Compliance Series: Financial Services Security and the BITS Framework

This article in our compliance series looks at the importance of secure software development to the financial services industry.  Software – whether running on PCs, laptops, or in new cloud-based services plays a critical role for financial services institutions in helping to protect their business and customers. It can help protect against malicious attacks, theft of customer data and even corporate assets.  However, designing large, complex programs and services that manage this data in a secure manner can be difficult without a good secure development process in place.  This is one of the reasons the BITS Software Assurance Framework was created by the Financial Services Roundtable.

The BITS Software Assurance Framework was created in 2012 by the Financial Services Roundtable to document the importance of secure development practices and to provide guidelines that financial services organizations can use to implement these practices more fully.  BITS, a part of the Financial Services Roundtable, is made up of major US financial institutions that are responsible for almost 93 million US dollars in managed assets. The Software Assurance Framework was developed to help financial institutions better follow secure development practices and avoid the risks outlined above.

The Framework is rooted in education, integration of security in design using standards and threat modeling, best practices for coding, focused and comprehensive testing and followed with important implementation and response practices.  The Framework was developed in collaboration with Microsoft, and integrates the Microsoft Security Development Lifecycle at the foundation.

According to Paul Smocer, BITS president, “Building safe software is a necessity, a priority and a complex process for financial institutions.  The BITS Framework offers a practical approach to software security through strong design, implementation and testing processes.”

For more information on software and compliance, I encourage you to check out the Microsoft SDL compliance center.

Tim Rains
Trustworthy Computing


Read other parts of this series

Part 1: Compliance Series:  Software Security and Compliance Introduction
Part 2: Compliance Series:  Microsoft SDL Helps Orgs Meet HIPAA Standards
Part 3:
Compliance Series: Software and Service Security and PCI DSS/PA-DSS
Part 4: Compliance Series: Financial Services Security and the BITS Framework




About the Author
Tim Rains

Director, Security

Tim Rains is Director, Security at Microsoft where he helps manage marketing communications for Microsoft Cloud & Enterprise security, identity, and enterprise mobility products and services. Formerly, Tim was Chief Security Advisor of Microsoft’s Enterprise Cybersecurity Group where he helped Read more »