The Technical Security domain is the only domain that requires the engagement of the App Developer, because publicly available information is not sufficient to assess it. Before this additional layer is assessed, the App Developer provides evidence of their security practices.
Recognizing that every app carries some security risk, the assessment assigns each product a differentiated ‘risk profile’ based on:
- The technical architecture and its level of connectivity, i.e. the attack surface
- The data footprint, i.e. whether personal or sensitive data is processed
- The functional risk profile, i.e. simple information provision versus diagnostic or treatment support
Digital products are clustered into risk tiers that reflect an increasing risk profile. Each risk tier aligns to a different set of requirements, so that the level of expected security assurance and credentials increases with the tier. In addition, the assessment questions for Technical Stability cover those aspects considered important for good Product and Service Management, such as management of source code and files, and technical monitoring.