Example Security & Privacy by Design (SPBD) Documentation

If you can use Microsoft Word and Excel, then you can perform both Security by Design (SbD) and Privacy by Design (PbD) by simply following the instructions and editing the template to suit your specific requirements. While this is a template, we have done the hard work of creating the formatting and bringing together the correct scope of information that needs to be addressed.

Click on the image below to open a PDF document that shows you what the Security & Privacy By Design (SPBD) contains, as well as a look at the worksheets used to generate the checklist.


  • The main SPBD document is an editable Microsoft Word document.
  • It is written at a program level to provide direction and authority.
  • It defines how both Security by Design (SbD) and Privacy by Design (PbD) are going to be operationalized.
  • The SPBD comes with editable “paint by numbers” checklists for managing both the privacy and security lifecycles.
  • The security checklists are based on NIST 800-160.
  • The privacy checklist is based on the OASIS Privacy Management Reference Model and Methodology (PMRM).

Editable Microsoft Word Documentation & Excel Checklists

The SPBD Excel checklists provide a wealth of experience to bake in security and privacy principles by establishing methodical and repeatable processes.

  • Logically organized phases
  • Task focus (how tasks support the lifecycle phases)
  • Task #
  • Activity description
  • Reasonable task deliverables
  • Mapping to leading practices:
    • NIST 800-160
    • NIST 800-53
    • ISO 27002
  • Level of effort (expectation for basic or enhanced requirements)
  • Stakeholder RACI matrix (Responsible, Accountable, Consulted, Informed)


In addition to logically organizing the steps, we went the extra mile by calling out the expected deliverables and tying each one to its task #:

  • Proposed solution is documented that captures security-relevant criteria and tentative requirements.
  • Listing of applicable statutory, regulatory and contractual requirements are defined.
  • Business & technical constraints are identified and documented.
  • Data classification is identified.
  • System criticality is identified.
  • Data protection requirements are defined (e.g., controls) based on data classification and system criticality.
  • "Best practices" are defined to be used in the design & implementation of systems, applications and services (e.g., OWASP, NIST, DISA, etc.).
  • System hardening baselines (e.g., configuration management requirements) are defined and documented.
  • Security Concept of Operations (CONOPS) is defined and documented.
  • Standardized Operating Procedures (SOP) are documented.
  • Service Level Agreement(s) (SLAs) are defined and documented.
  • Tentative life cycle is identified.
  • Roles and responsibilities for security requirements are assigned and documented.
  • Risk Assessment is conducted and a Risk Register (RR) is used to document findings.
  • Business Impact Analysis (BIA) is conducted and documented.
  • Privacy Impact Assessment (PIA) is conducted or modified.
  • Project stakeholder list is defined and documented (strategic personnel, business units and third parties).
  • Threat assessment is conducted and documented.
  • List of constraints (facts & assumptions) is defined.
  • Listing of expected systems and services that will be required to support the proposed solution is defined.
  • System Security Plan (SSP) is documented or modified.
  • Change Control Board (CCB) change request(s) are documented.
  • High Level Diagram (HLD) is documented.
  • Low Level Diagram (LLD) is documented.
  • Data Flow Diagram (DFD) is documented.
  • Plan of Action & Milestones (POA&M) is documented or modified.
  • End user training material is developed.
  • Security awareness training is provided.
  • Information Assurance (IA) testing (certification & accreditation) is commenced.
  • Key Performance Indicators (KPIs) are identified.
  • Authorization is granted (e.g., Authority To Operate (ATO), Interim Authority To Operate (IATO) or Denied Authority To Operate (DATO)).
  • User Acceptance Testing (UAT) is conducted and documented.