Security defects are sensitive by nature: they are always raised as top-priority
tickets and are costlier to fix than functional and performance defects. Beyond the
direct business impact, they damage the company's image, incur data-loss costs,
erode end-user confidence and lead to compliance and legal issues. Given such high
levels of risk, it is surprising that many organizations have no internal
structure for security assurance.
Every organization needs an internal security assurance function: it raises
security awareness across the enterprise, provides a structure for handling the
various security compliance requirements, and uses that structure to strengthen the
build and test processes. Setting clear goals, defining a reporting structure and a
set of activities, and listing performance measurement criteria help the security
assurance team function smoothly.
To learn more about a team structure capable of providing an enterprise-wide
security assurance service for Web applications, read our POV titled "3-Pillar
Security Assurance Team Structure for ensuring Enterprise Wide Web Application
Security" at http://www.infosys.com/IT-services/independent-validation-testing-services/white-papers/Documents/security-assurance-team.pdf.