Cybersecurity For Privacy By Design (C4P)
Security & Privacy By Design - Program Level Privacy & Security Documentation
With the European Union General Data Protection Regulation (EU GDPR) on the near horizon in 2018, companies doing business with citizens of the European Union have an obligation to demonstrate they implement both Security by Design (SbD) and Privacy by Design (PbD). Unfortunately, most businesses lack the knowledge and experience to undertake such documentation efforts. That means businesses are forced either to outsource the work to expensive consultants or to ignore the requirement and hope they do not get in trouble for being non-compliant. Neither situation is a good place to be. The good news is that ComplianceForge developed a viable cybersecurity and privacy program that is based on NIST 800-160 guidance for security by design and OASIS guidance for privacy by design.
The SPBD can serve as a foundational element in your organization's privacy program. It can stand alone or be paired with other specialized products we offer.
Cybersecurity and privacy do not need to be hard. The Security & Privacy By Design (SPBD) document is meant to simplify how security and privacy can be operationalized in a “paint by numbers” approach. This product is comprised of editable Microsoft Word and Excel documentation so you can customize it for your specific needs.
Please keep in mind that security & privacy engineering principles are widely expected activities:
- European Union General Data Protection Regulation (EU GDPR)
- NIST 800-53
- NIST Cybersecurity Framework
- ISO 27002
- Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012 (NIST 800-171)
- Federal Acquisition Regulations (FAR) 52.204-21 - 4
- National Industrial Security Program Operating Manual (NISPOM)
- New York State Department of Financial Services (DFS)
- Payment Card Industry Data Security Standard (PCI DSS)
- Center for Internet Security Critical Security Controls (CIS CSC)
- Generally Accepted Privacy Principles (GAPP)
What Is The Security & Privacy by Design (SPBD)?
Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The SPBD comes in both editable Microsoft Word and Excel formats. The SPBD is capable of scaling for any sized company.
- The SPBD is an editable Microsoft Word document that provides program-level guidance that directly supports your company's policies and standards for ensuring secure engineering and privacy principles are operationalized.
- This product addresses the “how?” questions for how your company ensures both security and privacy principles are operationalized.
- It is a reality that most companies have either weak or non-existent guidance on how security or privacy principles are implemented.
- The lack of operationalized security & privacy principles can lead to compliance deficiencies with many statutory, regulatory and contractual obligations.
- NIST 800-160 is the "gold standard" on how to build security into the System Development Life Cycle (SDLC).
- The concept of “secure engineering” is mandatory in numerous statutory, regulatory and contractual requirements.
- The SPBD provides a “paint by numbers” approach to ensure your company has evidence of both due care and due diligence for operationalizing security and privacy principles.
- The SPBD is based on numerous frameworks, but the core principles are based on NIST 800-160 and the Generally Accepted Privacy Principles (GAPP), which are the de facto standards on security and privacy design principles.
What Problem Does The SPBD Solve?
- Lack of In House Security Experience - Writing cybersecurity & privacy documentation is a skill that most cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers to write comprehensive procedure documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The SPBD is an efficient method to obtain comprehensive guidance documentation to implement cybersecurity and privacy principles within your organization!
- Compliance Requirements - EU GDPR requires companies that store, process or transmit the personal information of EU citizens to ensure that both cybersecurity and privacy principles are built into processes by default. Can you prove how cybersecurity & privacy principles are implemented?
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The SPBD provides mappings to leading security and privacy frameworks to show you exactly what is required to stay both secure and compliant.
- Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies, standards and procedures. With EU GDPR, vendors and other partners will be expected to demonstrate evidence of compliance with the EU GDPR.
How Does the SPBD Solve It?
- Clear Documentation - The SPBD provides a comprehensive approach to operationalizing both cybersecurity and privacy principles. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - The SPBD can provide your organization with a templated solution that requires minimal resources to fine tune for your organization's specific cybersecurity and privacy needs.
- Alignment With Leading Practices - The SPBD is written to support leading cybersecurity and privacy frameworks!
Product Example - Security & Privacy By Design (SPBD)
Our customers choose the Security & Privacy by Design (SPBD) because they:
- Have a need for comprehensive cybersecurity procedures to address their compliance needs
- Need to be able to edit the document to their specific technology, staffing and other considerations
- Have documentation that is directly linked to NIST 800-53, NIST 800-171 and other documentation
- Need an affordable and timely solution to address not having procedures
Don't take our word for it - take a look at the example below to see for yourself the level of professionalism and detail that went into it.
Cost Savings Estimate - Security & Privacy By Design (SPBD)
The process of writing cybersecurity policies and standards can take an internal team many months, and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Hiring a consultant also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.
When you look at the costs associated with either hiring a consultant to write cybersecurity procedures for you or tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Purchasing the SPBD offers these clear advantages:
- Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars!
