Compliance Standards and Policies

Regulations and compliance refer to the rules and standards that govern various aspects of an enterprise's operations, including software development. Compliance with these rules is essential because failure to adhere to them can result in financial penalties, increased scrutiny, future regulatory constraints, and negative publicity. Compliance is distinct from security: it focuses on adhering to established rules, and strict compliance does not by itself guarantee that a system is secure.

Security standards organizations

ISO

ISO stands for the International Organization for Standardization. It is an international organization that develops and publishes standards to ensure the quality, safety, efficiency, and interoperability of products, services, and systems across various industries, including information security.

IEC

The International Electrotechnical Commission (IEC) is an international standards organization that specializes in developing and publishing standards related to electrical and electronic technologies, components, and systems.

ISO/IEC 9126 Quality Characteristics

This ISO/IEC standard defines six quality characteristics that can be used to measure the quality of software:

  • Functionality

  • Reliability

  • Usability

  • Efficiency

  • Maintainability

  • Portability

SAFECode

SAFECode is an industry-supported organization that promotes collaboration among companies to enhance software assurance practices by sharing successful best practices and providing guidance on secure software development.

Practical Security Stories

OWASP

OWASP is a global, open community dedicated to enhancing application software security by publishing Top Ten vulnerability lists and providing valuable resources on their website (www.owasp.org) to help organizations create more secure software.

NIST

NIST, or the National Institute of Standards and Technology, is a federal agency responsible for developing technology, measurements, and standards aligned with the interests of the U.S. economy. Within NIST, the Computer Security Division addresses computer security concerns, including compliance with laws such as the Federal Information Security Management Act (FISMA). NIST publishes key document types such as the Federal Information Processing Standards (FIPS) and the Special Publication (SP) 800 series. These provide guidelines for information security practices, cryptographic protocols, and risk management frameworks, making them valuable resources for the information systems community.

Some important publications are:

  • FIPS 200

  • FIPS 199

  • FIPS 197

  • FIPS 186-3

  • FIPS 190-4

  • FIPS 140 Series

  • SP 800-152

  • SP 800-107

  • SP 800-100

  • SP 800-63

  • SP 800-53

  • SP 800-30

  • SP 800-12

  • SP 800-218 (SSDF)
