Sm8rtHealth’s software team currently undertakes changes and additions to the Sm8rtHealth platform in accordance with the SDLC described above in 4.4 (Amber).
This programme extends the work to be undertaken by the software team (when undertaking changes and additions to the platform), as follows:
During the SDLC ‘Requirements’ phase
Based on Sm8rtHealth’s understanding of the requirements and the anticipated scope of work for Sm8rtHealth, a ‘vulnerability risk assessment’ will be carried out during the ‘Requirements’ phase of the SDLC.
The purpose of this assessment is to identify what ‘vulnerabilities’ are likely to emerge if the anticipated software changes/additions are implemented.
During the SDLC ‘Design’ and ‘Implementation’ phases
During the ‘Design’ and ‘Implementation’ phases of the SDLC, the software design and the code will be reviewed (i.e.: a cyber-security design review). The extent of the review will be driven by the ‘vulnerability risk assessment’ carried out during the previous phase.
The purpose of this review is to ensure that potential vulnerabilities are addressed and mitigated as early as possible in the SDLC through careful adherence to the ‘Secure by Design’ principles set out earlier in this document, thus ensuring that changes and additions made to Sm8rtHealth from time to time will keep the platform free from vulnerabilities.
During the SDLC ‘Test’ and ‘Deploy’ phases
During the ‘Test’ and ‘Deploy’ phases of the SDLC, security testing will be carried out as needed, based on the assessment made in the Vulnerability Risk Assessment. For example, security testing will likely be required if the scope of work involves software changes or additions that are extensive or are otherwise likely to create vulnerabilities in Sm8rtHealth. This testing may be undertaken internally, or may be externally/independently implemented, depending upon the nature of the testing required.
The purpose of this testing is to confirm (i) that the software changes did not, as implemented, increase the platform’s vulnerability and (ii) that the software changes adhered to the design principles
