Security & Privacy By Design
With the European Union General Data Protection Regulation (EU GDPR) effective in mid-2018 and the California Consumer Privacy Act (CCPA) on the near-horizon for 2020, companies have an obligation to demonstrate they implement both Security by Design (SbD) and Privacy by Design (PbD). Unfortunately, most businesses lack the knowledge and experience to undertake such documentation efforts. That means businesses are faced to either outsource the work to expensive consultants or they ignore the requirement and hope they do not get in trouble for being non-compliant with this compliance requirement. In either situation, it is not a good place to be. The good news is that ComplianceForge developed a viable cybersecurity and privacy program that is based on NIST 800-160 guidance for security by design and OASIS for privacy by design.
Professionally-Written, Editable NIST 800-160 & OASIS PMRM-Based Cybersecurity For Privacy by Design (C4P) Program
The Security & Privacy By Design (SPBD) product is designed to support your company’s existing policies and standards. Our solution is focused at the procedural and guideline levels, where it straddles the territory between an organization's centrally-managed policies/standards and its decentralized, stakeholder-executed procedures. The SPBD serves as expert-level guidance that is meant to run a specific capability or function within an organization's cybersecurity department to help communicate user needs and system characteristics to developers, integrators, sponsors, funding decision makers and other stakeholders.
Product Example - Security & Privacy By Design (SPBD)
The SPBD addresses program-level guidance on HOW to actually manage cybersecurity and privacy principles, so that secure processes are designed and implemented by default. Policies & standards are absolutely necessary to an organization, but they fail to describe HOW privacy and security principles are actually planned and managed. The SPBD provides this middle ground between high-level policies and the actual procedures of how developers, PMs, system integrators and system admins do their jobs to design, implement and maintain technology solutions.
|Watch Our Product Walkthrough Video||View Product Example|
Example SPBD Mapping
Cost Savings Estimate - Security & Privacy By Design (SPBD)
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the SPBD from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
- For your internal staff to generate comparable documentation, it would take them an estimated 310 internal staff work hours, which equates to a cost of approximately $23,000 in staff-related expenses. This is about 4-8 months of development time where your staff would be diverted from other work.
- If you hire a consultant to generate this documentation, it would take them an estimated 200 consultant work hours, which equates to a cost of approximately $60,000. This is about 3-4 months of development time for a contractor to provide you with the deliverable.
- The SPBD is approximately 6% of the cost for a consultant or 15% of the cost of your internal staff to generate equivalent documentation.
- We process most orders the same business day so you can potentially start working with the SPBD the same day you place your order.
The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.
Cybersecurity & Privacy By Design - Program Level Privacy & Security Documentation
The SPBD can serve as a foundational element in your organization's privacy program. It can stand alone or be paired with other specialized products we offer.
Cybersecurity and privacy do not need to be hard. The Security & Privacy By Design (SPBD) document is meant to simplify how security and privacy can be operationalized in a “paint by numbers” approach. This product is comprised of editable Microsoft Word and Excel documentation so you can customize it for your specific needs.
Please keep in mind that security & privacy engineering principles are widely expected activities:
What Is The Security & Privacy by Design (SPBD)?
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The SPBD comes in both editable Microsoft Word and Excel formats. The SPBD is capable of scaling for any sized company.
- The SPBD is an editable Microsoft Word document that providers program-level guidance to directly supports your company's policies and standards for ensuring secure engineering and privacy principles are operationalized.
- This product addresses the “how?” questions for how your company ensures both security and privacy principles are operationalized.
- It is a reality that most companies have either weak or non-existent guidance on how security or privacy principles are implemented.
- The lack of operationalized security & privacy principles can lead to compliance deficiencies with many statutory, regulatory and contractual obligations.
- NIST 800-160 is the "gold standard" on how to build security into the System Development Life Cycle (SDLC)
- The concept of “secure engineering” is mandatory in numerous statutory, regulatory and contractual requirements.
- The SPBD provides a “paint by numbers” approach to ensure your company has evidence of both due care and due diligence for operationalizing security and privacy principles.
