Security & Privacy By Design (SPBD)

Security & Privacy By Design 

With the European Union General Data Protection Regulation (EU GDPR) effective in mid-2018 and the California Consumer Privacy Act (CCPA) on the near-horizon for 2020, companies have an obligation to demonstrate they implement both Security by Design (SbD) and Privacy by Design (PbD). Unfortunately, most businesses lack the knowledge and experience to undertake such documentation efforts. That means businesses are faced to either outsource the work to expensive consultants or they ignore the requirement and hope they do not get in trouble for being non-compliant with this compliance requirement. In either situation, it is not a good place to be. The good news is that ComplianceForge developed a viable cybersecurity and privacy program that is based on NIST 800-160 guidance for security by design and OASIS for privacy by design. 

Professionally-Written, Editable NIST 800-160 & OASIS PMRM-Based Cybersecurity For Privacy by Design (C4P) Program

The Security & Privacy By Design (SPBD) product is designed to support your company’s existing policies and standards. Our solution is focused at the procedural and guideline levels, where it straddles the territory between an organization's centrally-managed policies/standards and its decentralized, stakeholder-executed procedures. The SPBD serves as expert-level guidance that is meant to run a specific capability or function within an organization's cybersecurity department to help communicate user needs and system characteristics to developers, integrators, sponsors, funding decision makers and other stakeholders.

Product Example - Security & Privacy By Design (SPBD)

The SPBD addresses program-level guidance on HOW to actually manage cybersecurity and privacy principles, so that secure processes are designed and implemented by default. Policies & standards are absolutely necessary to an organization, but they fail to describe HOW privacy and security principles are actually planned and managed. The SPBD provides this middle ground between high-level policies and the actual procedures of how developers, PMs, system integrators and system admins do their jobs to design, implement and maintain technology solutions.  

Watch Our Product Walkthrough Video		View Product Example

Cost Savings Estimate - Security & Privacy By Design (SPBD)

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SPBD from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

• For your internal staff to generate comparable documentation, it would take them an estimated 310 internal staff work hours, which equates to a cost of approximately $23,500 in staff-related expenses. This is about 4-8 months of development time where your staff would be diverted from other work.
• If you hire a consultant to generate this documentation, it would take them an estimated 200 consultant work hours, which equates to a cost of approximately $60,000. This is about 3-4 months of development time for a contractor to provide you with the deliverable.
• The SPBD is approximately 6% of the cost for a consultant or 16% of the cost of your internal staff to generate equivalent documentation.
• We process most orders the same business day so you can potentially start working with the SPBD the same day you place your order.

The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed. 

Cybersecurity & Privacy By Design - Program Level Privacy & Security Documentation

The SPBD can serve as a foundational element in your organization's privacy program. It can stand alone or be paired with other specialized products we offer.

Cybersecurity and privacy do not need to be hard. The Security & Privacy By Design (SPBD) document is meant to simplify how security and privacy can be operationalized in a “paint by numbers” approach. This product is comprised of editable Microsoft Word and Excel documentation so you can customize it for your specific needs. 

Please keep in mind that security & privacy engineering principles are widely expected activities:

• European Union General Data Protection Regulation (EU GDPR)
• NIST 800-53
• NIST Cybersecurity Framework
• ISO 27002
• Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012 (NIST 800-171)
• Federal Acquisition Regulations (FAR) 52.204-21 - 4
• National Industrial Security Program Operating Manual (NISPOM)
• SOC2
• New York State Department of Financial Service (DFS)
• Payment Card Industry Data Protection Standard (PCI DSS)
• Center for Internet Security Critical Security Controls (CIS CSC)
• Generally Accepted Privacy Principles (GAPP) 

What Is The Security & Privacy by Design (SPBD)? 

Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The SPBD comes in both editable Microsoft Word and Excel formats. The SPBD is capable of scaling for any sized company. 

