Vendor Management Perspective

Setting Security Purchase and Acceptance Criteria for Software

Not all software applications are created equal, at least not from a security requirements perspective. Different applications require different levels of security to be "fit for purpose" in a particular deployment environment or to satisfy the acquiring company's information security risk governance model. Determining the business criticality of the target company's software is therefore a critical first step in the mergers and acquisitions process.

Veracode highly recommends that vendor management and procurement professionals develop an appropriate business classification index for their organization's application portfolio. This can be accomplished by reviewing the six potential impact categories below and rating each associated impact as low, moderate or high according to the definition of that category. Once the potential impacts of a security breach have been determined, Veracode assigns an application assurance level (business criticality), which in turn sets the security thresholds the target company's software must meet in order to pass. Veracode's program office can assist procurement professionals in creating the appropriate application classification system, often in partnership with the office of the CIO or CISO.

Six Impact Categories

  • Potential impact of inconvenience, distress, or damage to standing or reputation;
  • Potential impact of financial loss;
  • Potential impact of harm to organization programs or public interests;
  • Potential impact of unauthorized release of sensitive information;
  • Potential impact to personal safety;
  • Potential impact of civil or criminal violations.

The following chart from NIST (the assurance-level table in NIST SP 800-63) provides guidance on selecting an assurance level based on the business risk determined from the six impact categories above: