What Is Application Security?

Regulations/Standards

A number of government regulations and industry standards such as HIPPA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley Act), GLBA (Gramm-Leach-Bliley Act), and CI DSS (Payment Card Industry Data Security Standard) affect how companies do business every day and directly influence how technology is implemented and should be protected and secured.

Regulations Explained

HIPPA

The Act requires the creation of national standards for transfer of health care data among providers, health insurance companies, and employers. HIPPA has provisions that deal with the security and privacy of health data.

SOX

The Act set up standards to be used by all U.S. public company boards, management, and public accounting firms. Particularly, the section on Corporate Responsibility requires senior executives to take personal responsibility in the truthfulness and completeness of the financial reports. The section mandates that the company's CEO and CFO attest to the accuracy of the financial data reported in the company's quarterly reports. The section on Enhanced Financial Disclosures requires tighter controls around the company's financial data and reports and mandates creation of internal controls and audits to protect this data. The Corporate Tax Returns section requires the company's CEO to sign the company's tax returns.

GLBA

The Act's Financial Privacy Rule provides directives on the collection and disclosure of privacy data (a customer's financial information). The Safeguards Rule requires all companies to put safeguards in place to protect customer information. Companies are required to have policies that protect customer's information from security threats. The Act also governs how a customer's information is gathered and disclosed.

PCI DSS

This is a standard that was created by major credit card companies to prevent credit card fraud and protect customers from security threats and vulnerabilities. Companies that process, store, and/or transmit credit card data go through regular audits that confirm whether they are compliant with PCI DSS.

Impact of Regulations and Standards

In summary, these and other regulations make it practically impossible for companies to ignore the security considerations involved in using technology. Because, in many cases, a company's executive managers have to take full responsibility for the data reported, they need to make sure that the data is absolutely accurate. And, because handling customer Personally Identifiable data is under stringent control from these laws, once again executive management has to put controls and processes in place to safeguard the data as per the regulations. As a result of this, many application security initiatives come down from company's top management down to all ranks.

Summary

In this article, you looked at the definition of Application Security and discussed how it affects companies and technologists. You looked at the legal and regulatory procedures and standards that impact application security. Future articles will look closely at application threats and will discuss what can be done to protect them in greater detail.

About the Author

Irina Medvinskaya has been involved in technology for over 10 years. She has worked on various applications supporting banking, financial, and media companies. She currently works at Guardian Life Insurance Company as a Project Manager, Application Security & Controls.

Page 2 of 2



This article was originally published on July 23, 2008