Monday | 22 March, 2010
CSO
Building Code
Lauren Gibbons Paul (CIO) 08/03/2005 09:08:09

Everyone knows it's cheaper and better to build in security from the start of a technology project. Forward-thinking companies have formalized the process; here's why you should too.

In This Story:

  • How certification and accreditation processes build security into application development
  • How it pays off

Two years ago, Bruce Bonsall decided to build an addition to his house. Plans in hand, Bonsall's first stop was his town's building authority to begin the permitting process. Along the way, Bonsall, the CISO for MassMutual Financial Group, got to thinking: What if there were a building permit process for IT projects?

At the time, Bonsall recalls, "too many projects were making it almost to production without adequate security consideration". On more than one occasion, tipped off by the auditing department that a new system did not adhere to security policies, Bonsall had the unappealing task of sending it back for more work - such as building in a connection to the enterprise electronic authentication system - before the application could be deployed. Needless to say, these situations left everyone unhappy.

"I wanted to create a process that adds value and gets [security] involved up front, rather than stall the project at the 11th hour," he says. Extending the building permit analogy to IT projects suddenly seemed like the ticket. "Before you start [a building project], the building inspectors want to see your plans, they want to ask you some questions about your project. As you go along, you have some inspections. When you're done, they sign off that everything was done properly and you get a certificate of occupancy. Most people are familiar with the process," says Bonsall.

Bonsall had stumbled upon a concept that got its start in the US Department of Defense roughly 15 years ago. Goaded by late-1980s risk legislation, the US federal government requires its IT projects to go through a formal security certification and accreditation (SC&A) process - known by the unwieldy acronym DITSCAP (see "How the Feds Do It", page 80) - from inception. "Certification is the documentation and evaluation of the system against a specific set of guidelines. Accreditation refers to the point where a decision maker outside the security organization chooses to accept whatever residual risk remains with the system. That person then has the responsibility to actively manage that risk," says Hart Rossman, chief technology officer for the enterprise security solutions business unit at Science Applications International Corporation (SAIC), which has a practice helping organizations establish SC&A programs.

Many private-sector companies have in the past shown a reluctance to invest the time necessary to build security into the IT project life cycle. Now that's changing, driven in part by the greater accountability created by the Sarbanes-Oxley Act and other regulations. Two financial services companies profiled here, MassMutual and Nationwide Mutual Insurance, provide insight into making the SC&A process work. Late application changes are costly, regardless of what industry you're in, so CIOs and CISOs may find these ideas worth imitating.
