Develop systems, products, and business practices based upon a principle of security by design and industry best practices.
Data protection and privacy consideration must be included by default at the design stage and throughout the product development lifecycle. In addition, design documentation should clearly describe how data is protected.
- Examine whether the organization's policy, standards, and procedures create a framework which fosters a culture and expectation of “security through design.” Determine whether this content addresses the directive of the organization's culture and whether practices reflect security through design.
- Examine whether the organization's governance framework, documents, controls, and metrics satisfy the organization and if its sub-processors comply with this requirement. Establish whether the organization has documented the roles and responsibilities involved.
- Review the organization's data breaches log, the security incidents log, and project change failure records for examples where this requirement was not followed correctly. Further, confirm that action plans were identified and carried out.
- Examine the measures that evaluate this organizational requirement and determine if the measures address implementation of process and control requirements as stipulated.
- Obtain and examine supporting documentation maintained as evidence of these metrics to determine if the office or individual responsible reviews the information and if identified issues were investigated and remediated appropriately.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.