Tuesday, January 24, 2017

Building a set of Guidelines for Security and Privacy

I often get the question of what should be done in terms of security and privacy, and the pitfall is that you can either respond in too abstract terms, or in way too specific detail. When I was thinking about a security policy I noticed that people rarely read them, and I can understand that. And not everyone wants, or needs, to read specific documentation regarding the implementation of encryption.
And in any case, security rules should not lead to disabling businesses or change, but to enabling businesses. And they should be felt to be necessary to protect the business, rather than a checklist just to satisfy the auditor.

So I took the formal corporate policy and translated it into Security and Privacy Guidelines. They are a manifest of sorts and they fit on 1 page. In essence, they are the 'spiritual' guidelines with which you can enhance the security and privacy of the work you do.

This has led to the following hierarchy in documentation, including the primary target audience.

| Document   | Focus         | Target audience                                     |
|------------|---------------|-----------------------------------------------------|
| Policy     | Governance    | Senior Management, Legal, Compliance, and Auditors  |
| Guidelines | Manifest      | Business and IT                                     |
| Standards  | Non-technical | Business and IT                                     |
| Baselines  | Technical     | IT                                                  |

The guidelines are grouped under four main topics, each consisting of four to five guidelines (see below). In the upcoming posts I will focus on the guidelines I have set and of which I am kind of a missionary in my organization. I will do that one guideline per post.

If you have any feedback whatsoever, please let me know!

--

Development Security Guidelines

  1. Build a positive security model
  2. Build to fail securely
  3. Build to not trust infrastructure
  4. Build to not trust endpoint input and services
  5. Build for ergonomics and usability

Technology Security Guidelines

  1. Open Design and Security by Design
  2. Defense in Depth and Ubiquitous Security
  3. Compartmentalization
  4. Safe defaults and Hardening
  5. Patch and Life Cycle Management

Information Security Guidelines

  1. Least Privilege
  2. Segregation of Duties
  3. Complete Authorization
  4. Information Cryptography

Privacy Guidelines

  1. Only collect with consent
  2. Only collect for purpose
  3. Destroy after use
  4. Only enrich within purpose
  5. Designate Data Ownership