While the European Union General Data Protection Regulation (EU GDPR) continues to make headlines for its requirements and the California Consumer Privacy Act (CCPA) approaches, there are many other reasons to have program-level documentation that demonstrates how cybersecurity and privacy principles are designed and implemented by default. It goes beyond compliance; it is simply good business practice.
Can You Honestly Answer HOW Privacy or Security Are Implemented At Your Organization?
When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as how Security by Design (SbD) and Privacy by Design (PbD) principles are managed. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation that addresses HOW the policies and standards are actually implemented. We did the heavy lifting and created a program-level document to address this need: the Security & Privacy by Design (SPBD) is that solution.
Managing Privacy & Cybersecurity Principles Does Not Have To Be Hard
If you can use Microsoft Word and Excel, then you can perform both Security by Design (SbD) and Privacy by Design (PbD) by simply following the instructions and editing the template to suit your specific requirements. While this is a template, we did the hard work of creating the formatting and bringing together the correct scope of information that needs to be addressed.
Operationalize Security by Design (O-SbD)
Operationalize Privacy by Design (O-PbD)
Security by Design (SbD) requirements come from numerous sources. In this context, the most important are:
International Organization for Standardization (ISO)
National Institute for Standards & Technology (NIST)
US Government (HIPAA & FedRAMP)
Information Systems Audit and Control Association (ISACA)
Cloud Security Alliance (CSA)
Center for Internet Security (CIS)
Open Web Application Security Project (OWASP)
Privacy by Design (PbD) requirements come from numerous sources. In this context, the most important are:
Fair Information Practice Principles (FIPPs)
European Union (EU) General Data Protection Regulation (GDPR)
Organization for the Advancement of Structured Information Standards (OASIS)
International Organization for Standardization (ISO)
National Institute for Standards & Technology (NIST)
Information Systems Audit and Control Association (ISACA)
US Government (HIPAA & FTC Act)
Click on the image below to open a PDF document that shows you what the Security & Privacy By Design (SPBD) contains, as well as a look at the worksheets used to generate the checklist.
Editable Excel Checklists
The main SPBD document is an editable Microsoft Word document.
It is written at a program level to provide direction and authority.
It defines how both Security by Design (SbD) and Privacy by Design (PbD) are going to be operationalized.
The SPBD comes with editable "paint by numbers" checklists for managing both the privacy and the security lifecycles.
The security checklists are based on NIST 800-160.
The privacy checklist is based on the OASIS Privacy Management Reference Model and Methodology (PMRM).
Professionally-Written, Editable NIST 800-160 & OASIS PMRM-Based Cybersecurity For Privacy by Design (C4P) Program
The Security & Privacy By Design (SPBD) product is designed to support your company's existing policies and standards. Our solution is focused on the procedural and guideline levels.
Editable Microsoft Word Documentation & Excel Checklists
The SPBD Excel checklists provide a wealth of experience to bake in security and privacy principles by establishing methodical and repeatable processes.
NIST 800-160 is the "gold standard" on how to build security into the System Development Life Cycle (SDLC).
Logically-organized phases
Task focus (How tasks support the lifecycle phases)
Task #
Activity Description
Reasonable Task Deliverables
Mapping to leading practices:
NIST 800-160
NIST 800-53
ISO 27002
OASIS PMRM
Level of Effort (expectation for basics or enhanced requirements)
In addition to logically organizing the steps, we went the extra mile by calling out the deliverables expected and tying each one to a task #:
Proposed solution is documented that captures security-relevant criteria and tentative requirements.
Listing of applicable statutory, regulatory and contractual requirements is defined.
Business & technical constraints are identified and documented.
Data classification is identified.
System criticality is identified.
Data protection requirements are defined (e.g., controls) based on data classification and system criticality.
"Best practices" are defined to be used in the design & implementation of systems, applications and services (e.g., OWASP, NIST, DISA, etc.).
System hardening baselines (e.g., configuration management requirements) are defined and documented.
Security Concept of Operations (CONOPS) is defined and documented.
Standardized Operating Procedures (SOP) are documented.
Service Level Agreement(s) (SLAs) are defined and documented.
Tentative life cycle is identified.
Roles and responsibilities for security requirements are assigned and documented.
Risk Assessment is conducted and a Risk Register (RR) is used to document findings.
Business Impact Analysis (BIA) is conducted and documented.
Privacy Impact Assessment (PIA) is conducted or modified.
Project stakeholder list is defined and documented (strategic personnel, business units and third parties).
Threat assessment is conducted and documented.
List of constraints (facts & assumptions) is defined.
Listing of expected systems and services that will be required to support the proposed solution is defined.
System Security Plan (SSP) is documented or modified.
Change Control Board (CCB) change request(s) are documented.
High Level Diagram (HLD) is documented.
Low Level Diagram (LLD) is documented.
Data Flow Diagram (DFD) is documented.
Plan of Action & Milestones (POA&M) is documented or modified.
End user training material is developed.
Security awareness training is provided.
Information Assurance (IA) testing (certification & accreditation) is commenced.
Key Performance Indicators (KPIs) are identified.
Authorization is granted (e.g., Authority To Operate (ATO), Interim Authority To Operate (IATO) or Denied Authority To Operate (DATO)).
User Acceptance Testing (UAT) is conducted and documented.
Cybersecurity For Privacy By Design Requires Leveraging Common Touch Points
Unfortunately, most companies fail to see the common touch points that exist in both project lifecycles, and this can lead to either gaps in coverage or duplication of effort. Through our experience in cybersecurity and privacy, we understand these touch points and call them out to enable a "paint by numbers" approach to baking both cybersecurity and privacy controls into development and project management processes.
This is where aligning your company's Security by Design (SbD) efforts with the Risk Management Framework (RMF) (e.g., NIST 800-37) can be very beneficial, since the RMF provides a well-established format to securely engineer and maintain systems throughout the entire life cycle of the asset. Through these common linkages, Privacy by Design (PbD) is incorporated into the RMF cycle.
"Paint By Numbers" Approach To Cybersecurity & Privacy Requirements
What we've done is simply handle the heavy lifting of integrating security and privacy controls into standard project management processes. This gives your teams a "paint by numbers" approach to demonstrating that both cybersecurity and privacy principles are baked into the process. We identified the stages where both cybersecurity and privacy requirements are expected as part of project development. This enables your teams to work more effectively together and reduces the negative effect of teams working in silos.
All too often, when projects are commenced, involvement from key stakeholders is siloed, as compared to operating as a cohesive team. We want to help your company avoid the following security & privacy pitfalls where:
Project / application teams work in a vacuum, unaware of security or privacy concerns;
Privacy and security conduct their own assessments without any information sharing or collaboration; and
Security involvement is viewed as a final hurdle to overcome, just prior to “go live” for the project.