- Compared to writing your own cybersecurity and privacy documentation, you can potentially save hundreds of man-hours and the associated cost of lost productivity!
- Orders are usually processed the same business day so you get your SPBD quickly!
When you factor in approximately 160+ hours of a cybersecurity consultant and the internal staff time to perform reviews and refinements with key stakeholders, purchasing an SPBD from ComplianceForge is approximately 7% ($59,500+ savings) of the cost as compared to hiring a consultant to write it for you!
When you factor in 280+ hours of internal staff time to research, write and peer review cybersecurity documentation, purchasing an SPBD from ComplianceForge is approximately 11% ($35,000+ savings) of the cost as compared to writing your own documentation!
Professionally-Written, Editable NIST 800-160 & OASIS PMRM-Based Cybersecurity For Privacy by Design (C4P) Program
The Security & Privacy By Design (SPBD) product is designed to support your company’s existing policies and standards. Our solution is focused at the procedural and guideline levels.
Reducing Risk Through Cybersecurity For Privacy by Design (C4P)
The Security & Privacy By Design (SPBD) document supports your company’s existing policies and standards. Our solution is focused at the procedural and guideline levels. The SPBD document is focused on understanding risk associated with cybersecurity and privacy so that risk can be:
- Transferred; or
Implementing both Security by Design (SbD) and Privacy by Design (PbD) principles is a systematic way to find and address weaknesses, flaws and risks to your company.
- Repeatable, methodical processes that seek out both security and privacy risk reduce the chance of surprises.
- Addressing security issues in an orderly manner gives your company a better assurance that gaps have been closed properly and as quickly as possible.
Work Smarter! Leverage Common Touch Points Between Cybersecurity & Privacy
Systems security engineering delivers systems deemed adequately secure by stakeholders. The fundamental relationships among assets, an asset-dependent interpretation of loss, and the corresponding loss consequences are central to any discussion of system security.
This is where aligning your company’s Security by Design (SbD) efforts with the Risk Management Framework (RMF) (e.g., NIST 800-37) can be very beneficial, since the RMF provides a well-established format to securely engineer and maintain systems throughout the entire life cycle of the asset. Utilizing common linkages, Privacy by Design (PbD) is incorporated into the RMF cycle.
Paint By Numbers - Cybersecurity & Privacy Requirements
What we've done is take on the heavy lifting to integrate security and privacy controls into standard project management processes. This allows your teams to have a "paint by numbers" approach to demonstrating that both cybersecurity and privacy principles are baked into the process! We identified the stages where both cybersecurity and privacy requirements are expected as part of project development. This can enable your teams to work more effectively together and reduce the negative effect of teams working in silos.
All too often, when projects are commenced, involvement from key stakeholders is siloed, as compared to operating as a cohesive team. We want to help your company avoid the following security & privacy pitfalls where:
- Project / application teams work in a vacuum, unaware of security or privacy concerns;
- Privacy and security conduct their own assessments without any information sharing or collaboration; and
- Security involvement is viewed as a final hurdle to overcome, just prior to “go live” for the project.
The SPBD Excel checklists provide a wealth of experience to bake in security and privacy principles by establishing methodical and repeatable processes.
- Logically-organized phases
- Task focus (How tasks support the lifecycle phases)
- Task #
- Activity Description
- Reasonable Task Deliverables
- Mapping to leading practices:
  - NIST 800-160
  - NIST 800-53
  - ISO 27002
  - OASIS PMRM
- Level of Effort (expectation for basics or enhanced requirements)
- Stakeholder RACI Matrix (Responsible, Accountable, Consulted, Informed)
In addition to logically organizing steps, we went the extra mile by calling out the deliverables expected and tying each to its task #:
- Proposed solution is documented that captures security-relevant criteria and tentative requirements.
- Listing of applicable statutory, regulatory and contractual requirements are defined.
- Business & technical constraints are identified and documented.
- Data classification is identified.
- System criticality is identified.
- Data protection requirements are defined (e.g., controls) based on documented data classification and system criticality.
- "Best practices" are defined to be used in the design & implementation of systems, applications and services (e.g., OWASP, NIST, DISA STIGs, etc.).
- System hardening baselines (e.g., configuration management requirements) are defined and documented.
- Security Concept of Operations (CONOPS) are defined and documented.
- is defined and documented.
- Standardized Operating Procedures (SOP) are documented.
- Service Level Agreement(s) (SLAs) are defined and documented.
- Tentative life cycle is identified.
- Roles and responsibilities for security requirements are assigned and documented.
- Risk Assessment is conducted and a Risk Register (RR) is used to document findings.
- Business Impact Analysis (BIA) is conducted and documented.
- Privacy Impact Assessment (PIA) is conducted or modified.
- Project stakeholder list is defined and documented (strategic personnel, business units and third parties).
- Threat assessment is conducted and documented.
- List of constraints (facts & assumptions) is defined.
