|Cybersecurity & Data Privacy by Design (C|P) Principles
|Cybersecurity & Data Privacy Governance
|Execute a documented, risk-based program that supports business objectives while encompassing appropriate cybersecurity and data privacy principles that addresses applicable statutory, regulatory and contractual obligations.
|Artificial and Autonomous Technology
|Ensure trustworthy and resilient Artificial Intelligence (AI) and autonomous technologies to achieve a beneficial impact by informing, advising or simplifying tasks, while minimizing emergent properties or unintended consequences.
|Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset’s location.
|Business Continuity & Disaster Recovery
|Maintain a resilient capability to sustain business-critical functions while successfully responding to and recovering from incidents through well-documented and exercised processes.
|Capacity & Performance Planning
|Govern the current and future capacities and performance of technology assets.
|Manage change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.
|Govern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization’s own internal cybersecurity and privacy controls.
|Oversee the execution of cybersecurity and data privacy controls to ensure appropriate evidence required due care and due diligence exists to meet compliance with applicable statutory, regulatory and contractual obligations.
|Enforce secure configurations for systems, applications and services according to vendor-recommended and industry-recognized secure practices.
|Maintain situational awareness of cybersecurity-related events through the centralized collection and analysis of event logs from systems, applications and services.
|Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive/regulated data both at rest and in transit.
|Data Classification & Handling
|Enforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can
|Provide additional scrutiny to reduce the risks associated with embedded technology, based on the potential damages posed from malicious use of the technology.
|Harden endpoint devices to protect against reasonable threats to those devices and the data those devices store, transmit and process.
|Human Resources Security
|Execute sound hiring practices and ongoing personnel management to cultivate a cybersecurity and privacy-minded workforce.
|Identification & Authentication
|Enforce the concept of “least privilege” consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability.
|Maintain a viable incident response capability that trains personnel on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with a documented Incident Response Plan (IRP).
|Execute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity and privacy controls, prior to a system, application or service being used in a production environment.
|Proactively maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties.
|Mobile Device Management
|Implement measures to restrict mobile device connectivity with critical infrastructure and sensitive/regulated data that limit the attack surface and potential data exposure from mobile device usage.
|Architect and implement a secure and resilient defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services.
|Physical & Environmental Security
|Protect physical environments through layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage.
|Align data privacy practices with industry-recognized data privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services.
|Project & Resource Management
|Operationalize a viable strategy to achieve cybersecurity & privacy objectives that establishes cybersecurity as a key stakeholder within project management practices to ensure the delivery of resilient and secure solutions.
|Proactively identify, assess, prioritize and remediate risk through alignment with industry-recognized risk management principles to ensure risk decisions adhere to the organization's risk threshold.
|Secure Engineering & Architecture
|Utilize industry-recognized secure engineering and architecture principles to deliver secure and resilient systems, applications and services.
|Execute the delivery of cybersecurity and privacy operations to provide quality services and secure systems, applications and services that meet the organization's business needs.
|Security Awareness & Training
|Foster a cybersecurity and privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.
|Technology Development & Acquisition
|Develop and test systems, applications or services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design weaknesses.
|Execute Supply Chain Risk Management (SCRM) practices so that only trustworthy third-parties are used for products and/or service delivery.
|Proactively identify and assess technology-related threats, to both assets and business processes, to determine the applicable risk and necessary corrective action.
|Vulnerability & Patch Management
|Leverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience systems, applications and services against evolving and sophisticated attack vectors.
|Ensure the security and resilience of Internet-facing technologies through secure configuration management practices and monitoring for anomalous activity.