Security by Design (SbD) & Privacy by Design (PbD) In One Cohesive Approach


Professionally-Written, Editable & Easily-Implemented NIST 800-160 & OASIS Based Security & Privacy Program

Under the EU GDPR, companies that process the personal data of people in the European Union must be able to demonstrate data protection by design and by default (Article 25) and appropriate security of processing (Article 32); in practice that means implementing both Security by Design (SbD) and Privacy by Design (PbD). Unfortunately, most businesses lack the knowledge and experience to undertake such documentation efforts, so they are left with a choice: outsource the work to expensive consultants, or ignore the requirement and hope they are never penalized for non-compliance. Neither is a good place to be. ComplianceForge.com developed a viable cybersecurity and privacy program that is based on NIST SP 800-160 guidance for security by design and on the OASIS Privacy Management Reference Model and Methodology (PMRM) for privacy by design. This document is capable of scaling for any sized company.

Cybersecurity and privacy do not need to be hard. The Security & Privacy By Design (SPBD) document is meant to simplify how security and privacy are operationalized, using a “paint by numbers” approach. The product is comprised of EDITABLE Microsoft Word and Excel documents, so you can customize it for your specific needs.


  • The main SPBD document is an editable Microsoft Word document.
  • It is written at the program level to provide direction and authority.
  • It defines how both Security by Design (SbD) and Privacy by Design (PbD) will be operationalized.
  • The SPBD comes with editable “paint by numbers” checklists for managing both the privacy and the security lifecycle.
  • The security checklists are based on NIST SP 800-160.
  • The privacy checklist is based on the OASIS Privacy Management Reference Model and Methodology (PMRM).


SPBD Cost Savings

From surveying cybersecurity professionals, we created the following chart comparing the options for companies that need a combined privacy by design and secure engineering program. When you factor in internal staff time (cybersecurity and legal staff) to perform reviews and refinements with key stakeholders, purchasing the SPBD from ComplianceForge costs approximately 10% of writing your own documentation ($35,000+ savings) and approximately 6% of hiring a consultant to write it for you ($59,500+ savings).

[Chart: estimated cost comparison for a privacy by design / C4P program (image not reproduced)]


Reducing Risk Through Cybersecurity For Privacy by Design (C4P)

The Security & Privacy By Design (SPBD) document supports your company’s existing policies and standards; the product itself operates at the procedural and guideline levels. Its focus is understanding the risks associated with cybersecurity and privacy so that each risk can be:

  • Reduced;
  • Avoided;
  • Transferred; or 
  • Accepted.

Implementing both Security by Design (SbD) and Privacy by Design (PbD) principles is a systematic way to find and address weaknesses, flaws and risks to your company.

  • Repeatable, methodical processes that seek out both security and privacy risk reduce the chance of surprises.
  • Addressing security issues in an orderly manner gives your company better assurance that gaps have been closed properly and as quickly as possible.

 

Work Smarter! Leverage Common Touch Points Between Cybersecurity & Privacy

Systems security engineering, as NIST SP 800-160 frames it, delivers systems that stakeholders deem adequately secure. The relationships among assets, an asset-dependent interpretation of loss, and the resulting loss consequences are central to any discussion of system security.

This is where aligning your company’s Security by Design (SbD) efforts with the Risk Management Framework (RMF) (e.g., NIST SP 800-37) pays off: the RMF provides a well-established lifecycle (categorize, select, implement, assess, authorize, monitor) for securely engineering and maintaining systems for the entire life of the asset. Through those common touch points, Privacy by Design (PbD) is incorporated into the same RMF cycle.

[Diagram: Security by Design mapped onto the Risk Management Framework (image not reproduced)]

Paint By Numbers - Cybersecurity & Privacy Requirements

We took on the heavy lifting of integrating security and privacy controls into standard project management processes. This gives your teams a “paint by numbers” approach to demonstrating that both cybersecurity and privacy principles are baked into the process. We identified the stages of project development where cybersecurity and privacy requirements are expected, which lets your teams work together more effectively and reduces the damage done by teams working in silos.

All too often, when a project is commenced, the involvement of key stakeholders is siloed rather than operating as a cohesive team. We want to help your company avoid the following security and privacy pitfalls:

  • Project / application teams work in a vacuum, unaware of security or privacy concerns;
  • Privacy and security conduct their own assessments without any information sharing or collaboration; and
  • Security involvement is viewed as a final hurdle to clear just prior to “go live” for the project.

[Diagram: project management phases with the cybersecurity and privacy touch points at each phase (image not reproduced)]

 

The SPBD Excel checklists capture a wealth of experience for baking in security and privacy principles by establishing methodical, repeatable processes. Each checklist row is organized by:

  • Logically-organized phases
  • Task focus (how the task supports the lifecycle phase)
  • Task #
  • Activity description
  • Reasonable task deliverables
  • Mapping to leading practices:
    • NIST SP 800-160
    • NIST SP 800-53
    • ISO 27002
    • OASIS PMRM
  • Level of effort (basic or enhanced requirements)
  • Stakeholder RACI matrix (Responsible, Accountable, Consulted, Informed)

In addition to logically organizing the steps, we call out the deliverables expected at each step and tie each one to its task number:

  • Proposed solution is documented that captures security-relevant criteria and tentative requirements.
  • Listing of applicable statutory, regulatory and contractual requirements are defined.
  • Business & technical constraints are identified and documented.
  • Data classification is identified.
  • System criticality is identified.
  • Data protection requirements (e.g., controls) are defined based on the documented data classification and system criticality.
  • "Best practices" are defined to be used in the design & implementation of systems, applications and services (e.g., OWASP, NIST, DISA STIGs, etc.).
  • System hardening baselines (e.g., configuration management requirements) are defined and documented.
  • A Security Concept of Operations (CONOPS) is defined and documented.
  • is defined and documented.
  • Standardized Operating Procedures (SOP) are documented.
  • Service Level Agreement(s) (SLAs) are defined and documented.
  • Tentative life cycle is identified.
  • Roles and responsibilities for security requirements are assigned and documented.
  • Risk Assessment is conducted and a Risk Register (RR) is used to document findings.
  • Business Impact Analysis (BIA) is conducted and documented.
  • Privacy Impact Assessment (PIA) is conducted or modified.
  • Project stakeholder list is defined and documented (strategic personnel, business units and third parties).
  • Threat assessment is conducted and documented.
  • List of constraints (facts & assumptions) is defined.
  • Listing of expected systems and services that will be required to support the proposed solution is defined.
  • System Security Plan (SSP) is documented or modified.
  • Change Control Board (CCB) change request(s).
  • High Level Diagram (HLD) is documented.
  • Low Level Diagram (LLD) is documented.
  • Data Flow Diagram (DFD) is documented.
  • Plan of Action & Milestones (POA&M) is documented or modified.
  • End user training material is developed.
  • Security awareness training is provided.
  • Information Assurance (IA) testing (certification & accreditation) is commenced.
  • Key Performance Indicators (KPIs) are identified.
  • Authorization is granted (e.g., Authority To Operate (ATO), Interim Authority To Operate (IATO) or Denied Authority To Operate (DATO)).
  • User Acceptance Testing (UAT) is conducted and documented.

Understanding Privacy & Security Starts With Defining Requirements

Understanding the requirements behind Security by Design (SbD) and Privacy by Design (PbD) principles is a simple process of distilling expectations. Documenting those reasonable expectations is what lets you right-size the approach, since every organization is unique:

  • Applicable best practices based on your company’s industry.
    • Cloud security
    • Operational Technology (OT) & Internet of Things (IoT)
  • Statutory obligations (e.g., state, federal and international laws)
    • FTC Act (prohibition on unfair business practices)
    • Family Educational Rights and Privacy Act (FERPA)
    • Children's Online Privacy Protection Act (COPPA)
    • State ID theft laws (e.g., MA 201 CMR 17)
  • Regulatory obligations (e.g., regulatory bodies or governmental agencies)
    • EU General Data Protection Regulation (EU GDPR)
    • NY Department of Financial Services (23 NYCRR 500)
    • FISMA / DIACAP / DIARMF
  • Contractual obligations (e.g., vendor agreements)
    • DFARS / FAR
    • Privacy Shield (invalidated by the Court of Justice of the EU in July 2020; EU-U.S. transfers now rely on the EU-U.S. Data Privacy Framework or standard contractual clauses)
    • PCI DSS

  


Security by Design (SbD) requirements come from numerous sources. In this context, the most important are:

  • International Organization for Standardization (ISO)
  • National Institute of Standards and Technology (NIST)
  • US Government (HIPAA & FedRAMP)
  • Information Systems Audit and Control Association (ISACA)
  • Cloud Security Alliance (CSA)
  • Center for Internet Security (CIS)
  • Open Web Application Security Project (OWASP)

Privacy by Design (PbD) requirements come from numerous sources. In this context, the most important are:

  • Fair Information Practice Principles (FIPPs)
  • European Union (EU) General Data Protection Regulation (GDPR)
  • Organization for the Advancement of Structured Information Standards (OASIS)
  • International Organization for Standardization (ISO)
  • National Institute of Standards and Technology (NIST)
  • Information Systems Audit and Control Association (ISACA)
  • US Government (HIPAA & FTC Act)

 

Data-Centric Security (DCS) = Defense-In-Depth Approach To Security

Data, or information, is your company’s most valuable asset, so being “data-centric” is how we approach defense in depth. In the diagram below, data protection is drawn as a set of concentric rings: your data sits at the center, and each surrounding layer of controls has to be defeated before the data can be reached.

[Diagram: layered (concentric-ring) defenses for cybersecurity and privacy by design, with data at the center (image not reproduced)]

 

 

Zone-Based Approach To Secure Engineering

From a secure engineering and architecture perspective, it is worthwhile to take a zone-based approach to scoping an environment for secure systems engineering. The effort focuses on a particular system of interest while taking into account the system elements and enabling systems that make it up or that it relies on. This supports the concept of Data-Centric Security (DCS), since the scope encompasses everything that stores, processes or transmits the data in question, as well as the supporting infrastructure and services.

From this perspective, assets can be logically grouped into three (3) overlapping zones:

Zone 1 – The asset is a system of interest;

Zone 2 – The asset exists within the immediate operating environment of a system of interest; or

Zone 3 – The asset exists outside of the operating environment but influences the system of interest.
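As an added example (not part of the SPBD product or of NIST SP 800-160), the Python below mechanizes this scoping from an asset inventory: the assets that store, process or transmit a dataset form zone 1; the environments those assets run in are taken as the operating environment; enabling systems reached by walking dependencies are zone 2 if they sit inside that environment and zone 3 otherwise. The inventory, its field names and the rule that defines the operating environment are assumptions made for the example, and the inventory itself is constructed. Where the page draws the zones as overlapping, the example assigns each asset to its most central zone, and it flags any dependency that has no inventory entry, since an unresolved enabling system is an inventory gap rather than something out of scope.

```python
"""Zone-based scoping of a system of interest from an asset inventory.

Added example for this page, not part of the SPBD product or NIST SP 800-160.
The inventory format, the "operating environment" rule (the environments that
zone-1 assets run in) and the dependency walk are assumptions made here.
"""
from collections import deque

# Constructed inventory (not real infrastructure). For each asset: the
# operating environment it runs in, the datasets it stores, processes or
# transmits, and the enabling systems it depends on (data flows, auth, DNS,
# vendor services). Unknown names in depends_on are reported, not ignored.
INVENTORY = {
    "web-app":       {"env": "prod-dmz",     "data": ["customer-pii"], "depends_on": ["api-gw", "cdn", "idp"]},
    "api-gw":        {"env": "prod-app",     "data": ["customer-pii"], "depends_on": ["orders-db", "idp", "dns", "log-collector"]},
    "orders-db":     {"env": "prod-app",     "data": ["customer-pii"], "depends_on": ["backup-svc", "dns"]},
    "backup-svc":    {"env": "prod-app",     "data": ["customer-pii"], "depends_on": ["object-store"]},
    "object-store":  {"env": "cloud-vendor", "data": ["customer-pii"], "depends_on": []},
    "log-collector": {"env": "prod-app",     "data": [],               "depends_on": ["siem"]},
    "siem":          {"env": "corp",         "data": [],               "depends_on": ["threat-intel-feed"]},
    "idp":           {"env": "corp",         "data": [],               "depends_on": ["hr-system"]},
    "hr-system":     {"env": "corp",         "data": [],               "depends_on": []},
    "dns":           {"env": "shared-svc",   "data": [],               "depends_on": []},
    "cdn":           {"env": "edge-vendor",  "data": [],               "depends_on": []},
    "wiki":          {"env": "corp",         "data": [],               "depends_on": ["idp"]},
}


def systems_of_interest(inventory, dataset):
    """Zone 1: every asset that stores, processes or transmits the dataset."""
    return {name for name, asset in inventory.items() if dataset in asset["data"]}


def enabling_systems(inventory, roots):
    """Walk depends_on transitively from the roots.

    Returns (reached, unresolved): reached excludes the roots themselves;
    unresolved holds dependency names with no inventory entry, which is an
    inventory gap the assessor has to close before the scope is trustworthy.
    """
    reached, unresolved = set(), set()
    seen = set(roots)
    queue = deque(roots)
    while queue:
        current = queue.popleft()
        for dep in inventory[current]["depends_on"]:
            if dep not in inventory:
                unresolved.add(dep)
            elif dep not in seen:
                seen.add(dep)
                reached.add(dep)
                queue.append(dep)
    return reached, unresolved


def scope_zones(inventory, dataset):
    """Assign each asset to its most central zone for the given dataset.

    Assumption: the operating environment is the set of environments that
    zone-1 assets run in; enabling systems inside it are zone 2, outside it
    zone 3. The page draws the zones as overlapping; this picks one per asset.
    """
    zone1 = systems_of_interest(inventory, dataset)
    if not zone1:
        raise ValueError(f"no asset in the inventory handles {dataset!r}")
    operating_env = {inventory[a]["env"] for a in zone1}
    reached, unresolved = enabling_systems(inventory, zone1)
    zone2 = {a for a in reached if inventory[a]["env"] in operating_env}
    zone3 = reached - zone2
    return {
        "operating_environment": operating_env,
        "zone1": zone1,
        "zone2": zone2,
        "zone3": zone3,
        "unresolved": unresolved,
        "out_of_scope": set(inventory) - zone1 - reached,
    }


if __name__ == "__main__":
    for key, value in scope_zones(INVENTORY, "customer-pii").items():
        print(f"{key:>21}: {sorted(value)}")
```

Running it scopes the constructed inventory for customer-pii: the five assets that handle the data form zone 1, the log collector is the only enabling system inside the operating environment (zone 2), the identity provider, HR system, DNS, CDN and SIEM are zone 3, the threat-intel feed is reported as unresolved, and the wiki is out of scope because nothing in zone 1 depends on it. Assets that merely share a network with zone 1 but carry no recorded flow do not appear at all, which is a reminder that the inventory has to record every flow and dependency for the scoping to be complete.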


[Diagram: scoping a system of interest, its operating environment and the systems that influence it (image not reproduced)]

Methodical Approach To Privacy By Design (PbD) 

The OASIS Privacy Management Reference Model and Methodology (PMRM) is a privacy framework that assists in operationalizing Privacy by Design. The PMRM identifies eight (8) privacy services that are needed to operate at a functional level. These services clarify the “architectural” relationships and are grouped into three (3) categories: core policy services (Agreement, Usage), privacy assurance services (Validation, Certification, Enforcement, Security) and presentation & lifecycle services (Interaction, Access).

[Diagram: OASIS PMRM privacy services used to operationalize Privacy by Design (image not reproduced)]

The Security & Privacy By Design (SPBD) includes an editable checklist for the PMRM controls. It is cross-referenced to the security checklist, so linking cybersecurity and privacy requirements is straightforward. This allows for a more cohesive assessment and encourages information sharing; the end product is a more comprehensive assessment of risk to both privacy and security.

 

 

 

 
