Home » Data Protection » Application Security

In Depth

Security Certification and Accreditation Programs Help Build Secure Applications

Everyone knows it's cheaper and better to build in security from the start of a technology project. Following the federal government's lead, forward-thinking companies have formalized the SC&A process. Here's why you should too.

By Lauren Gibbons Paul

February 01, 2005 — CSO — Two years ago, Bruce Bonsall decided to build an addition to his house. Plans in hand, Bonsall's first stop was his town's building authority to begin the permitting process. Along the way, Bonsall, the CISO for MassMutual Financial Group, got to thinking: What if there were a building permit process for IT projects?

At the time, Bonsall recalls, "Too many projects were making it almost to production without adequate security consideration." On more than one occasion, tipped off by the auditing department that a new system did not adhere to security policies, Bonsall had the unappealing task of sending it back for more worksuch as building in a connection to the enterprise electronic authentication systembefore the application could be deployed. Needless to say, these situations left everyone unhappy.

"I wanted to create a process that adds value and gets [security] involved up front, rather than stall the project at the 11th hour," he says. Extending the building permit analogy to IT projects suddenly seemed like the ticket. "Before you start [a building project], the building inspectors want to see your plans, they want to ask you some questions about your project. As you go along, you have some inspections. When you're done, they sign off that everything was done properly and you get a certificate of occupancy. Most people are familiar with the process," says Bonsall.

Bonsall had stumbled upon a concept that got its start in the Department of Defense roughly 15 years ago. Goaded by late '80s risk legislation, the federal government requires its IT projects to go through a

formal security certification and accreditation (SC&A) processknown by the unwieldy acronym Ditscap (see "How the Feds Do It," this page)from inception. "Certification is the documentation and evaluation of the system against a specific set of guidelines. Accreditation refers to the point where a decision maker outside the security organization chooses to accept whatever residual risk remains with the system. That person then has the responsibility to actively manage that risk," says Hart Rossman, chief technology officer for the enterprise security solutions business unit at Science Applications International Corp. (SAIC), which has a practice helping organizations establish SC&A programs.

Many private-sector companies have in the past shown a reluctance to invest the time necessary to build security into the IT project lifecycle. Now that's changing, driven in part by the greater accountability created by the Sarbanes-Oxley Act and other regulations. Two financial services companies profiled here, MassMutual and Nationwide Mutual Insurance, provide insight into making the SC&A process work. Late application changes are costly, regardless of what industry you're in, so CISOs may find these ideas worth imitating.Starting with AttitudeIn MassMutual's case, the familiarity of the building permit concept also helped Bonsall and his group smooth over some political bumps in establishing the program about a year ago. For starters, the security group was not "out to get" the IT staff any more than the town building officials were throwing their weight around with local homeowners. Still, going from having no formal process to having a full-bodied program is difficult. "There was a fair amount of campaigning up front. Senior management immediately understood why we needed to do this," he says. With the critical executive support in place, 18-year MassMutual veteran Bonsall (who reports to the company's CIO) and his staff (two of the 28 information security personnel would serve as IT project security consultants) had to convince the IT professionals that this was worthwhile, tailoring the message to fit the specific audience. "The developers had to understand why they were being forced to go through this. Project managers had to understand there are security processes that have to be adhered to," says Bonsall.