Compliance, once heralded by compliance officers, lawyers and auditors as the answer to information privacy and security challenges, has trickled down to virtually all aspects of business. Do what the government -- or industry -- regulators say or else. I'm not convinced that those in charge of managing software testing need to get caught up in all the details of the various regulations. It's nice to know the high points, and those are easily summed up here:
- Know what's at risk
- Document security policies and plans that will help minimize your risks
- Enforce your policies and facilitate your plans with technology (i.e., security controls in your software)
- Continually analyze your risks and work to make things better
If you manage or perform software testing, it'd be great to review the requirements of each regulation your organization is responsible for, such as PCI DSS and HIPAA. Once you understand the spirit of the law, you'd be best served by focusing on what you do best: finding and fixing the flaws in your software and tweaking your development, QA and security testing processes to minimize the security issues going forward. If you understand the security fundamentals (those laid out in the regulations or in standards such as ISO 27002) and end up with secure software, you'll have "compliant" software as well.
Security and compliance standards are continually evolving. HIPAA recently underwent some significant changes. The same is true for PCI DSS, which is currently in version 3.0. The various NIST Special Publications are continually updated as well. However, these changes and updates are more for clarity than for changing the spirit of the information security basics they're outlining. I recommend staying in touch with what's going on in the world of compliance, but don't obsess over it. You're just as well off reading James Martin's book Security, Accuracy, and Privacy in Computer Systems. It was published in 1973.