• The SPBD is an editable Microsoft Word document that providers program-level guidance to directly supports your company's policies and standards for ensuring secure engineering and privacy principles are operationalized.
• This product addresses the “how?” questions for how your company ensures both security and privacy principles are operationalized.
  • It is a reality that most companies have either weak or non-existent guidance on how security or privacy principles are implemented.
  • The lack of operationalized security & privacy principles can lead to compliance deficiencies with many statutory, regulatory and contractual obligations.
  • NIST 800-160 is the "gold standard" on how to build security into the System Development Life Cycle (SDLC)
• The concept of “secure engineering” is mandatory in numerous statutory, regulatory and contractual requirements.
• The SPBD provides a “paint by numbers” approach to ensure your company has evidence of both due care and due diligence for operationalizing security and privacy principles.
• The CIRP is based on numerous frameworks, but the core principles are based on NIST 800-160 and the Generally Accepted Privacy Principles (GAPP) which are the de facto standards on security and privacy design principles.

What Problem Does The SPBD Solve?

• Lack of In House Security Experience - Writing cybersecurity & privacy documentation is a skill that most cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive procedure documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The SPBD is an efficient method to obtain comprehensive guidance documentation to implement cybersecurity and privacy principles within your organization!
• Compliance Requirements - EU GDPR requires companies that store, process or transmit the personal information of EU citizens to ensure that both cybersecurity and privacy principles are built into processes by default. Can you prove how cybersecurity & privacy principles are implemented?
• Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The SPBD provide mapping to leading security and privacy frameworks to show you exactly what is required to both stay secure and compliant.   
• Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies, standards and procedures. With EU GDPR, vendors and other partners will be expected to demonstrate evidence of compliance with the EU GDPR.

How Does The SPBD Solve It?

• Clear Documentation - The SPBD provides a comprehensive approach to operationalizing both cybersecurity and privacy principles. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
• Time Savings - The SPBD can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific cybersecurity and privacy needs. 
• Alignment With Leading Practices - The SPBD is written to support leading cybersecurity and privacy frameworks!   

Reducing Risk Through Cybersecurity For Privacy by Design (C4P)

The Security & Privacy By Design (SPBD) document supports your company’s existing policies and standards. Our solution is focused at the procedural and guideline levels. The SPBD document is focused on understanding risk associated with cybersecurity and privacy so that risk can be:

• Reduced;
• Avoided;
• Transferred; or 
• Accepted.

 Implementing both Security by Design (SbD) and Privacy by Design (PbD) principles is a systematic way to find and address weaknesses, flaws and risks to your company.

• Repeatable, methodical processes that seek out both security and privacy risk reduces the chance of surprises. 
• Addressing security issues in an orderly manner gives your company a better assurance that gaps have been closed properly and as quickly as possible.

Work Smarter! Leverage Common Touch Points Between Cybersecurity & Privacy

Systems security engineering delivers systems deemed adequately secure by stakeholders. The fundamental relationships among assets, an asset-dependent interpretation of loss, and the corresponding loss consequences are central to any discussion of system security. 

This is where aligning your company’s Security by Design (SbD) efforts with the Risk Management Framework (RMF) (e.g., NIST 800-37) can be very beneficial, since the RMF provides a well-established format to securely engineer and maintain systems throughout the entire life cycle of the asset. Utilizing common linkages, Privacy by Design (PbD) is incorporated into the RMF cycle.

Paint By Numbers - Cybersecurity & Privacy Requirements

What we've done is take on the heavy lifting to integrate security and privacy controls into standard project management processes. This allows your teams to have a "paint by numbers" approach to demonstrating that both cybersecurity and privacy principles are baked into the process! We identified the stages where both cybersecurity and privacy requirements are expected as part of project development. This can enable your teams to work more effectively together and reduce the negative effect of teams working in silos. 

All too often, when projects are commenced, involvement from key stakeholders is siloed, as compared to operating as a cohesive team. We want to help your company avoid the following security & privacy pitfalls where:

• Project / application teams work in a vacuum, unaware of security or privacy concerns;
• Privacy and security conduct their own assessments without any information sharing or collaboration; and
• Security involvement is viewed as a final hurdle to overcome, just prior to “go live” for the project.

 The SPBD Excel checklists provide a wealth of experience to bake in security and privacy principles by establishing methodical and repeatable processes. 

