The following post is a contribution by Brian Dean of SecureState, a global management consulting firm focused on information security. At SecureState, Brian is Manager of Audit & Compliance; he works within SecureState’s Audit & Compliance Team as Practice Manager, ensuring value and accuracy.
Interpreting development specs is challenging enough, but writing code without analyzing the regulatory business ramifications rarely ends well. Typically the process assumes that your business leaders and partners understand the regulatory environment and its impact on application functionality, and that they can successfully articulate the requirements to the development team. But often the message is muddled because of a lack of understanding. So put on your red cape (blue tights optional) and read some compliance strategies to take your career to the next level.
Start with a new paradigm: development teams offering secure coding options, privacy requirements, and sufficient detail to obtain executive buy-in. In recent years, we have seen development work outsourced. Now more than ever, adding value beyond sitting behind your keyboard churning out lines of code can provide you with upward mobility and, more importantly, job security. Outsourced developers often lack the business acumen and understanding of the organization’s core business model to provide this insight. Investing a little time to determine the laws and regulations that apply, industry best practices, and consumer expectations differentiates your skill set in an increasingly commoditized industry. To jump-start this process, continue reading for a pragmatic approach to building privacy and security methodologies into your code development process and application build, differentiating yourself, and doing the right thing for consumers who trust you with their sensitive data.
Complying with numerous federal laws, international and domestic, plus state law, industry standards, and contractual obligations can be difficult. Unlike the European Union and other countries with robust privacy laws, the U.S. lacks a single regulatory framework for securing consumer data. Filling the void, albeit insufficiently, is a patchwork of industry-specific regulatory requirements, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) standards, Sarbanes-Oxley (SOX), etc. Adopting development practices that adhere to a single framework is often challenging for developers, who typically do not have, nor want, a legal or compliance background. Using a generic framework such as the Generally Accepted Privacy Principles (GAPP) will position your code well for compliance with numerous regulations, but a more focused regulatory approach may be needed based on risk.
Recall the old Project Management 101 three-legged stool: scope, resources, and schedule? If you add scope (e.g., secure coding requirements), it will consume more resources and/or take more time to code and test. You need to show how this improves risk posture and customer experience, reduces cost of ownership, and/or better positions you for regulatory compliance. Articulating this message will ideally result in buy-in and career advancement. Developers who can think beyond just writing code move beyond the commoditized developers. Add value and increase your value!
Crafting “guiding principles” from the applicable laws, or generically from GAPP, can begin the process. Small wins will reinforce the return on investment (ROI) and compliance posture argument discussed above under executive buy-in. For example, question why an application accesses an entire table instead of just the needed records, and better yet only the required fields within those specific records. Introducing these concepts during a maintenance release gets the project management team and business owner thinking, and leads the discussion along the lines of industry-relevant privacy concerns.
Network diagrams are a great start for documenting data flows and where data is stored, but they need to include business logic: who has access to the data, is that access role-based, and can the data be downloaded, printed, etc.? A brief whiteboard session can identify and uncover downstream data stores with weak or missing controls. The development team can then make risk-based decisions to include additional controls for these data stores.
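As an added example (not code from the original post), here is the over-broad access pattern questioned above beside a minimized, role-based alternative that answers the "is the data access role-based" question: an in-memory SQLite table of constructed sample records, a hypothetical role-to-field allowlist, and a query that returns one record with only the fields that role needs.

```python
import sqlite3

# Constructed sample data: one customer table that mixes contact details
# with sensitive fields (SSN, full card number). Values are made up.
SAMPLE_ROWS = [
    (1, "Ann Lee", "ann@example.com", "123-45-6789", "4111111111111111"),
    (2, "Bob Roy", "bob@example.com", "987-65-4321", "5500000000000004"),
    (3, "Cy Tan", "cy@example.com", "111-22-3333", "340000000000009"),
]

# Hypothetical role-to-field allowlist (an assumption for illustration):
# each role sees only the fields its business function requires.
ROLE_FIELDS = {
    "support": ["id", "name", "email"],
    "billing": ["id", "name", "card_last4"],
}


def build_db():
    """Create the constructed customer table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, "
                 "name TEXT, email TEXT, ssn TEXT, card TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_everything(conn=None):
    """The over-broad pattern the post questions: every record, every field."""
    conn = conn or build_db()
    return conn.execute("SELECT * FROM customer").fetchall()


def fetch_for_role(role, customer_id, conn=None):
    """Minimized pattern: one record, only the fields allowlisted for the role.

    Raises KeyError for a role with no allowlist (deny by default).
    """
    conn = conn or build_db()
    fields = ROLE_FIELDS[role]
    # Derive card_last4 inside the query so the full card number never
    # reaches the application layer at all.
    select = ["substr(card, -4) AS card_last4" if f == "card_last4" else f
              for f in fields]
    # Column names come only from the fixed allowlist, never from user
    # input; the customer id is bound as a parameter, not interpolated.
    sql = f"SELECT {', '.join(select)} FROM customer WHERE id = ?"
    row = conn.execute(sql, (customer_id,)).fetchone()
    return dict(zip(fields, row)) if row else None
```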
Privacy by design and security by design have in the past been considered niceties, but given the number of breaches each year that are published in mainstream and social media, the cost of those breaches, and the regulatory scrutiny, they are now becoming development requirements. A data breach can result in penalties, public castigation, and even legal action (e.g., when data you are contractually required to protect is breached). If the business owners are not driving this change, the development team can and should be the voice of reason. So if your application creates, accesses, processes, or transmits sensitive consumer information, consider privacy by design. It is good for business, a good career move, and more importantly good for the consumer – we are all consumers.
Sample List of Regulations/Industry Best Practice Frameworks
| Regulation / Framework | Requirements | Applies to |
|---|---|---|
| EU Directive | Adopt 7 principles for data emanating from the 27 EU countries: notice, purpose, consent, security, disclosure, access, and accountability. | 27 EU countries and partially Switzerland; only required for receiving countries not meeting adequacy requirements. |
| GAPP | Adopt 10 trust principles for personally identifiable information (PII): management, notice, choice, collection, use, access, disclosure, security, quality, and enforcement. | Businesses that wish to illustrate good citizenship regarding consumer data; not a regulatory requirement. |
| GLBA | Confidentiality and integrity of personal financial information stored by financial institutions. | Financial institutions as broadly defined by the regulation. |
| HIPAA | Confidentiality, integrity, and availability of health care information. | Healthcare providers, health insurance, healthcare clearing houses, and any service provider receiving PHI. |
| PCI | Protecting credit-card holder data (CHD). | Merchants and service providers who store, process, or transmit CHD. |
| Sarbanes-Oxley | Adopt guiding principles for certain systems: confidentiality, integrity, availability, access controls, auditing and logging, change management. | Financial data for material business systems of publicly traded corporations. |
Join SecureState’s Brian Dean, CIPP, QSA and Privacy Officer, as he discusses how developers can effectively manage applicable regulations throughout the development process.
During this webinar Brian will discuss: