So I took the formal corporate policy and translated it into Security and Privacy Guidelines. They form a manifest of sorts and fit on one page. In essence, they are the 'spiritual' guidelines with which you can enhance the security and privacy of the work you do.
This has led to the following hierarchy in documentation, including the primary target audience of each level.
| Document | Nature | Primary target audience |
|---|---|---|
| Policy | Governance | Senior Management, Legal, Compliance, and Auditors |
| Guidelines | Manifest | Business and IT |
| Standards | Non-technical | Business and IT |
If you have any feedback whatsoever, please let me know!
Development Security Guidelines
- Build a positive security model
- Build to fail securely
- Build to not trust infrastructure
- Build to not trust endpoint input and services
- Build for ergonomics and usability
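To make the first, second and fourth of these guidelines concrete, here is an added example (my own illustration, not part of the one-page manifest or the corporate policy it was derived from). It puts a denylist-based validator next to a positive (allowlist) one, and an authorization check that silently falls through to "allowed" next to one that fails securely. The sample usernames and the in-memory `lookup_roles` stand-in for a policy service are constructed for the example; the post names no such service or format.

```python
import re

# Constructed sample input (not from the original post): benign names plus a few
# hostile ones that a denylist is likely to miss.
SAMPLE_USERNAMES = [
    "alice",
    "bob_42",
    "../etc/passwd",
    "..\\windows\\system32",
    "alice; DROP TABLE users",
    "x" * 65,
]

# Negative model: enumerate what is bad. Anything not on the list is accepted,
# so an attacker only needs one variant the author did not think of.
DENYLIST = [";", "--", "../", "<script"]

def is_valid_username_denylist(name: str) -> bool:
    return not any(bad in name for bad in DENYLIST)

# Positive model: state exactly what is acceptable and reject everything else.
# Here: lowercase letter first, then 2 to 31 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def is_valid_username_allowlist(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None

class PolicyServiceError(Exception):
    """Raised when the (hypothetical) policy service cannot answer."""

def lookup_roles(user: str) -> set:
    # Hypothetical stand-in for a remote identity/policy service. Unknown users make
    # it raise, which is how an outage or a bad response would surface in practice.
    table = {"alice": {"admin"}, "bob_42": {"reader"}}
    if user not in table:
        raise PolicyServiceError("policy service unavailable for %r" % user)
    return table[user]

def authorize_insecure(user: str, required_role: str) -> bool:
    # Anti-pattern: the error is swallowed and the request falls through to 'allowed'.
    allowed = True
    try:
        allowed = required_role in lookup_roles(user)
    except PolicyServiceError:
        pass
    return allowed

def authorize_fail_secure(user: str, required_role: str) -> bool:
    # Default deny: only an explicit positive answer grants access; any failure denies.
    try:
        return required_role in lookup_roles(user)
    except PolicyServiceError:
        return False

def handle_request(user: str, required_role: str) -> bool:
    """Apply the guidelines together: allowlist the input, then authorize fail-secure."""
    if not is_valid_username_allowlist(user):
        return False
    return authorize_fail_secure(user, required_role)

if __name__ == "__main__":
    for name in SAMPLE_USERNAMES:
        print("%-28r denylist=%-5s allowlist=%s" % (
            name, is_valid_username_denylist(name), is_valid_username_allowlist(name)))
    print("unknown user, insecure:   ", authorize_insecure("mallory", "admin"))
    print("unknown user, fail-secure:", authorize_fail_secure("mallory", "admin"))
```

Running it shows the gap between the two models: the denylist lets the backslash traversal and the 65-character name through because neither contains a listed token, while the allowlist rejects both without ever having heard of them. The authorization pair shows the second guideline: when the dependency fails, `authorize_insecure` grants access to an unknown user and `authorize_fail_secure` does not.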
Technology Security Guidelines
- Open Design and Security by Design
- Defense in Depth and Ubiquitous Security
- Safe defaults and Hardening
- Patch and Life Cycle Management
Information Security Guidelines
- Only collect with consent
- Only collect for purpose
- Destroy after use
- Only enrich within purpose
- Designate Data Ownership