably the most boring-but-necessary repo on GitHub. If you care about the security/privacy of your data...! :white_check_mark:

A.6 Roles and Responsibilities #2

Open nelsonic opened 7 years ago

nelsonic commented 7 years ago

What are the Roles and Responsibilities in our organisation?

So far I have:

Management/Leadership team

The Management/Leadership team is ultimately responsible for the information security in the organization; it is not "outsourced" to anyone else.

Day-to-day responsibility for checking that process/procedures for information security are followed/met belongs to the data controller.

Data Controller

The Data Controller is the person in the organization who is registered/named with the Information Commissioner's Office (UK) and responsible for ensuring that Data protection principles are followed.

Application Developers

Application developers are responsible for implementing the code and systems which have the protection of people's personal data at heart.

Additionally developers should make reasonable efforts to keep their knowledge and skill current and keep track of security reports/advisories which are relevant to the code which has been included/used in the application.

Developer Security Checklist

  1. Minimise the amount of sensitive Personally Identifiable Information (PII) stored by the application/database (e.g. if you don't need a Social Security number, don't ask for it!)
  2. Where PII is required for the functionality of the App, encrypt as much as possible/practical.
  3. Never store PII in a session token (JWT) or localStorage (where it can be "stolen" by an "XSS" attack).
  4. Always use strong passwords for all systems & services.
  5. Always use multi-factor authentication for Gmail, GitHub & AWS to limit the risk of a malicious user gaining access to these mission-critical systems.

Under no circumstances should a developer merge her/his own change/feature/bugfix.

Quality Assurance

The Quality Assurance (QA) person (or team) is responsible for checking/testing features of the application while they are being built and before they are released to the "live" environment. QA is the "gatekeeper" between application developers and end-users.

QA should not write code unless the team is small and the QA/developer roles are being alternated.
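Checklist item 3 above rests on the fact that a JWT payload is only base64url-encoded, not encrypted, so whoever holds the token (including script injected via XSS that reads localStorage) can read every claim. The following is an added JavaScript example, not code from the dwyl repository: it decodes a token's claims, flags claim names that look like PII so the check can run in a test or CI step, and shows the claim set a session token should carry instead. The `PII_CLAIMS` denylist, the helper names and the sample tokens are assumptions constructed for the example.

```javascript
// Added example (not from the dwyl issue). A JWT's payload segment is plain
// base64url JSON, so anything placed in it is readable by the token holder.
// PII_CLAIMS is an assumed denylist of claim names; extend it for your schema.
const PII_CLAIMS = new Set([
  'email', 'phone', 'ssn', 'national_insurance', 'dob', 'date_of_birth',
  'address', 'postcode', 'full_name', 'first_name', 'last_name',
]);

// Decode one base64url segment of a JWT. No signature check: inspection only.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Return the claim names in a JWT payload that match the PII denylist.
function findPiiClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  const payload = decodeSegment(parts[1]);
  return Object.keys(payload).filter((k) => PII_CLAIMS.has(k.toLowerCase()));
}

// The shape a session token should have under checklist item 3: an opaque
// subject id plus timestamps; PII is looked up server-side from `sub` when needed.
function safeSessionClaims(opaqueUserId, nowSeconds, ttlSeconds) {
  return { sub: opaqueUserId, iat: nowSeconds, exp: nowSeconds + ttlSeconds };
}

// Build a token for demonstration. The signature segment is a constructed
// placeholder ('x') because this example never verifies signatures.
function encodeForDemo(claims) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(claims)}.x`;
}

// Constructed samples: one token that violates the checklist item, one that follows it.
const BAD_TOKEN = encodeForDemo({ sub: 'u-42', email: 'a@example.com', dob: '1990-01-01', exp: 1 });
const GOOD_TOKEN = encodeForDemo(safeSessionClaims('u-42', 1700000000, 900));

console.log('PII claims in BAD_TOKEN:', findPiiClaims(BAD_TOKEN));   // ['email', 'dob']
console.log('PII claims in GOOD_TOKEN:', findPiiClaims(GOOD_TOKEN)); // []
```

The same decode-and-inspect step is what an attacker's script does after reading localStorage, which is why the remedy is to keep PII out of the token rather than to hide the token better.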