• Home
• Services
• Methodology
• About Watson Hall
• Security resources
• Contact

The development and operation of web applications is usually driven by business objectives in the context of the economic situation and customer needs. But what are the key regulatory issues and who are the prominent players in setting standards and guidelines? The answer depends upon your sector, your customers, the type of functions that are web-enabled and the countries you operate in. We have created a diagram showing how we see the picture for UK organisations - there is a significant 'United States effect' partly due to the origins of the internet and also to close working relationships, ownership and investments, especially in the financial sector.

If you have any suggestions for additions, alterations or corrections (see change log), please use our enquiry form.

Diagram image

The guidance, standards, legislation and organisations that are principal influences on the development and operation of UK web sites and web applications are illustrated in the oversize chart image below. Use the scroll bars and click on an item to view more details in the tree further down this page.

Those organisations we believe are specially important have emboldened names and documents of particular note to web application security are highlighted with a star.

Diagram tree

The diagram is displayed as a dynamic tree below.

UK Web Applications

United Kingdom

Standards Organisations

BSI

Standards

BS 8878 (Web Accessibility) Draft

BS 10008 (Evidential Weight and Legal Admissibility of Electronic Information)

BS 10012 (Protection of Personally Identifiable Information)

BS 25777 (Information and Communications Technology Continuity Management)

BS 25999 (Business Continuity)

Publicly Available Specifications

PAS 78:2006 (Guide to Good Practice in Commissioning Accessible Websites)

PAS 124:2008 (Defining, Implementing and Managing Website Standards: A Statement of Best Practice)

PAS 74:2008 (Internet safety. Access Control Systems for the Protection of Children Online. Specification)

Governmental

Welsh Assembly Government

Code of Practice on Access to Information

The Scottish Parliament

Data Handling in Government

Local Government

Local Authority WARP (Warning, Advice and Reporting Point)

UK Parliament

Legislation

Criminal Justice and Immigration Act 2008

Police and Justice Act 2006

Safeguarding Vulnerable Groups Act 2006

The Companies Act 2006

The Terrorism Act 2006

Communications Act 2003

Criminal Justice Act 2003

The Privacy and Electronic Communications (EC Directive) Regulations 2003

The Electronic Commerce (EC Directive) Regulations 2002

Freedom of Information Act 2000

The Regulation of Investigatory Powers Act 2000

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

The Consumer Protection (Distance Selling) Regulations 2000

The Human Rights Act 1998

Data Protection Act 1998

Civil Evidence Act 1995

The Computer Misuse Act 1990

Disability Discrimination Act 1995

Trade Marks Act 1994

Copyright, Designs and Patents Act 1988

Data Retention (summary of various legislation)

Regulators

Information Commissioner's Office (ICO)

Annual Track

Data Protection Act 1998 Legal Guidance

Data Protection Act Compliance Check Template

Data Protection Guide

Eighth Data Protection Principle and International Data Transfers

Personal Information Online Code of Practice (Draft)

Privacy By Design Report

Privacy Impact Assessments Handbook

Privacy Notices Code of Practice

Financial Services Authority (FSA)

FSA Handbook

Data Security in Financial Services

Office of Fair Trading

Charity Commission

Agencies

Audit Commission

Centre for the Protection of National Infrastructure (CPNI)

NISCC Secure Web Applications - Development Installation and Security Testing

Guidance on Securing Web Sites

Good Practice Guidelines

Technical Notes

Technical Notes on Application Protection

Risk Management and Accreditation of Information Systems (HMG Infosec Standard No 2)

Communications and Electronic Services Group (CESG)

Incident Response Team (GovCertUK)

CESG Claims Tested Mark (CCTM)

Good Practice Guides

IT Health Check Service (known as CHECK)

IS1 Risk Tool Worksheet

Information Assurance Maturity Model (IAMM)

Supported Self Assessment

Child Exploitation and Online Protection Centre (CEOP)

Criminal Records Bureau (CRB)

Health and Safety Executive

Improvement and Development Agency (IDeA)

Independent Safeguarding Authority (ISA)

Serious Organised Crime Agency (SOCA)

Technology Strategy Board

Departments

Department for Work and Pensions

Government Connect (GC)

CoCo (Code of Connection)

Department for Innovation, Universities and Skills

Patent Office

Higher Education Funding Council for England

Joint Information Systems Committee (JISC)

JANET

JISC Legal

Data Protection

Human Rights

Cabinet Office

Central Sponsor for Information Assurance (CSIA)