- The CIRP is based on numerous frameworks, but the core principles are based on NIST 800-160 and the Generally Accepted Privacy Principles (GAPP) which are the de facto standards on security and privacy design principles.
What Problem Does The SPBD Solve?
- Lack of In House Security Experience - Writing cybersecurity & privacy documentation is a skill that most cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive procedure documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The SPBD is an efficient method to obtain comprehensive guidance documentation to implement cybersecurity and privacy principles within your organization!
- Compliance Requirements - EU GDPR requires companies that store, process or transmit the personal information of EU citizens to ensure that both cybersecurity and privacy principles are built into processes by default. Can you prove how cybersecurity & privacy principles are implemented?
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The SPBD provide mapping to leading security and privacy frameworks to show you exactly what is required to both stay secure and compliant.
- Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies, standards and procedures. With EU GDPR, vendors and other partners will be expected to demonstrate evidence of compliance with the EU GDPR.
How Does The SPBD Solve It?
- Clear Documentation - The SPBD provides a comprehensive approach to operationalizing both cybersecurity and privacy principles. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - The SPBD can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific cybersecurity and privacy needs.
- Alignment With Leading Practices - The SPBD is written to support leading cybersecurity and privacy frameworks!
Reducing Risk Through Cybersecurity For Privacy by Design (C4P)
The Security & Privacy By Design (SPBD) document supports your company’s existing policies and standards. Our solution is focused at the procedural and guideline levels. The SPBD document is focused on understanding risk associated with cybersecurity and privacy so that risk can be:
- Transferred; or
Implementing both Security by Design (SbD) and Privacy by Design (PbD) principles is a systematic way to find and address weaknesses, flaws and risks to your company.
- Repeatable, methodical processes that seek out both security and privacy risk reduces the chance of surprises.
- Addressing security issues in an orderly manner gives your company a better assurance that gaps have been closed properly and as quickly as possible.
Work Smarter! Leverage Common Touch Points Between Cybersecurity & Privacy
Systems security engineering delivers systems deemed adequately secure by stakeholders. The fundamental relationships among assets, an asset-dependent interpretation of loss, and the corresponding loss consequences are central to any discussion of system security.
This is where aligning your company’s Security by Design (SbD) efforts with the Risk Management Framework (RMF) (e.g., NIST 800-37) can be very beneficial, since the RMF provides a well-established format to securely engineer and maintain systems throughout the entire life cycle of the asset. Utilizing common linkages, Privacy by Design (PbD) is incorporated into the RMF cycle.
Paint By Numbers - Cybersecurity & Privacy Requirements
What we've done is take on the heavy lifting to integrate security and privacy controls into standard project management processes. This allows your teams to have a "paint by numbers" approach to demonstrating that both cybersecurity and privacy principles are baked into the process! We identified the stages where both cybersecurity and privacy requirements are expected as part of project development. This can enable your teams to work more effectively together and reduce the negative effect of teams working in silos.
All too often, when projects are commenced, involvement from key stakeholders is siloed, as compared to operating as a cohesive team. We want to help your company avoid the following security & privacy pitfalls where:
- Project / application teams work in a vacuum, unaware of security or privacy concerns;
- Privacy and security conduct their own assessments without any information sharing or collaboration; and
- Security involvement is viewed as a final hurdle to overcome, just prior to “go live” for the project.
The SPBD Excel checklists provide a wealth of experience to bake in security and privacy principles by establishing methodical and repeatable processes.
- Logically-organized phases
- Task focus (How tasks support the lifecycle phases)
- Task #
- Activity Description
- Reasonable Task Deliverables
- Mapping to leading practices:
- NIST 800-160
- NIST 800-53
- ISO 27002
- OASIS PMRM
- Level of Effort (expectation for basics or enhanced requirements)
- Stakeholder RACI Matrix (Responsible, Accountable, Consulted, Informed)
In addition to logically organizing steps, we went the extra mile by calling out the deliverables expected and tied it to task #:
- Proposed solution is documented that captures security-relevant criteria and tentative requirements.
