Data Protection (Privacy) & Secure Engineering

While the European Union General Data Protection Regulation (EU GDPR) continues to make headlines for its requirements and the looming California Consumer Protection Act (CCPA) approaches, there are many other reasons to have program-level documentation to demonstrate how cybersecurity and privacy principles are designed and implemented by default. It goes beyond compliance and is just good business practice. 

Can You Honestly Answer HOW Privacy or Security Are Implemented At Your Organization?

When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as how Security by Design (SbD) and Privacy by Design (PbD) principles are managed. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW the policies and standards are actually implemented. We did the heavy lifting and created a program-level document to address this need and the Security & Privacy by Design (SPBD) is that solution. 

Managing Privacy & Cybersecurity Principles Does Not Have To Be Hard

If you can use Microsoft Word and Excel, then you can perform both Security by Design (SbD) and Privacy by Design (PbD) by simply following the instructions and editing the template to suit your specific requirements. While this is a template, we did the hard work of creating the formatting, bringing together the correct scope of information that needs to be addressed!

Click on the image below to open a PDF document that shows you what the Security & Privacy By Design (SPBD) contains, as well as a look at the worksheets used to generate the checklist.

Professionally-Written, Editable NIST 800-160 & OASIS PMRM-Based Cybersecurity For Privacy by Design (C4P) Program

The Security & Privacy By Design (SPBD) product is designed to support your company’s existing policies and standards. Our solution is focused at the procedural and guideline levels.

Editable Microsoft Word Documentation & Excel Checklists 

 The SPBD Excel checklists provide a wealth of experience to bake in security and privacy principles by establishing methodical and repeatable processes. 

• NIST 800-160 is the "gold standard" on how to build security into the System Development Life Cycle (SDLC)
• Logically-organized phases 
• Task focus (How tasks support the lifecycle phases)
• Task #
• Activity Description
• Reasonable Task Deliverables
• Mapping to leading practices:
• NIST 800-160
• NIST 800-53
• ISO 27002
• OASIS PMRM
• Level of Effort (expectation for basics or enhanced requirements)
• Stakeholder RACI Matrix (Responsible, Accountable, Consulted, Informed)

In addition to logically organizing steps, we went the extra mile by calling out the deliverables expected and tied it to task #:  

• Proposed solution is documented that captures security-relevant criteria and tentative requirements.
• Listing of applicable statutory, regulatory and contractual requirements are defined.
• Business & technical constraints are identified and documented.
• Data classification is identified.
• System criticality is identified.
• Data protection requirements are defined (e.g., controls) based on data classification and system criticality.
• "Best practices" are defined to be used in the design & implementation of systems, applications and services (e.g., OWASP, NIST, DISA, etc.).
• System hardening baselines (e.g., configuration management requirements) are defined and documented.
• Security Concept of Operations (CONOPS) is defined and documented.
• Standardized Operating Procedures (SOP) are documented.
• Service Level Agreement(s) (SLAs) are defined and documented.
• Tentative life cycle is identified.
• Roles and responsibilities for security requirements are assigned and documented.
• Risk Assessment is conducted and a Risk Register (RR) is used to document findings.
• Business Impact Analysis (BIA) is conducted and documented.
• Privacy Impact Assessment (PIA) is conducted or modified.
• Project stakeholder list is defined and documented (strategic personnel, business units and third parties).
• Threat assessment is conducted and documented.
• List of constraints (facts & assumptions) is defined.
• Listing of expected systems and services that will be required to support the proposed solution is defined.
• System Security Plan (SSP) is documented or modified.
• Change Control Board (CCB) change request(s)
• High Level Diagram (HLD) is documented.
• Low Level Diagram (LLD) is documented.
• Data Flow Diagram (DFD) is documented.
• Plan of Action & Milestones (POA&M) is documented or modified.
• End user training material is developed.
• Security awareness training is provided.
• Information Assurance (IA) testing (certification &accreditation) is commenced.
• Key Performance Indicators (KPIs) are identified.
• Authorization is granted (e.g., Authority To Operate (ATO) , Interim Authority To Operate (IATO) or Denied Authority To Operate (DATO)).
• User Acceptance Testing (UAT) is conducted and documented.

Central to Cybersecurity For Privacy By Design Requires Leveraging Common Touch Points

Unfortunately, most companies fail to see the common touch points that exist in both project lifecycles and this can lead to either gaps in coverage or duplication of efforts. Through our experience in cybersecurity and privacy, we understand these touch points and call those out to enable a "paint by numbers" approach to baking in both cybersecurity and privacy controls into development and project management processes.

This is where aligning your company’s Security by Design (SbD) efforts with the Risk Management Framework (RMF) (e.g., NIST 800-37) can be very beneficial, since the RMF provides a well-established format to securely engineer and maintain systems throughout the entire life cycle of the asset. Utilizing common linkages, Privacy by Design (PbD) is incorporated into the RMF cycle.

"Paint By Numbers" Approach To Cybersecurity & Privacy Requirements

What we've done is simply handle the heavy lifting to integrate security and privacy controls into standard project management processes. This allows your teams to have a "paint by numbers" approach to demonstrating that both cybersecurity and privacy principles are baked into the process! We identified the stages where both cybersecurity and privacy requirements are expected as part of project development. This can enable your teams to work more effectively together and reduce the negative effect of teams working in silos. 

All too often, when projects are commenced, involvement from key stakeholders is siloed, as compared to operating as a cohesive team. We want to help your company avoid the following security & privacy pitfalls where:

• Project / application teams work in a vacuum, unaware of security or privacy concerns;
• Privacy and security conduct their own assessments without any information sharing or collaboration; and
• Security involvement is viewed as a final hurdle to overcome, just prior to “go live” for the project.