Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 5: Measuring progress and demonstrating compliance
Learn how to measure progress and demonstrate compliance.
Demonstrating compliance
Learn how to demonstrate compliance.
Compliance Report
Learn about Compliance report.
California Consumer Privacy Act (CCPA) - AB 375
This report displays issues found on your site that are noncompliant with these regulations. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.

Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.
  - Measuring progress
    Learn how to track various metrics and trends of the applications that compose your portfolio.
  - Demonstrating compliance
    Learn how to demonstrate compliance.
    - Exporting issues as reports
      You can generate customized reports (in PDF, HTML, or XML) for issues and send them to developers, internal auditors, penetration testers, managers, and the CISO. The reporting templates in AppScan Enterprise map application security data to key government regulations and industry standards. Use the reports to document progress towards regulatory compliance goals, such as showing a reduction in the number of application vulnerabilities that are associated with compliance issues.
    - Limiting the size of a Security report
      Security reports can be large. During report generation, you might receive a warning message that the file is hundreds of pages long, or the report creation process might time out. Try the following tips to reduce report size.
    - Compliance Report
      Learn about Compliance report.
      - APRA PPG 234 - Management of Security Risk in Information and Information Technology report
        This report displays issues found on your site that are noncompliant with this regulation. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Basel II report
        This Basel II compliance report can help financial institutions deal with operational risk derived from online activity by identifying, monitoring, and reporting web application vulnerabilities.
      - California Consumer Privacy Act (CCPA) - AB 375
        This report displays issues found on your site that are noncompliant with these regulations. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Children's Online Privacy Protection Act of 1998 report
        This report displays Children's Online Privacy Protection Act (COPPA) issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation. Note: Many of the issues in this report are similar to those in the HIPAA report. If both reports are added to a dashboard, you will see an inflated number of total issues. To prevent this from happening, you can create tabs for each report, or just add one of the reports to a dashboard.
      - UK Data Protection Act report
        This report displays Data Protection Act issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - DCID 6/3 Securing Advanced Technology IS report
        This report analyzes the results of the web application scan to detect possible violations of the security requirements for safeguarding interconnected information systems, and for safeguarding information systems that employ advanced technologies. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process.
      - DCID 6/3 Availability Basic report
        This report analyzes the results of the web application scan to detect possible violations of the availability requirements for systems operating in the basic protection level outlined in Chapter 6 of the "Protecting Sensitive Compartmented Information within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process. The "basic" level means that information must be available with flexible tolerance for delay or loss of availability will have an adverse effect.
      - DCID 6/3 Availability Medium report
        This report analyzes the results of the web application scan to detect possible violations of the availability requirements for systems operating in the medium protection level outlined in Chapter 6 of the "Protecting Sensitive Compartmented Information within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process. The "medium" level means that information must be readily available with minimum tolerance for delay, or that loss of availability might result in bodily injury or adversely affect organization-level interests.
      - DCID 6/3 Availability High report
        This report analyzes the results of the web application scan to detect possible violations of the availability requirements for systems operating in the high protection level outlined in Chapter 6 of the "Protecting Sensitive Compartmented Information within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process. The "high" level means that information must always be available upon request, with no tolerance for delay. Loss of availability might result in loss of life, adversely affect national interests or breach confidentiality.
      - DCID 6/3 Confidentiality Reqs Protection Level 1 report
        This report analyzes the results of the web application scan to detect possible violations of the confidentiality requirements for systems operating in protection level 1 as outlined in Chapter 4 of the "Protecting Sensitive Compartmented Information Within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process.
      - DCID 6/3 Confidentiality Reqs Protection Level 2 report
        This report analyzes the results of the web application scan to detect possible violations of the confidentiality requirements for systems operating in protection level 2 as outlined in Chapter 4 of the "Protecting Sensitive Compartmented Information Within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process.
      - DCID 6/3 Confidentiality Reqs Protection Level 3 report
        This report analyzes the results of the web application scan to detect possible violations of the confidentiality requirements for systems operating in protection level 3 as outlined in Chapter 4 of the "Protecting Sensitive Compartmented Information Within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process.
      - DCID 6/3 Confidentiality Reqs Protection Level 4 report
        This report analyzes the results of the web application scan to detect possible violations of the confidentiality requirements for systems operating in protection level 4 as outlined in Chapter 4 of the "Protecting Sensitive Compartmented Information Within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process.
      - DCID 6/3 Confidentiality Reqs Protection Level 5 report
        This report analyzes the results of the web application scan to detect possible violations of the confidentiality requirements for systems operating in protection level 5 as outlined in Chapter 4 of the "Protecting Sensitive Compartmented Information Within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process.
      - DCID 6/3 Integrity Basic report
        This report analyzes the results of the web application scan to detect possible violations of the integrity requirements for systems operating in the basic integrity level outlined in Chapter 5 of the "Protecting Sensitive Compartmented Information Within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process. The "basic" level means a reasonable degree of resistance is required against unauthorized modification or loss of integrity will have an adverse effect.
      - DCID 6/3 Integrity Medium report
