In Depth

Security Certification and Accreditation Programs Help Build Secure Applications

Everyone knows it's cheaper and better to build in security from the start of a technology project. Following the federal government's lead, forward-thinking companies have formalized the SC&A process. Here's why you should too.

By Lauren Gibbons Paul

Page 2

And change is a two-way street. Bonsall's group altered its process to better meet the IT group's needs. When IT building permits first began, everyone who wanted to buy a product, build an application or outsource a system had to spend at least an hour filling out a detailed questionnaire, including information such as what kind of data was involved and which platforms the new application would touch. After some feedback (read: complaints), Bonsall put in a preliminary step called triage. Anyone with a project in the works now calls or e-mails one of the security consultants, who quickly determines whether the project is completely innocuous (if there is no confidential information and the project will not affect the infrastructure at all, for example) or whether it merits closer scrutiny. About 15 percent of proposed projects skate past the full-blown review, saving everyone time and paperwork.

Responsiveness and a willingness to tweak the process go far toward establishing information security as a trusted corporate adviser rather than a cop or enforcer. That is key, according to Jack Jones, CISO and associate vice president for Nationwide Mutual Insurance. Jones implemented an SC&A process four years ago. "We'd rather play the role of counselor," he says. "It isn't that difficult because no one likes the stress and conflict associated with all those 11th-hour crises. We worked hard to make it streamlined rather than a boat anchor.... We have become a member of the team rather than the enemy."

To Each His Own

Each organization implements SC&A in its own way (see the boxes on this page).

Though Nationwide started its SC&A in 2000, it is only in the past two years that the process has matured and become part of its system development lifecycle. Jones leads a team of 100 in information security; between 25 and 30 people work exclusively on SC&A. This year about 800 projects (including significant hardware purchases as well as packaged and homegrown applications) will go through the SC&A process. Each project is assigned a consultant who will be part of the project, ideally from concept to retirement. Each consultant owns from six to 20 projects at a time, the high end of that range being for short periods when a business unit has a particular push for new applications. The consultants are first and foremost security experts (generally holding CISSP or GIAC certification, not formal project management certification), but Jones notes that they also require excellent communication and people skills.
