What are the top compliance concerns for managing software testing processes? Have there been any recent changes to security and compliance standards?
Quality managers face significant challenges in today’s marketplace. Security and compliance standards are constantly changing, whether due to client expectations, an increasingly hostile threatscape, or evolving government and industry standards. The test manager’s three biggest concerns regarding security standards should be: 1) keeping up with evolving standards, 2) educating their team on those standards as well as the related testing techniques, and 3) juggling both of these with internal schedule and feature requirement pressures.
Keeping up with evolving standards can quite literally be a full-time job. As a security and testing professional, I must admit to many a night spent reading Federal regulations, industry trade journals, and Web articles outlining the latest requirements to impact my industry. It’s an endless task and the pace of change quite likely exceeds that of evolving technology (as difficult as that may be to believe). A good manager knows when to divide and conquer, which is the first strategy for keeping current. Pick an individual or a group of individuals and assign them responsibility for being up-to-date with various security-related topics, whether that is understanding and supporting the organization’s security development lifecycle or staying current with government or industry regulations. Another strategy is to belong to standards organizations which gather and publish regular updates on changing requirements. Finally, attending security-related conferences and webinars will help by concentrating research and education opportunities into short bursts.
Keeping teams educated is an important step in maintaining currency. There are simply too many regulations for one person to keep track of. By spreading knowledge around the team through brown bags, quarterly updates and annual refreshers, a testing manager benefits from having multiple people familiar with requirements. If one person overlooks a requirement, the chances are another person will raise concerns. Educating a team is also a good method for distributing the education workload. Another challenge is educating testing organizations on how to perform security-related testing, whether it is testing that given technical requirements have been properly implemented or even penetration testing products. The manager needs to secure appropriate budget and adequate training opportunities to cover these training needs and seek out testers with a passion for security to fill the roles.
As a test manager, I suffered from short cycles, insufficient staff and rapidly changing technologies. I was responsible for continually juggling these priorities and meeting project deadlines. A key strategy in meeting this challenge was formalizing security compliance issues as technical requirements or as user stories and technical debt. By getting team consensus on requirements up-front, the emotion of schedule pressure was generally removed and teams made an educated decision regarding tradeoffs. Executive decision-makers could be brought into the conversation and could provide the strategic leadership necessary to resolve conflict in an efficient manner.
Staying current, educating teams and documenting security-related requirements are critical steps in ensuring projects remain compliant and up-to-date.
This was first published in March 2012