Building Code
- 08 March, 2005 09:08
Everyone knows it's cheaper and better to build in security from the start of a technology project. Forward-thinking companies have formalized the process; here's why you should too.
In This Story:
- How certification and accreditation processes build security into application development
- How it pays off
Two years ago, Bruce Bonsall decided to build an addition to his house. Plans in hand, Bonsall's first stop was his town's building authority to begin the permitting process. Along the way, Bonsall, the CISO for MassMutual Financial Group, got to thinking: What if there were a building permit process for IT projects?
At the time, Bonsall recalls, "too many projects were making it almost to production without adequate security consideration". On more than one occasion, tipped off by the auditing department that a new system did not adhere to security policies, Bonsall had the unappealing task of sending it back for more work - such as building in a connection to the enterprise electronic authentication system - before the application could be deployed. Needless to say, these situations left everyone unhappy.
"I wanted to create a process that adds value and gets [security] involved up front, rather than stall the project at the 11th hour," he says. Extending the building permit analogy to IT projects suddenly seemed like the ticket. "Before you start [a building project], the building inspectors want to see your plans, they want to ask you some questions about your project. As you go along, you have some inspections. When you're done, they sign off that everything was done properly and you get a certificate of occupancy. Most people are familiar with the process," says Bonsall.
Bonsall had stumbled upon a concept that got its start in the US Department of Defense roughly 15 years ago. Goaded by late-80s risk legislation, the US federal government requires its IT projects to go through a formal security certification and accreditation (SC&A) process from inception - known by the unwieldy acronym DITSCAP, the DoD Information Technology Security Certification and Accreditation Process (see "How the Feds Do It"). "Certification is the documentation and evaluation of the system against a specific set of guidelines. Accreditation refers to the point where a decision maker outside the security organization chooses to accept whatever residual risk remains with the system. That person then has the responsibility to actively manage that risk," says Hart Rossman, chief technology officer for the enterprise security solutions business unit at Science Applications International Corporation (SAIC), which has a practice helping organizations establish SC&A programs.
Many private-sector companies have in the past shown a reluctance to invest the time necessary to build security into the IT project life cycle. Now that's changing, driven in part by the greater accountability created by the Sarbanes-Oxley Act and other regulations. Two financial services companies profiled here, MassMutual and Nationwide Mutual Insurance, provide insight into making the SC&A process work. Late application changes are costly, regardless of what industry you're in, so CIOs and CISOs may find these ideas worth imitating.