
What are compliance concerns for managing software testing processes?

Compliance regulations are constantly evolving. Learn about how best to manage software testing practices.

Compliance, once heralded by compliance officers, lawyers and auditors as the answer to information privacy and security challenges, has trickled down to virtually all aspects of business. Do what the government -- or industry -- regulators say or else. I'm not convinced that those in charge of managing software testing need to get caught up in all the details of the various regulations. It's nice to know the high points, and those are easily summed up here:

  • Know what's at risk
  • Document security policies and plans that will help minimize your risks
  • Enforce your policies and facilitate your plans with technology (i.e., security controls in your software)
  • Continually analyze your risks and work to make things better

If you manage or perform software testing, it'd be great to review the requirements of each regulation your organization is responsible for, such as PCI DSS and HIPAA. Once you understand the spirit of the law, you'd be best served by focusing on what you do best: finding and fixing the flaws in your software and tweaking your development, QA and security testing processes to minimize the security issues going forward. If you understand the security fundamentals (those laid out in the regulations or in standards such as ISO 27002) and end up with secure software, you'll have "compliant" software as well.

Security and compliance standards are continually evolving. HIPAA recently underwent some significant changes. The same is true for PCI DSS, which is currently in version 3.0. The various NIST Special Publications are continually updated as well. However, these changes and updates are more for clarity than for changing the spirit of the information security basics they're outlining. I recommend staying in touch with what's going on in the world of compliance, but don't obsess over it. You're just as well off reading James Martin's book Security, Accuracy, and Privacy in Computer Systems. It was published in 1973.

What compliance concerns does your enterprise face?
Our organization is having the most problems with HIPAA compliance for all of the medical records we have. We are told to protect these medical records along with the personal health information. Fortunately, we have a regulatory audit logger.
Thanks CCL36744. Hopefully you're also performing regular security testing...it's the unknown and unprotected PHI that gets businesses into a bind. It's all about the basics:
This is going to vary by company but there are many ways a company might be concerned about compliance.

There are:

  • Internal corporate policies which may guide development.
  • External industry standards that you are expected to adhere to (for example, Sarbanes-Oxley, PCI, etc.).

There is also process-related compliance, for example, Capability Maturity Model Integration.

And that's just a taste: imagine if your agile process could be audited, or your delivery and testing processes audited, how much you may need to keep track of.
Thanks for your perspective, Veretax!