
SC&A: How MassMutual Builds Secure Applications

Feb 01, 2005
Application Security

MassMutual's SC&A (security certification and accreditation) process:

1. An IT person sends a request for an IT building permit to the information security department. An infosec “consultant” goes through a short triage, and either sends the project for more evaluation or gives it a green light if the security risk is minimal.

2. The assigned consultant helps the project manager with a more detailed security questionnaire. The answers help the security consultant categorize the project as high-, medium- or low-risk.

3. The consultant continues to meet with the IT project team during development or vendor selection, checking the work against documented in-house security policies.

4. After basic system testing, the project applies for a certificate of occupancy, then heads into the quality assurance phase of testing.

5. After QA, the CISO signs the certificate of occupancy, and the application or system is placed in the production environment.