The Online Trust Alliance (OTA), one of the biggest proponents for Extended Validation SSL Certificates (EV SSL) in the security community, recently announced a new set of guidelines that any business or technical decision maker should consider within their security environments.
The guidelines, titled Security by Design, provide an outline of best practices for the treatment of consumer data. They explain that when collecting consumer data, businesses need to ensure they are protecting that data and avoiding the kind of security incident we've seen so frequently in recent weeks.
Here are the first 5 steps to Security by Design:
1. Create a cross-functional security team headed by a chief security officer (or equivalent) as a single point of authority with security accountability.
2. Map the data workflows within your organization and vendors to identify points of vulnerability. Examine how you handle data, from collection and storage to transmission, usage and destruction. Define who should have access to the data, how and why.
3. Include security review milestones in the product development process, from concept development, functional specification development, design, testing and launch.
4. Audit your network infrastructure, mapping both internal and external facing sites and all points of connection. Implement processes to monitor your network and data assets to detect unauthorized access or unusual patterns of activity.
5. Develop an incident response plan and team. Include pre-defined action items
To determine where you currently stand, OTA then suggests 20 assessment questions you can ask yourself to see how you measure up. Finally, they offer a number of best practices that can be implemented immediately or within 90 days to limit the chances of your company falling victim to a data breach and the damage that would do to your brand.
For the press release issued by OTA, please click here. Symantec is a member of the committee in support of this initiative. Also, please be sure to check out best practice number 10, which suggests the use of EV SSL Certificates.