One of the main factors for funding an application security program is compliance with the information security standards, policies and regulations mandated by applicable industry standards and regulatory bodies. Initially, it is important for the CISO to define what is in scope for compliance and how it affects application security.
From an information security perspective, applications should be in scope for organization-specific vulnerability assessments and application security requirements. The security validations and certifications of applications follow specific security requirements such as secure design, secure coding and secure operations.
Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
Implement industry standards and best practices; don't rely on compliance.
This is particularly important if a cybersecurity manager is in a heavily regulated industry and is dealing with things like credit card data, health care data, or other personally identifiable information.
A covered entity or business associate must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity or business associate to determine whether it is complying with the applicable administrative simplification provisions.
A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity or business associate has complied or is complying with the applicable administrative simplification provisions.
Develop an annual compliance work plan that reflects the institution's highest risks, which will be monitored by the compliance function as determined by a mandatory annual risk assessment using an enterprise-wide approach.
Propose modifications to the Compliance and Ethics Program, if necessary, to prevent recurrence of problems or to address new risks.
Coordinate compliance awareness education of employees, agents, and contractors through training programs, emails, printed materials, and other means.