- Listing of applicable statutory, regulatory and contractual requirements are defined.
- Business & technical constraints are identified and documented.
- Data classification is identified.
- System criticality is identified.
- Data protection requirements are defined (e.g., controls) based on docuemented data classification and system criticality.
- "Best practices" are defined to be used in the design & implementation of systems, applications and services (e.g., OWASP, NIST, DISA STIGs, etc.).
- System hardening baselines (e.g., configuration management requirements) are defined and documented.
- Security Concept of Operations (CONOPS) are defined and documented.
- is defined and documented.
- Standardized Operating Procedures (SOP) are documented.
- Service Level Agreement(s) (SLAs) are defined and documented
- Tentative life cycle is identified.
- Roles and responsibilities for security requirements are assigned and documented.
- Risk Assessment is conducted and a Risk Register (RR) is used to document findings.
- Business Impact Analysis (BIA) is conducted and documented.
- Privacy Impact Assessment (PIA) is conducted or modified.
- Project stakeholder list is defined and documented (strategic personnel, business units and third parties).
- Threat assessment is conducted and documented.
- List of constraints (facts & assumptions) is defined.
- Listing of expected systems and services that will be required to support the proposed solution is defined.
- System Security Plan (SSP) is documented or modified.
- Change Control Board (CCB) change request(s).
- High Level Diagram (HLD) is documented.
- Low Level Diagram (LLD) is documented.
- Data Flow Diagram (DFD) is documented.
- Plan of Action & Milestones (POA&M) is documented or modified.
- End user training material is developed.
- Security awareness training is provided.
- Information Assurance (IA) testing (certification &accreditation) is commenced.
- Key Performance Indicators (KPIs) are identified.
- Authorization is granted (e.g., Authority To Operate (ATO) , Interim Authority To Operate (IATO) or Denied Authority To Operate (DATO)).
- User Acceptance Testing (UAT) is conducted and documented.
Understanding Privacy & Security Starts With Defining Requirements
Understanding the requirements for both Security by Design (SbD) and Privacy by Design (PbD) principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations to right-size the approach, since every organization is unique:
Security by Design (SbD)
Privacy by Design (PbD)
Security by Design (SbD) requirements come from numerous sources. In this context, the most important are:
Privacy by Design (PbD) requirements come from numerous sources. In this context, the most important are:
Data-Centric Security (DCS) = Defense-In-Depth Approach To Security
Thinking in terms of data, or information, it is your company’s most valuable asset. Therefore, being "data-centric" is how we approach our defense-in-depth concept. When you look at the diagram below, if you envision data protection as a set of concentric rings, at the center of the protection is your data.
Zone-Based Approach To Secure Engineering
From a secure engineering and architecture perspective, it is worthwhile to take a zone-based approach to scoping an environment for secure systems engineering. This effort is meant to focus on particular systems of interest, while taking into account the systems elements and enabling systems that compose the system of interest. This supports the concept of Data-Centric Security (DCS), since the focus encompasses everything that either stores, processes or transmits the data in question, as well as the supporting infrastructure and services.
From this perspective, assets can be logically grouped into three (3) overlapping zones:
Zone 1 – The asset is a system of interest;
Zone 2 – The asset exists within the immediate operating environment of a system of interest; or
Zone 3 – The asset exists outside of the operating environment but influences the system of interest.
Methodical Approach To Privacy By Design (PbD)
The OASIS Privacy Management Reference Model and Methodology (PMRM) is a privacy framework that assists in operationalizing Privacy by Design. Thee PMRM identifies eight (8) privacy services that are needed to operate at a functional level. These services are meant to clarify the “architectural” relationships and can be logically grouped into three (3) categories: Core policy services, Privacy assurance services; and Presentation & lifecycle services.
The Security & Privacy By Design (SPBD) includes an editable checklist for PMRM controls. This is tied to the security controls, so it is easy to link both cybersecurity and privacy requirements. This allows for a more cohesive assessment and encourages information sharing. The end product is a more comprehensive assessment of risk to both privacy and security.