ISMS/01-policies/secure-development-policy.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

Title: Secure Development Policy
Document ID: [POL-SECDEV-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Secure Development Policy

Purpose

This policy defines BlackDice's high-level requirements for integrating security into software design, development, testing, and release activities.

Scope

This policy applies to source code, infrastructure as code, build pipelines, code review, deployment workflows, and related engineering activities within the ISMS scope.

Objectives

  • Reduce security defects introduced during development.
  • Ensure security is considered throughout the software lifecycle.
  • Support safe and repeatable change in cloud-native environments.

Principles / Policy Statements

Security requirements must be considered during design, development, testing, and release planning.

Changes to source code, application configuration, infrastructure definitions, and deployment pipelines must be subject to controlled review and approval.

Code changes affecting authentication, authorisation, data handling, cryptography, logging, or externally exposed services should receive additional security scrutiny.

Build and release processes must be designed to reduce the risk of unauthorised change, insecure dependencies, or unsafe deployment to production environments.

Development and test practices must be appropriate for BlackDice's cloud-native SaaS and Kubernetes-based operating model.

Roles and Responsibilities

  • Engineering leadership must ensure secure development expectations are embedded into delivery practices.
  • Developers must follow approved secure coding and review requirements.
  • [Role] must define supporting standards and assurance expectations.

Compliance / Exceptions

Exceptions to required development controls must be documented, approved, and reviewed based on risk.

Monitoring and Review

This policy should be monitored through code review records, pipeline assurance, vulnerability trends, incidents, and audit.

Related Documents

  • Information Security Policy
  • CI/CD Security Standard
  • Secure Code Review Standard
  • Change Management Policy

Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |