Many standards and laws regulate security issues for companies. Often, however, what's expected is unclear -- especially when it comes to application security. But that is starting to change, as regulations begin including application security
Here's a look at some of those standards and regulations and articles on how to comply with them.
If you know of an article, tip, tool or code sample that should be included, send me an e-mail with the information and I'll add it. -- Michelle Davidson, Site Editor.
Regulations and security basics
- How do regulations affect application security?
- How do government regulations address application security?
- Explainer: Security standards and frameworks
- Funding, testing shortfalls threaten compliance
- Identity management critical to improve security
- Sun, SAP help businesses comply with government, security policies
- Podcast: Regulatory requirements and their impact on you
Data breach disclosure laws
Twenty-six states, plus Puerto Rico, now have data breach notification laws. The U.S. government is also working on a federal law.
- Understanding data breach disclosure
- Enacted state security breach notification laws
- The changing landscape in early 2006
- Three new state laws expand data breach obligations
- Data breach legislation could affect Web site development
- Strategic security: How to survive data breach laws
- Breach notification laws: When should companies tell all?
- Data privacy compliance in the application testing environment
- Schneier on Security: Identity-theft disclosure laws
- Bill puts cops first in data leak notification
- Groups slam data breach notification bill
IEEE P1074
IEEE P1074 gives project leaders a plan for including all aspects of the software development life cycle (SDLC) when making security-related decisions. It puts projects in enterprise business context, and it provides the framework for coordinating software security efforts across all disciplines and over the lifetime of the software.
- IEEE P1074-2005: Roadmap to Optimizing Security in the System and Software Life Cycle (PDF)
- IEEE flags security as software life cycle requirement
- The benefits of adopting IEEE P1074-2005 (PDF)
- Building better applications: Beyond secure coding
- Book: Quality Software Project Management
ISO 17799
ISO 17799 is a detailed security standard. It is organized into ten major sections, each covering a different topic or area: business continuity planning, system access control, system development and maintenance, physical and environmental security, compliance, personnel security, security organization, computer and operations management, asset classification and control, and security policy.
- The ISO 17799 Information Security Portal
- ISO 17799 Central
- ISO/IEC 17799: 2005 Information technology - Security techniques - Code of practice for information security management
- ISO 17799 FAQ
- ISO 17799 Open Guide (Wiki)
- The ISO17799 Toolkit
- The ISO 17799 Toolkit
- Compliance tools
- ISO 17799 checklist
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act of 1999, is a federal law enacted in the U.S. to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections: the Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting.
- Gramm-Leach-Bliley security requirements (PDF)
- Making Gramm-Leach-Bliley security compliance fast and easy
- Tips for Gramm-Leach-Bliley compliance
- How to comply with the information security requirements of the Gramm-Leach-Bliley Act (PDF)
- Schneier on Security: Unfortunate court ruling regarding Gramm-Leach-Bliley
HIPAA
HIPAA seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. The Act mandates: standardized formats for all patient health, administrative, and financial data; unique identifiers (ID numbers) for each healthcare entity, including individuals, employers, health plans and health care providers; and security mechanisms to ensure confidentiality and data integrity for any information that identifies an individual.
- Office for Civil Rights - HIPAA
- HIPAA advisory
- HIPAA security rule
- The HIPAA security and privacy rules -- intersections and dependencies
- HIPAA security resources
- A guide to security readiness (PDF)
- Emergency preparedness planning and response
- HIPAA models, samples and templates
- HIPAA blog
PCI Data Security Standard
The PCI Data Security Standard was developed by Visa and MasterCard, and endorsed by other payment providers including American Express, Diners Club and Discover. This Standard incorporated the requirements of Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program. The Standard requires merchants and member service providers (MSPs) who store, process or transmit cardholder data to build and maintain a secure IT network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, and regularly monitor and test networks.
- PCI Security Standard, Entire Manual (PDF)
- Payment Card Industry (PCI) Frequently Asked Questions
- Complying with the PCI Data Security Standard
- PCI compliance: Don't become another headline
- Credit card security rules to get update
- Retailers feel security heat
- Demystifying the PCI Data Security Standard for merchants
- Ten pitfalls to avoid in PCI Data Security Standard compliance
- OWASP Guide 2.0.1 (PDF) -- PCI compliance, page 53
- PCI Auditor Community Site
Sarbanes-Oxley Act
Public companies that are subject to the U.S. Sarbanes-Oxley Act of 2002 are required to adopt the following control frameworks: the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework and the IT Governance Institute's Control Objectives for Information and Related Technology (COBIT). In choosing which of the control frameworks to implement in order to comply with Sarbanes-Oxley, the U.S. Securities and Exchange Commission suggests that companies follow the COSO framework.
COSO Internal Control Integrated Framework states that internal control is a process — established by an entity's board of directors, management, and other personnel — designed to provide reasonable assurance regarding the achievement of stated objectives.
COBIT approaches IT control by looking at information -- not just financial information -- that is needed to support business requirements and the associated IT resources and processes.
- Sarbanes-Oxley (SOX) -- Impact on security in software
- Web application security and Sarbanes-Oxley compliance
- The connection between SOX and security
- Webcast: How-to guide -- SOX and vulnerability remediation
- Webcast: How-to guide -- SOX, ID management and access control
- Sarbanes-Oxley for IT security?
- Sarbanes-Oxley compliance with RBAC
- Sarbanes-Oxley Act Forum
- The Sarbanes-Oxley Compliance Toolkit
- COSO & COBIT Center
- Overview: The COSO framework then and now
- COSO Internal Control — Integrated Framework (Summary)
- Enterprise Risk Management (ERM) COSO Framework Summary (PDF)
- FAQs for COSO's Enterprise Risk Management — Integrated Framework
- COBIT 4.0
- COBIT FAQ
- OWASP Guide 2.0.1 (PDF) -- COBIT information found on pages 101-248
- COBIT Forums and Information
- COBIT made easy: The Control-IT Toolkit
Expert Advice on Application Security Standards & Regulations
Do you have a question about application security standards and regulations that you're having trouble getting answered? SearchAppSecurity.com experts Jeremiah Grossman and Caleb Sima can help. Read advice they have given or submit your own questions.
Send in your suggestions
Are there other topics you'd like to see learning guides on? Send site editor Michelle Davidson an e-mail at mdavidson@techtarget.com and let her know what they are.
This was first published in July 2006