        This report analyzes the results of the web application scan to detect possible violations of the integrity requirements for systems operating in the medium integrity level outlined in Chapter 5 of the "Protecting Sensitive Compartmented Information Within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process. The "medium" level means that a high degree of resistance is required against unauthorized modification, but not absolute. A medium loss of integrity might result in bodily injury or an adverse affect on organizational-level interests.
      - DCID 6/3 Integrity High report
        This report analyzes the results of the web application scan to detect possible violations of the integrity requirements for systems operating in the high integrity level outlined in Chapter 5 of the "Protecting Sensitive Compartmented Information Within Information Systems" Manual. It will help you detect possible violations of the requirements presented in steps 3, 4, 5 and 8 of the accreditation process. The "high" level means that a very high degree of resistance is required against unauthorized modification. A high loss of integrity might result in loss of life or adverse affect on national interests or confidentiality.
      - DISA STIG v3 r9 report
        The Application Security and Development Security Technical Implementation Guide (STIG) provides security guidance for use throughout the application development lifecycle. The Defense Information Systems Agency (DISA) encourages sites to use these guidelines as early as possible in the application development process.
      - DISA STIG Version 3 Release 9 Category 1 report
        The Application Security and Development Security Technical Implementation Guide (STIG) provides security guidance for use throughout the application development lifecycle. The Defense Information Systems Agency (DISA) encourages sites to use these guidelines as early as possible in the application development process.
      - DoD Instruction 8500.1 - Cybersecurity report
        This report displays issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - DoD Instruction 8550.1 - Internet Services and Internet Based Capabilities report
        This report displays issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Electronic Funds Transfer Act and Regulation E report
        This report displays EFTA issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - European Directive 1995/46/EC report
        This report displays Data Protection Directive (EU 1995/46/EC) issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - European Directive 2002/58/EC report
        This report displays Privacy and Electronic Communications Directive (EU 2002/58/EC) issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Family Educational Rights and Privacy Act (FERPA) report
        This report displays FERPA issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Federal Financial Institutions Examination Council (FFIEC) - Information Security IT Examination Handbook report
        This report displays FFIEC issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Federal Information Security Management Act (FISMA) report
        This report displays FISMA issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Federal Risk and Authorization Management Program (FedRAMP) report
        This report displays FedRAMP issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Financial Services (GLBA) report
        This report displays GLBA issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Freedom of Information and Protection of Privacy Act (FIPPA) report
        This report displays FIPPA issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - The Health Insurance Portability and Accountability Act (HIPAA) of 1996 report
        This report displays HIPAA issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Japan's Personal Information Protection Act report
        This report displays issues found on your site concerning Japan's Personal Information Protection Act. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Massachusetts 201 CMR 17.00 report
        This MA 201 compliance report can help financial institutions deal with operational risk derived from online activity by identifying, monitoring, and reporting web application vulnerabilities.
      - Management of Information Technology Security (MITS) report
        This MITS compliance report can help financial institutions deal with operational risk derived from online activity by identifying, monitoring, and reporting web application vulnerabilities.
      - NERC CIPC Electricity Sector Security Guidelines report
        This report displays NERC CIPC Violations issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - PA-DSS (Payment Application Data Security Standard) v3.0 report
        This PA-DSS compliance report can help financial institutions deal with operational risk derived from online activity by identifying, monitoring, and reporting web application vulnerabilities.
      - Payment Card Industry Data Security Standard (PCI) v3.0 report
        This report displays PCI issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - PIPED Act report
        This report displays PIPED issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Privacy Act of 1974 report
        This report displays Privacy Act of 1974 issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Regulation 2016/679 of the European Parliament and of the Council - General Data Protection Regulation (GDPR)
        This report displays General Data Protection Regulation (GDPR) issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Safe Harbor report
        This report displays European Safe Harbor issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Sarbanes-Oxley Act (SOX) of 2002 report
        This report displays Sarbanes-Oxley issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - Title 21 Code of Federal Regulations (21 CFR) Part 11 report
        This report displays 21CFR11 (Code of Federal Regulations, Title 21, Part 11) issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
    - Industry standard reports
      Learn about Industry standard report.

California Consumer Privacy Act (CCPA) - AB 375

This report displays issues found on your site that are noncompliant with these regulations. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.

Why it matters

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale or sharing of their personal information; and
The right to non-discrimination for exercising their CCPA rights.

Best practices for complying with California Consumer Privacy Act (CCPA) - AB 375

Identify the kinds of personal information that the business collects and maintains, including paper-based and electronically-stored personal information.
Determine the level of risk that the potential loss or unauthorized disclosure of information poses to your business and to the public.
Determine if your security measures and procedures are reasonable. In making this determination, weigh the costs of the protection that you currently provide against the damages the business would sustain if the data were to be lost or improperly disclosed.
Adjust procedures and practices so that the type and level of protection provided to the personal information is appropriate for degree of risk of loss or improper disclosure of that information.