We're a small web development business and we eventually want to release web applications as well. Right now, we're doing some risk assessment and would like to know what other companies do for security and risk management. What are your risk management strategies and practices, technical and otherwise?
Here's what I have so far (and I'll keep a running list):
Technical
- Source control
- Unit testing
- Consistent coding standards
- Backups at different physical locations
- Bug tracking
- QA testing
- Security audits
Other
- Explicitly detailed contracts
- Business insurance
- Evidence based scheduling
- Weekly deliverables and customer sign-offs
- Audit trails for accountability