Compliance, once heralded by compliance officers, lawyers and auditors as the answer to information privacy and security challenges, has trickled down to virtually all aspects of business. Do what the government -- or industry -- regulators say or else. I'm not convinced that those in charge of managing software testing need to get caught up in all the details of the various regulations. It's nice to know the high points, and those are easily summed up here:
- Know what's at risk
- Document security policies and plans that will help minimize your risks
- Enforce your policies and facilitate your plans with technology (i.e., security controls in your software)
- Continually analyze your risks and work to make things better
If you manage or perform software testing, it'd be great to review the requirements of each regulation your organization is responsible for, such as PCI DSS and HIPAA. Once you understand the spirit of the law, you'd be best served by focusing on what you do best: finding and fixing the flaws in your software and tweaking your development, QA and security testing processes to minimize the security issues going forward. If you understand the security fundamentals (those laid out in the regulations or in standards such as ISO 27002) and end up with secure software, you'll have "compliant" software as well.
Security and compliance standards are continually evolving. HIPAA recently underwent some significant changes. The same is true for PCI DSS, which is currently in version 3.0. The various NIST Special Publications are continually updated as well. However, these changes and updates are more for clarity than for changing the spirit of the information security basics they're outlining. I recommend staying in touch with what's going on in the world of compliance, but don't obsess over it. You're just as well off reading James Martin's book Security, Accuracy, and Privacy in Computer Systems. It was published in 1973.