
Security/privacy by design and software development

In this post I will explain the concept of security/privacy by design with regards to software development, the GDPR and the PCI DSS.

Security by design in PCI DSS

In PCI DSS requirement 6.3, one of the sub-requirements states:

Develop internal and external software applications (including web-based administrative access to applications) securely, incorporating information security throughout the software-development life cycle.

Privacy by design in the GDPR

Similarly, the GDPR states in article 25:

“…the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles…”

What do the requirements mean?

What is basically implied here is: think of security first, start developing later. Both the PCI DSS and the GDPR demand that security permeate the entire SDLC – from the elicitation of requirements through to maintenance. Security measures that should be accounted for include, for example, risk analyses, secure coding practices and encryption, used to implement data-protection principles such as confidentiality, integrity and data minimisation.
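As an added example, not code from the original post, the following shows two of the technical measures named above applied at the design stage: pseudonymisation (the measure GDPR article 25 itself names) with a secret key held separately from the data, and data minimisation by keeping only the fields a downstream job needs. The record layout, field names and key handling are assumptions.

```python
"""Added example: keyed pseudonymisation plus data minimisation as
privacy-by-design measures. Record layout and key handling are assumed."""
import hmac
import hashlib
import secrets

# The key is the "additional information" that must be kept separately from
# the pseudonymised data (GDPR art. 4(5)). Here it lives only in this process;
# in a real system it belongs in a KMS/HSM, never in the application database.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Only the fields the downstream analytics job actually needs (data minimisation).
KEEP_FIELDS = ("country", "plan", "signup_month")


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a stable, keyed pseudonym for a direct identifier such as an e-mail.
    HMAC rather than a plain hash: without the key, someone holding only the
    pseudonymised table cannot recover addresses by re-hashing guesses."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise_and_pseudonymise(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Build the record that leaves the core system: the direct identifier is
    replaced by a pseudonym and only the needed fields are kept."""
    out = {"subject_id": pseudonymise(record["email"], key)}
    for field in KEEP_FIELDS:
        if field in record:
            out[field] = record[field]
    return out


# Constructed sample record (not real personal data).
SAMPLE = {
    "email": "Anna.Example@example.com",
    "full_name": "Anna Example",
    "country": "SE",
    "plan": "premium",
    "signup_month": "2018-05",
}

if __name__ == "__main__":
    print(minimise_and_pseudonymise(SAMPLE))
```

The same input always maps to the same pseudonym under one key, so records stay linkable for processing, while a different key (or no key) gives no way back to the e-mail address.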

A very common business practice today is to not incorporate security throughout the SDLC. Businesses want their applications to reach the market as fast as possible, ahead of the competition. Making an application secure takes time; therefore, security is added after the product hits the market, through patches or add-ons, as vulnerabilities are discovered. This will no longer be acceptable for organisations wishing to process personal data: security is not an add-on.