• Logically-organized phases 
• Task focus (How tasks support the lifecycle phases)
• Task #
• Activity Description
• Reasonable Task Deliverables
• Mapping to leading practices:
• NIST 800-160
• NIST 800-53
• ISO 27002
• OASIS PMRM
• Level of Effort (expectation for basics or enhanced requirements)
• Stakeholder RACI Matrix (Responsible, Accountable, Consulted, Informed)

In addition to logically organizing steps, we went the extra mile by calling out the deliverables expected and tied it to task #:  

• Proposed solution is documented that captures security-relevant criteria and tentative requirements.
• Listing of applicable statutory, regulatory and contractual requirements are defined.
• Business & technical constraints are identified and documented.
• Data classification is identified.
• System criticality is identified.
• Data protection requirements are defined (e.g., controls) based on docuemented data classification and system criticality.
• "Best practices" are defined to be used in the design & implementation of systems, applications and services (e.g., OWASP, NIST, DISA STIGs, etc.).
• System hardening baselines (e.g., configuration management requirements) are defined and documented.
• Security Concept of Operations (CONOPS) are defined and documented.
• is defined and documented.
• Standardized Operating Procedures (SOP) are documented.
• Service Level Agreement(s) (SLAs) are defined and documented
• Tentative life cycle is identified.
• Roles and responsibilities for security requirements are assigned and documented.
• Risk Assessment is conducted and a Risk Register (RR) is used to document findings.
• Business Impact Analysis (BIA) is conducted and documented.
• Privacy Impact Assessment (PIA) is conducted or modified.
• Project stakeholder list is defined and documented (strategic personnel, business units and third parties).
• Threat assessment is conducted and documented.
• List of constraints (facts & assumptions) is defined.
• Listing of expected systems and services that will be required to support the proposed solution is defined.
• System Security Plan (SSP) is documented or modified.
• Change Control Board (CCB) change request(s).
• High Level Diagram (HLD) is documented.
• Low Level Diagram (LLD) is documented.
• Data Flow Diagram (DFD) is documented.
• Plan of Action & Milestones (POA&M) is documented or modified.
• End user training material is developed.
• Security awareness training is provided.
• Information Assurance (IA) testing (certification &accreditation) is commenced.
• Key Performance Indicators (KPIs) are identified.
• Authorization is granted (e.g., Authority To Operate (ATO) , Interim Authority To Operate (IATO) or Denied Authority To Operate (DATO)).
• User Acceptance Testing (UAT) is conducted and documented.

Understanding Privacy & Security Starts With Defining Requirements

Understanding the requirements for both Security by Design (SbD) and Privacy by Design (PbD) principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations to right-size the approach, since every organization is unique:

Applicable best practices based on your company’s industry. Cloud security Operational Technology (OT) & Internet of Things (IoT) Statutory obligations (e.g., state, federal and international laws) FTC Act (prohibition on unfair business practices) Family Educational Rights and Privacy Act (FERPA) Children's Online Privacy Protection Act (COPPA) State ID theft laws (e.g., MA 201 CMR 17) Regulatory obligations (e.g., regulatory bodies or governmental agencies) EU General Data Protection Regulation (EU GDPR) NY Department of Financial Services (23 NYCRR 500) FISMA / DIACAP / DIARMF Contractual obligations (e.g., vendor agreements) DFARS / FAR Privacy Shield PCI DSS

Data-Centric Security (DCS) = Defense-In-Depth Approach To Security

Thinking in terms of data, or information, it is your company’s most valuable asset. Therefore, being "data-centric" is how we approach our defense-in-depth concept. When you look at the diagram below, if you envision data protection as a set of concentric rings, at the center of the protection is your data.

Zone-Based Approach To Secure Engineering

From a secure engineering and architecture perspective, it is worthwhile to take a zone-based approach to scoping an environment for secure systems engineering. This effort is meant to focus on particular systems of interest, while taking into account the systems elements and enabling systems that compose the system of interest. This supports the concept of Data-Centric Security (DCS), since the focus encompasses everything that either stores, processes or transmits the data in question, as well as the supporting infrastructure and services.

From this perspective, assets can be logically grouped into three (3) overlapping zones: