Regulatory Compliance Starts with Software

As with SOX, HIPAA concerns are best validated and verified by analyzing the application itself. Translating the regulatory requirements into software is inherently complex, and because the application touches protected data at many points, the application itself must be analyzed to confirm that it protects that data consistently at every one of them.

SB 1386

SB 1386 is a California Senate bill that amended existing privacy law to require disclosure of security breaches involving personal information. It applies to organizations that maintain personal information on California residents and do business in the state of California.

The narrow scope and lack of ambiguity in the legal wording have given regulators significant power to enforce SB 1386 in a variety of cases. In fact, there have already been many documented cases in which companies have been found to be in violation.

For practical purposes, this bill imposes two compliance obligations:

  • Protect the privacy of covered personal information; and
  • Disclose every case in which covered personal information is reasonably believed to have been improperly disclosed to, or acquired by, an unauthorized person or entity.

The most common events driving disclosure involve the loss of data stored on physical media, e.g., back-up tapes and laptops. In these events disclosure is required because the data was unencrypted: the bill's notification duty attaches to unencrypted personal information, so the encryption state of the lost data decides whether a loss becomes a reportable breach.

Encrypting data at rest and in transit will minimize a company's exposure. But companies should beware: encryption is often implemented incorrectly. A weak algorithm or mode, a key stored beside the data it protects, or a cipher used without integrity protection can leave "encrypted" data effectively readable or silently modifiable. As such, companies should seek guidance and tools to help with implementation and to verify that the data is properly encrypted, not merely encoded.
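The following Go program is an added illustration of the point above, not code from the article or from either author's company. It shows the same backup record encrypted two ways: first with the raw AES block function applied block by block (ECB mode), which is "encrypted" in name only because identical records produce identical ciphertext and nothing detects modification, and then with AES-GCM under a fresh random nonce, which hides structure and rejects any altered byte. The sample records, the key handling and the function names are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample: two identical 16-byte records of the kind that might sit
// in a backup export. Real exports are larger; the repetition is the point.
var sampleRecords = []byte("SSN=123-45-6789;SSN=123-45-6789;")

// ecbEncrypt applies the raw AES block function to each 16-byte block on its
// own (ECB mode). This is the "encrypted on paper" case: identical plaintext
// blocks give identical ciphertext blocks, and nothing detects tampering.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("ecb demo: plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// leaksStructure reports whether two 16-byte ciphertext blocks are identical,
// which tells a thief holding only the tape that the underlying records match.
func leaksStructure(ct []byte, blockA, blockB int) bool {
	if (blockA+1)*16 > len(ct) || (blockB+1)*16 > len(ct) {
		return false
	}
	return bytes.Equal(ct[blockA*16:(blockA+1)*16], ct[blockB*16:(blockB+1)*16])
}

// gcmSeal encrypts with AES-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag. Equal plaintexts produce unrelated outputs and
// any modification is rejected on decryption.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails closed on a wrong key, a truncated
// input, or any altered byte of ciphertext or tag.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// AES-256 key. In a real system the key lives in a KMS or HSM, never on
	// the same tape or laptop as the data it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ecb, _ := ecbEncrypt(key, sampleRecords)
	fmt.Println("ECB: blocks 0 and 1 identical?", leaksStructure(ecb, 0, 1))
	sealed, _ := gcmSeal(key, sampleRecords)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err := gcmOpen(key, sealed)
	fmt.Println("GCM: tampered record rejected?", err != nil)
}
```

Both outputs would be called "encrypted" in an incident report, but only the second would survive the kind of verification the article recommends; a review that checks the mode, the nonce handling, the integrity check and where the key is stored is what separates encrypted data from encoded data.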

Understanding compliance can be difficult, and very few resources map regulatory requirements onto software development or management requirements. The difficulty of understanding the legislation does not lessen its importance, however: the consequences of non-compliance are very real risks to a business.

The regulations themselves may be complex, but meeting their requirements doesn't have to be. It boils down to following a few critical steps:

  • Identify which regulations are important for your industry and for the specific application you are assessing;
  • Relate those regulatory requirements to your software development process at every phase, from requirements analysis through design, development, testing and deployment; and
  • Follow best practices as appropriate in the areas of confidentiality, integrity, availability, auditing and logging, and authentication.

Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.

Jack Danahy is founder and CTO of Ounce Labs, a provider of software security assurance.