Perspectives on application security and risk management

In my last blog post, I focused on information security risk management and its aggressive adoption by the financial services sector. I recommended that the healthcare sector follow suit in increasing the effectiveness and efficiency of its information security programs. It is refreshing to see evidence that this is happening. At the OWASP AppSec USA conference this past week, leaders in the healthcare sector shared their views on information security risk management.

The panel, "Characterizing Software Security as a Key Business Risk", drew from both the commercial and public sectors and included: Tom Brennan, Chairman and CEO of Proactive Risk and a member of the OWASP Board of Directors; Ed Pagett, CISO for Credit Processing Services; Richard Greenberg, ISO at the Los Angeles County Department of Public Health; and John Sapp, Director of Security, Risk and Compliance at McKesson.

Instead of concentrating on technical security issues, as one might expect at an OWASP conference, the panel discussed risk and risk management programs. Much of the discussion focused on the need to express the most important drivers of risk management from a business perspective, such as patient outcomes, customer satisfaction, revenue and profit.

Greenberg, from the public health sector, said of the Los Angeles County Department of Public Health: "It's all about access to patient care. The department does not care about IT, and it does not let you know about the security of the application; it is about giving the best possible care."

Sapp of McKesson continued: "During the development of the risk management program, I looked at how the application security programs help to achieve this. Of course, this does not mean that technology and security are ignored, but we do not want to break the business in a bad way, and of course we do not want to break it. But a deep dive into technology is not the debate we had during the risk management program; we left that debate for the security operations team taking part in risk management."

The panel offered some guidance to help other organizations build their own application security and risk management programs:

  • Talk in business terms, for example securing banking transactions, providing private and flexible patient care, and providing trusted services to employees, partners, and clients.
  • The answer is never simply to "buy a tool". Avoid buying products blindly in the hope that they will resolve your application security and risk management issues; first understand the purpose of the risk management program, then select the appropriate tool(s) for the job. "A fool with a tool is still a fool."
  • Build broad alliances, both deep and wide: primarily with those responsible for revenue generation, followed by those with audit and compliance responsibilities.
  • Look for local leaders and champions to build grassroots effort, leverage the project management team to achieve a quick win or two, and then use those wins as case studies to further develop the program.
  • Use frameworks such as ISO 27002 as the foundation for building a risk management program and the application security program that supports it.

As guidance for the healthcare industry, Sapp of McKesson described some of the key elements of its risk management program.

McKesson's first four goals were:

  • Harmonizing processes and investments in risk management
  • Improving the overall risk management process
  • Creating application management
  • Ensuring transparency and visibility through the risk management program

To achieve these goals, McKesson defined risk management categories with the aim of defining, implementing and measuring progress in each. Sample risk management categories include security, quality, privacy, legal and third-party components. Each category plays a role in risk management, and with this primary definition in place, McKesson was able to create a comprehensive, formalized risk management program for the entire business. McKesson's intent is to cover both its own business risk and the risks associated with the products, services and solutions it offers to its customers.

Within each category, McKesson looks beyond security risk to business risk; it goes deep into risk/reward analysis and concentrates on how to obtain the greatest reward while mitigating or avoiding the greatest risk. One example of this analysis is reducing the overall cost of a system or application versus mitigating the risk of increased operating costs. Another is achieving a high level of application quality and flexibility while mitigating the risks associated with application defects and other critical failures. A final example is increasing the likelihood and pace of McKesson's own sales efforts while reducing the cost of acquiring customers, versus mitigating the risk of competitive disadvantage (e.g. weak security or poor application quality).

Using the OCEG (Open Compliance & Ethics Group) program framework, McKesson focused on implementing an integrated application security program. The application security analysis prioritized the following:

  1. Applications requiring HITECH (Health Information Technology for Economic and Clinical Health) certification
  2. Development schedule
  3. Legacy applications that generate high revenue for the company

This analysis and prioritization enables McKesson to make clear, calculated decisions about IT security and application security in the context of the overall risk management program. One such decision is whether to update an application or end-of-life it. Without this analysis, McKesson could be making decisions based on poor or limited data, potentially investing millions in systems and applications that should otherwise be retired or replaced.

By completing the program and application analysis, McKesson was able to select a toolkit of application security products, code analysis tools and consulting services to perform routine risk assessments, prioritize risk mitigation tasks, implement secure development best practices within its software development lifecycle, and give management visibility into an effective, application-security-enabled risk management program.

For more information on web application security: http://www.redspin.com/services_application_assessment.html
