Identify standards, policies and other mandates in scope for compliance

One of the main drivers for funding an application security program is compliance with the information security standards, policies and regulations mandated by the regulatory bodies and industry standards that apply to the organization. Initially, it is important for the CISO to define what is in scope for compliance and how it affects application security. Depending on the industry sector and the geographical location in which the organization operates, there will be several different types of security requirements that the organization needs to comply with. These requirements also affect the applications that manage and process data whose security falls under the scope of these standards and regulations. For such applications, the impact consists of performing scheduled risk assessments and reporting the compliance status to the auditors.
Examples of data security and privacy standards that apply to applications in the US include:

  • Payment Card Industry (PCI) Data Security Standard (DSS) for payment card merchants and processors
  • FFIEC guidelines for US financial organizations whose applications allow clients and consumers to bank online and conduct transactions such as payments and money transfers
  • FISMA law for US federal government agencies whose systems and applications need to provide information security for their operations and assets
  • HIPAA law for securing privacy of health data whose applications handle patient records in the U.S. healthcare industry
  • GLBA law for US financial institutions whose applications collect and store individuals’ personal financial information
  • US State Data Breach Disclosure laws for organizations whose applications store and process US state residents’ Personally Identifiable Information (PII) when this data is lost or stolen in the clear (i.e. unencrypted)
  • FTC privacy rules for organizations whose applications handle private information of US consumers, as well as for organizations operating in EU countries that need to comply with the “Safe Harbor” rules

OWASP provides several projects and guidance documents to help CISOs develop and implement policies, standards and guidelines for application security. Please consult Appendix B: Quick Reference to OWASP Guides & Projects for more information.

Source:
https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf