Policy to Execution: An Introduction
"Equifax had serious gaps between IT policy development and execution" - The U.S. Government’s House of Representatives, Majority Staff Report
Organizations today have teams who create security policies and separate IT teams who develop software. There is, however, an overwhelming number of policies to comply with, and no way to translate those policies into actionable tasks for the technical teams. This is the policy-to-execution gap.
Now, the question is: how do we streamline the process of translating policies into actionable tasks that software teams can use? In our white paper, we examine this challenge and present how an expert system like SD Elements can streamline and automate the process to bridge the gap from policy to execution.
From Policy to Execution with SD Elements
SD Elements automatically translates high-level policies into actionable tasks that are easy to understand and implement for technical (development) teams.
Secure Coding and Compliance: SD Elements’ knowledge base is made up of actionable tasks developed and maintained by our research team. Our research team analyzes low-level secure-coding best practices and interprets high-level policies. Based on these interpretations, SD Elements generates ‘tasks’ which contain instructions for software teams on how to write secure and compliant code.
Custom Policies: SD Elements’ ‘Tasks’ support compliance with PA-DSS, GLBA, HIPAA, ISO 27001, GDPR, COPPA, GAPP, and other popular frameworks, but they also accommodate organizations’ custom policies. Using our platform, policy teams can define and communicate risk policies for their applications based on regulations, industry standards, and internal policies.
Integrations: SD Elements supports multiple integrations, creating a highly efficient workflow for your enterprise teams. It syncs with most Application Lifecycle Management (ALM) tools on the market and pushes security and compliance tasks directly to your developers. Once a member of your team marks a task as ‘complete,’ SD Elements tracks and streamlines the testing results. The system can automatically verify tasks by importing the results from Static Application Security Testing (SAST) tools such as Veracode, Checkmarx, or Fortify and Dynamic Application Security Testing (DAST) tools such as WebInspect or AppScan back into SD Elements. Your software teams can then quickly verify whether the implementation of a control was successful.
Policy-to-Execution Solutions in the Industry
Policy to execution is a growing topic of discussion in the field of information security. The U.S. Government’s House of Representatives attributes a widely publicized security breach to "an execution gap between IT policy development and operation." Gartner has also coined its own term for policy-to-execution solutions: Application Security Requirements and Threat Management (ASRTM). ASRTM is a subset of what our policy-to-execution platform, SD Elements, covers: whereas ASRTM solutions address a subset of application security capabilities, SD Elements has a wider scope.