- Listing of expected systems and services that will be required to support the proposed solution is defined.
- System Security Plan (SSP) is documented or modified.
- Change Control Board (CCB) change request(s).
- High Level Diagram (HLD) is documented.
- Low Level Diagram (LLD) is documented.
- Data Flow Diagram (DFD) is documented.
- Plan of Action & Milestones (POA&M) is documented or modified.
- End user training material is developed.
- Security awareness training is provided.
- Information Assurance (IA) testing (certification & accreditation) is commenced.
- Key Performance Indicators (KPIs) are identified.
- Authorization is granted (e.g., Authority To Operate (ATO), Interim Authority To Operate (IATO) or Denied Authority To Operate (DATO)).
- User Acceptance Testing (UAT) is conducted and documented.
Understanding Privacy & Security Starts With Defining Requirements
Understanding the requirements for both Security by Design (SbD) and Privacy by Design (PbD) principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations to right-size the approach, since every organization is unique:
- Applicable best practices based on your company’s industry.
  - Cloud security
  - Operational Technology (OT) & Internet of Things (IoT)
- Statutory obligations (e.g., state, federal and international laws)
  - FTC Act (prohibition on unfair business practices)
  - Family Educational Rights and Privacy Act (FERPA)
  - Children's Online Privacy Protection Act (COPPA)
  - State ID theft laws (e.g., MA 201 CMR 17)
- Regulatory obligations (e.g., regulatory bodies or governmental agencies)
  - EU General Data Protection Regulation (EU GDPR)
  - NY Department of Financial Services (23 NYCRR 500)
  - FISMA / DIACAP / DIARMF
- Contractual obligations (e.g., vendor agreements)
  - DFARS / FAR
  - Privacy Shield
  - PCI DSS
Security by Design (SbD) requirements come from numerous sources. In this context, the most important are:
- International Organization for Standardization (ISO)
- National Institute for Standards & Technology (NIST)
- US Government (HIPAA & FedRAMP)
- Information Systems Audit and Control Association (ISACA)
- Cloud Security Alliance (CSA)
- Center for Internet Security (CIS)
- Open Web Application Security Project (OWASP)
Privacy by Design (PbD) requirements come from numerous sources. In this context, the most important are:
- Fair Information Practice Principles (FIPPs)
- European Union (EU) General Data Protection Regulation (GDPR)
- Organization for the Advancement of Structured Information Standards (OASIS)
- International Organization for Standardization (ISO)
- National Institute for Standards & Technology (NIST)
- Information Systems Audit and Control Association (ISACA)
- US Government (HIPAA & FTC Act)
Data-Centric Security (DCS) = Defense-In-Depth Approach To Security
Data, or information, is your company’s most valuable asset. Therefore, being "data-centric" is how we approach our defense-in-depth concept. When you look at the diagram below, if you envision data protection as a set of concentric rings, at the center of the protection is your data.
Zone-Based Approach To Secure Engineering
From a secure engineering and architecture perspective, it is worthwhile to take a zone-based approach to scoping an environment for secure systems engineering. This effort is meant to focus on particular systems of interest, while taking into account the systems elements and enabling systems that compose the system of interest. This supports the concept of Data-Centric Security (DCS), since the focus encompasses everything that either stores, processes or transmits the data in question, as well as the supporting infrastructure and services.
From this perspective, assets can be logically grouped into three (3) overlapping zones:
Zone 1 – The asset is a system of interest;
Zone 2 – The asset exists within the immediate operating environment of a system of interest; or
Zone 3 – The asset exists outside of the operating environment but influences the system of interest.
Methodical Approach To Privacy By Design (PbD)
The OASIS Privacy Management Reference Model and Methodology (PMRM) is a privacy framework that assists in operationalizing Privacy by Design. The PMRM identifies eight (8) privacy services that are needed to operate at a functional level. These services are meant to clarify the “architectural” relationships and can be logically grouped into three (3) categories: core policy services, privacy assurance services, and presentation & lifecycle services.
The Security & Privacy By Design (SPBD) includes an editable checklist for PMRM controls. This is tied to the security controls, so it is easy to link both cybersecurity and privacy requirements. This allows for a more cohesive assessment and encourages information sharing. The end product is a more comprehensive assessment of risk to both privacy and security.
Which Product Is Right For You?
Our documentation is meant to address your requirements from strategic concepts all the way down to the day-to-day deliverables you need to demonstrate compliance with common statutory, regulatory and contractual obligations. We offer up to 40% discounts on our documentation bundles, so please be aware that you can benefit from significant savings by bundling the documentation you need. You can see the available bundles here.
We are here to help make comprehensive cybersecurity documentation as easy and as affordable as possible. We serve businesses of all sizes, from the Fortune 500 all the way down to small businesses, since our cybersecurity documentation products are designed to scale for organizations of any size or level of complexity. Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!