Update Security Policies planning and testing processes

Why is this change being made?

We would like to update our current refining and verification processes to include updating manual test coverage and consider database review during the refinement. With the proposed steps we would like to focus on these improvements.

From %15.10 retrospective:

📈 Consider database performance during refinement

While working on Support Role Based Approval Action for Scan Res... (gitlab-org&8018 - closed) we decided not to show the users count in the dropdown as the DB query to get the numbers were not performant. We did see better results by adding an index, but it was still not god enough.

With the tools like postgres.ai and db-console we could consider DB performance analysis during refinement itself and get feedback from maintainers (@Andysoiron and @bala.kumar). This could improve the efficiency.

📈 Better test coverage

We discovered a several bugs as a customer has been running a PoC:

• For "schedule" type policies, only the last sch... (gitlab-org/gitlab#393962 - closed)
• Users unable to schedule a policy to run agains... (gitlab-org/gitlab#396727 - closed)
• Scan Result Policy editor UI is incorrectly val... (gitlab-org/gitlab#396840 - closed)

These aren't new behaviors, but as more customers use our features in new ways, we'll likely discover more cases we had not considered.

@alan Already has an OKR for expanding our test coverage and I think this is an example where tests can help ensure a smoother onboarding for new customers.

The team has been very responsive in addressing the issues as they come up, so that's also a 👍 👍

Author Checklist

• Provided a concise title for this Merge Request (MR)
• Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
  • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
• Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
  • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
  • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • The when to get approval handbook section explains the workflow in more detail
• If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
  • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

---