In Depth

Security Certification and Accreditation Programs Help Build Secure Applications

Everyone knows it's cheaper and better to build in security from the start of a technology project. Following the federal government's lead, forward-thinking companies have formalized the SC&A process. Here's why you should too.

By Lauren Gibbons Paul

Page 3

The conclusion of the process is also important. At MassMutual, once the consultant signs off that the appropriate measures are in place, Bonsall returns to sign the certificate of occupancy, and the application or system is then ready to be placed into production. Bonsall's group consulted on about 360 projects last year.

Nationwide's final step, called accreditation, has a twist that borrows from the federal government's model. Here, a decision-maker from outside the security domain (such as the CIO or a business executive) attests that security has been accounted for and then accepts the responsibility for tracking and managing the residual risk in running the system. No matter how much security is built in, every application or system has some leftover risk. "Some security executives believe businesspeople can't make the right decision about taking on information security risk. I believe those decisions should be made by businesspeople because risk is a business issue. Our job is to give them enough information to make an informed decision," says Jones. Even at the end of a lengthy certification process, the deciding authority might make a decision that you don't agree with. "There are times when we provide the information, and we personally believe they are not making the right call," says Jones. That's OK, because "they understand the project's reward component; we don't have visibility into that. At the end of the day, these are business decisions."

MassMutual's process has not been in place long enough for Bonsall to have metrics on money or time saved. Bonsall believes he will have that evidence within the next year. Jones, who has been at this roughly twice as long, sees many benefits. For one thing, with each new project everyone learns more about security. "The IT people begin to absorb what we're doing and come to understand our perspective. They have become much more self-sufficient over time, so the issues that we do see are much less problematic," he says.

Also, Nationwide tracks its SC&A efforts in a knowledge base. Jones now has the luxury of showing his boss, the vice president of IT risk management, how many projects started out high-risk that were labeled low-risk by the end of the process. (Nationwide declines to make the numbers public.) He can also pull up the number of pending and completed projects and how much time each took. Says Jones, "We have a tremendous amount of information about how we're managing this process. Now we can show management our value proposition."
