MassMutual's SC&A (security certification and accreditation) process:

1. An IT person sends a request for an IT building permit to the information security department. An infosec "consultant" goes through a short triage, and either sends the project for more evaluation or gives it a green light if the security risk is minimal.
2. The assigned consultant helps the project manager with a more detailed security questionnaire. The answers help the security consultant categorize the project as high-, medium- or low-risk.
3. The consultant continues to meet with the IT project team during development or vendor selection, checking the work against documented in-house security policies.
4. After basic system testing, the project applies for a certificate of occupancy, then heads into the quality assurance phase of testing.
5. After Q/A, the CISO signs the certificate of occupancy, and the application or system is placed in the production environment.