Data Handling Procedures in Government

National Security Strategy

National Risk Register

Schemas and Standards

Data Standards

The e-Government Interoperability Framework (e-GIF)

The e-Government Metadata Standard

Security Policy Framework

Cyber Security Strategy

Office of Cyber Security (OCS)

Cyber Security Operations Centre (CSOC)

Central Office of Information

Web Standards and Guidelines for Public Sector Websites

Department for Health

Information Governance

Information Governance Toolkit

Home Office

Code of Practice for the Investigation of Protected Electronic Information

Good Practice Guidance for the Providers of Social Networking and Other User Interactive Services

Police Central E-crime Unit (PCeU)

Department for Business, Innovation and Skills

Cyber Security KTN

Business Link

Consumer Direct

Companies House

Department for Culture, Media and Sport

Digital Britain

Treasury

Good Practice Guides

The Internal Audit Role in Information Assurance

Putting the Frontline First: Smarter Government

Groups

Parliamentary Information Technology Committee (PITCOM)

All Party Parliamentary Communications Group (apComms)

Can We Keep Our Hands Off the Net?

All-Party Media Group

UK Internet Governance Forum (UK IGF)

House of Lords

Science and Technology Committee

Personal Internet Security Report

Follow-Up

Other Organisations

ISACA UK Chapters

Central

London

Northern

Scotland

ISSA UK

OWASP UK Chapters

Leeds

London

Scotland

Accredit UK

Association of Chief Police Officers (ACPO)

Good Practice Guide for Computer-Based Evidence

National Working Group on Fraud

Association of International Accountants (AIA)

E-business Regulatory Alliance

Westminster Forum Projects

EURIM

Director's Guides to Managing Information Risks

British Computer Society (BCS)

Information Security Specialist Group (BCS-ISSG)

Business Continuity Institute (BCI)

Direct Marketing Association

Get Safe Online

The Children's Charities' Coalition for Internet Safety (CHIS)

Information Assurance Advisory Council (IAAC)

Information Security Awareness Forum (ISAF)

Institute of Chartered Accountants in England and Wales (ICAEW)

AAF 01/06 - Assurance Reports on Internal Controls of Service Organisations Made Available to Third Parties

Institute of Chartered Accountants of Scotland (ICAS)

Institute of Information Security Professionals (IISP)

Institute of Internal Auditors

Intellect

Internet Services Providers' Association (ISPA)

Internet Watch Foundation (IWF)

Jericho Forum

Local Government Association (LGA)

Local Government Data Handling Guidelines

London Internet Exchange (LINX)

Nominet

Society for Computers and Law

Society of Information Technology Management (SOCITM)

UK Crimestoppers

International

United States

Governmental

Federal

Legislation

Sarbanes-Oxley Act of 2002

Section 508 of the Rehabilitation Act

CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act)

Digital Millennium Copyright Act

Federal Information Security Management Act of 2002 (FISMA)

Health Insurance Portability and Accountability Act (HIPAA)

Departments

Commerce

National Institute of Standards and Technology (NIST)

Special Publications (SPs)

SP 800-53 Recommended Security Controls for Federal Information Systems

SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

National Vulnerability Database (NVD)

Federal Information Processing Standards (FIPS)

Security Content Automation Protocol (SCAP) Checklists

Software Assurance Metrics And Tool Evaluation (SAMATE)

Defense

Security Technical Implementation Guides

Application Security and Development - Security Technical Implementation Guide

Homeland Security

Common Weakness Enumeration (CWE)

Building Security In

Treasury

Comptroller of the Currency

Agencies

Government Accountability Office

Federal Information System Controls Audit Manual (FISCAM)

State

Legislation

SB1386

Other Organisations

Internet Corporation for Assigned Names and Numbers (ICANN)

Internet Assigned Numbers Authority (IANA)

American Institute of Certified Public Accountants (AICPA)

Statement on Auditing Standard 70 (SAS 70)

American National Standards Institute (ANSI)

Carnegie Mellon University

Software Engineering Institute

Capability Maturity Model Integration (CMMI)

CERT

Secure Coding Standards

Global

Standards Organisations

AIIM

Bank for International Settlements

Basel II Accord

Ecma International

TC39 - ECMAScript

TC49 - Programming Languages

IEEE

International Electrotechnical Commission (IEC)

ISO

ISO/IEC Information Technology Task Force (ITTF)

JTC 1 - Information Technology

SC7 - Software and Systems Engineering

SC22 - Programming Languages, Their Environments and System Software Interfaces

SC27 - IT Security Techniques

ISO/IEC 38500:2008 (Corporate Governance of Information Technology )

