Our Assessment Plan includes:

Governance Assessment:
Leadership team involvement, policy and standard engaged, Law and regulation involved.
Stakeholder evaluation.

Physical security assessment:
Equipment management, Mobile computing, Physical and environmental security.

Secure SDLC assessment:
Review if security is enforced at each level of a product development.
Training: developer/testers trained on Code Security training.

Requirements:
Review security and privacy requirements.

Design:
Review Design requirement, surface attack analyze and threat modeling.

Implementation:
Static code analysis.

Verification:
Dynamic code analysis, fuzz testing, attack surface review.

Release:
Incident response plan.

Response:
Test incident response plans.

Data Risk assessment:
Data-at-rest
Data-in-transit