Q

What are compliance concerns for managing software testing processes?

Compliance regulations are constantly evolving. Learn about how best to manage software testing practices.

Compliance, once heralded by compliance officers, lawyers and auditors as the answer to information privacy and security challenges, has trickled down to virtually all aspects of business. Do what the government -- or industry -- regulators say or else. I'm not convinced that those in charge of managing software testing need to get caught up in all the details of the various regulations. It's nice to know the high points, and those are easily summed up here:

  • Know what's at risk
  • Document security policies and plans that will help minimize your risks
  • Enforce your policies and facilitate your plans with technology (i.e., security controls in your software)
  • Continually analyze your risks and work to make things better

If you manage or perform software testing, it'd be great to review the requirements of each regulation your organization is responsible for, such as PCI DSS and HIPAA. Once you understand the spirit of the law, you'd be best served by focusing on what you do best: finding and fixing the flaws in your software and tweaking your development, QA and security testing processes to minimize the security issues going forward. If you understand the security fundamentals (those laid out in the regulations or in standards such as ISO 27002) and end up with secure software, you'll have "compliant" software as well.

Security and compliance standards are continually evolving. HIPAA recently underwent some significant changes. The same is true for PCI DSS, which is currently in version 3.0. The various NIST Special Publications are continually updated as well. However, these changes and updates are more for clarity than for changing the spirit of the information security basics they're outlining. I recommend staying in touch with what's going on in the world of compliance, but don't obsess over it. You're just as well off reading James Martin's book Security, Accuracy, and Privacy in Computer Systems. It was published in 1973.

This was last published in March 2015


What compliance concerns does your enterprise face?
Our organization is having the most problems with HIPAA compliance for all of the medical records we have. We are told to protect these medical records along with the personal health information. Fortunately, we have a regulatory audit logger.
Thanks CCL36744. Hopefully you're also performing regular security testing...it's the unknown and unprotected PHI that gets businesses into a bind. It's all about the basics:
http://securityonwheels.blogspot.com/2015/02/back-to-basics-in-information-security.html
This is going to vary by company, but there are many ways a company might be concerned about compliance.

There are:

Internal corporate policies which may guide development.
External industry standards that you are expected to adhere to (for example, Sarbanes-Oxley, PCI, etc.)

There is also process-related compliance, for example Capability Maturity Model Integration.

And that's just a taste. Imagine if your agile process could be audited, and your delivery and testing processes audited; think how much you may need to keep track of.
Thanks for your perspective, Veretax!