ISO/IEC 27000 series (Information Security Management Systems Family of Standards)

ISO/IEC 25000 series (Software Engineering Software product Quality Requirements and Evaluation [SQuaRE])

ISO/IEC 20000 (IT Service)

ISO/IEC TR 18044 (Information Security Incident Management)

ISO/IEC 15288:2008 (Systems and Software Engineering -- System Life Cycle Processes)

ISO/IEC 15504 (Process Assessment)

ISO/IEC 14598 (Software Product Evaluation)

ISO/IEC 12207 (Software Life Cycle Processes)

ISO/IEC 9126 (Software Engineering - Product Quality)

ISO 9001 (Quality)

ITIL

Organisation for the Advancement of Structured Information Standards (OASIS)

Standards

Payment Card Industry (PCI) Security Standards Council

PCI Data Security Standard (PCI DSS)

Payment Application Data Security Standard (PA-DSS)

Unicode Consortium

Other Organisations

Building Security In Maturity Model (BSIMM)

Center for Internet Security (CIS)

Benchmarks and Tools

Cloud Security Alliance (CSA)

Security Guidance for Critical Areas of Focus in Cloud Computing

Forum of Incident Response and Security Teams (FIRST)

Common Vulnerability Scoring System (CVSS)

Information Security Forum

The Standard of Good Practice for Information Security

Information Systems Audit And Control Association (ISACA)

COBIT

Security Baseline

Information Systems Security Association (ISSA)

International Systems Security Engineering Association (ISSEA)

Systems Security Engineering Capability Maturity Model (SSE-CMM)

Institution of Engineering and Technology (IET)

International Association of Internet Hotlines (INHOPE)

International Information Systems Security Certification Consortium (ISC2)

Internet Engineering Task Force (IETF)

Internet Architecture Board (IAB)

ISM3 Consortium

ISM3

Microsoft

Trustworthy Computing Security Development Lifecycle (or SDL)

Developer Starter Kit

Open Security Foundation

Open Source Vulnerability Database (OSVDB)

Open Web Application Security Project (OWASP)

Code Review Guide

Application Security Verification Standard (ASVS)

CLASP (Comprehensive, Lightweight Application Security Process)

Development Guide

Software Assurance Maturity Model (SAMM)

Testing Guide

Top 10

Software Assurance Forum for Excellence in Code (SAFECode)

SysAdmin, Audit, Network, Security (SANS) Institute

Consensus Audit Guidelines (CAG)

Web Application Security Consortium (WASC)

Web Hacking Incidents Database (WHID)

Web Security Threat Classification

Web Security Glossary

World Wide Web Consortium (W3C)

Web Accessibility Initiative (WAI)

Accessible Rich Internet Applications (ARIA)

Authoring Tool Accessibility Guidelines (ATAG)

Protocols and Formats Working Group (PFWG)

User Agent Accessibility Guidelines (UAAG)

Web Content Accessibility Guidelines (WCAG)

XHTML2 Working Group

Web Applications (WebApps) Working Group

Web Security Context Working Group

XML Security Working Group

United Nations (UN)

International Telecommunication Union (ITU)

Cybersecurity Gateway

Global Cybersecurity Agenda (GCA)

World Summit on the Information Society (WSIS)

Internet Governance Forum (IGF)

Europe

Directives

95/46/EC (Processing of Personal Data)

2002/58/EC (Privacy and Electronic Communications)

2000/31/EC (Electronic Commerce)

97/7/EC (Distance Contracts with Consumers)

96/9/EC (Protection of Databases)

2001/29/EC (Copyright)

Directorates

Justice, Freedom and Security

European Data Protection Supervisor

Standards Organisations

European Committee for Standardization (CEN)

European Standards (EN)

European Telecommunications Standards Institute (ETSI)

Technical Committees and Projects

European Committee for Electrotechnical Standardization (CENELEC)

Other Organisations

European Network and Information Security Agency (ENISA)

Security and Privacy in Virtual Worlds and Gaming

Security Issues and Recommendations for Online Social Networks

Web 2.0 Security and Privacy

Cloud Computing Benefits, Risks and Recommendations

Web Accessibility Benchmarking (WAB) Cluster

Unified Web Evaluation Methodology

Insafe

Safer Internet Day

European Internet Exchange (Euro-IX)

Web security services from Watson Hall

Information security policies, standards and procedures, web site and web application security assessments and audit and web security design and review.

Act now

Contact Watson Hall to discuss web application assessments including compliance checks.