Nationwide Insurance's application security process:

1. The sponsor of the proposed IT project fills out a 20-question security questionnaire that specifies the type of information involved, the criticality of the systems and connectivity with other platforms, outside systems and the like.
2. An information security consultant reviews the questionnaire and assigns the project a risk level based on weighted criteria.
3. The consultant checks in with the IT project team throughout development and also determines which security criteria are appropriate, based on the type of project and the degree of security risk.
4. With development complete, the consultant certifies in a document that the project has addressed all relevant security measures.
5. An accrediting authority (outside of security) decides whether to assume the residual risk inherent in the system. If the accreditation goes through, the system is deployed.
6. The accrediting authority has responsibility throughout the system's lifecycle, checking periodically to ensure that the level of attendant risk has not increased.