Software Security Assurance
Compliance Guide for Financial Services

Financial services organizations manage some of the most critical and private data in the world, yet must make their systems open and available across the web. These competing requirements demand the highest levels of security assurance in the software that manages and transmits this critical data. Reflecting this concern, regulations and compliance frameworks have been created that hold organizations accountable for insecure software and its risk to customer data, and that require ongoing, measurable software security assurance programs.
Businesses, armed with automated software security assurance tools such as Ounce Labs provides, can now have the metrics and policy compliance information they need to report to key executives, auditors and regulators on the process and state of their software security assurance efforts.
This guide provides key personnel charged with fulfilling these various requirements with a quick reference to understanding:
- The major compliance categories into which software security assurance activities fall, including Risk Assessment and Vulnerability Management and Remediation.
- The applicable regulatory and compliance frameworks and the specific control activities within each that apply to software security assurance activities.
- The Ounce Labs solution and the way in which its capabilities provide the necessary metrics and policy compliance information to help prove compliance with these activities.
The regulatory and compliance frameworks covered in this guide include:
- GLBA and the FFIEC: Gramm-Leach-Bliley Act section 501(b) describes the need for standards to safeguard financial customer information. The Federal Financial Institutions Examination Council's (FFIEC) Information Security IT Examination Handbook provides a rigorous security program designed to help financial institutions mitigate the risk presented by their applications and systems.
- Payment Card Industry Data Security Standard (PCI): In the wake of high-profile identity theft and fraud concerns, VISA and MasterCard are now requiring organizations that process cardholder data to comply with their PCI Data Security Standard. PCI details twelve key requirements designed to reduce the risk from the electronic transmission of cardholder data, and devotes substantial attention to the development and maintenance of secure systems and applications.
- Sarbanes-Oxley: This regulation's central mission is reliable financial information from public companies, requiring an attendant focus on the software and systems that house financial data. In creating IT controls for compliance, organizations must assess risk, control relationships and deliverables from outsourcers, integrate security into the development process, and monitor all changes that might impact critical systems.
- COBIT: As a compliance framework, COBIT provides a rigorous process, closely aligning IT with business processes and standards such as COSO, and specifically detailing software security assurance tasks for businesses to follow throughout the software development process.
- ISO 17799: Considered the major international standard for information security, ISO 17799 provides a comprehensive set of best practices and IT controls for organizations to follow. Software security assurance is central to its mission, requiring security compliance reviews and source code analyses as part of systems development and compliance management.
