SSE ch 6
CS 3154 - Secure Software Engineering
Lecture 06 - Dr. Mohammad Nauman
Join slack: https://recluze.net/slack-effat
Privacy
Definition: Data privacy is the ability of individuals to control their personal information.
Understanding Regulatory Compliance
Purpose of Compliance:
Ensures software meets legal and security standards.
Protects users’ rights and data privacy.
Reduces legal and financial risks.
Involves both technical and organizational measures.
Importance of Compliance
Benefits:
Builds user trust and brand reputation.
Helps avoid penalties and lawsuits.
Encourages secure development practices.
Supports international data exchange.
Key Data Protection Regulations
Overview of Regulations:
GDPR:
Full Name: General Data Protection Regulation.
Region: European Union regulation for personal data protection.
HIPAA:
Full Name: Health Insurance Portability and Accountability Act.
Region: United States law for health information security.
Other Standards:
PCI DSS (Payment Card Industry Data Security Standard).
ISO 27001 (International Standard for Information Security Management).
Each regulation targets specific data domains.
GDPR – Core Principles
Core Principles Include:
Lawfulness, fairness, and transparency in data processing.
Purpose limitation and data minimization.
Accuracy: keep personal data correct and up to date.
Storage limitation: keep data no longer than the purpose requires.
Integrity and confidentiality (security), and accountability (being able to demonstrate compliance).
GDPR Compliance
Steps to Comply with GDPR:
Understand the GDPR principles.
Implement data protection measures.
Conduct a data audit on processing activities.
Define data privacy policies and update as necessary.
Obtain consent where necessary.
Appoint a data protection officer (DPO) if necessary.
Review contracts with third-party vendors.
Create a breach response plan.
Ensure data subject rights are maintained.
Conduct regular training and awareness programs.
Monitor compliance and update processes.
GDPR – Developer Responsibilities
Responsibilities Include:
Collect only the necessary data.
Ensure consent is obtained and properly recorded.
Provide options for data access and deletion.
Protect data in transit and at rest.
HIPAA Overview
Purpose:
Protects Protected Health Information (PHI).
Applies to covered entities (healthcare providers, health plans, clearinghouses) and the business associates that handle PHI for them.
Defines:
Administrative safeguards.
Physical safeguards.
Technical safeguards.
Requires breach notification and documentation.
HIPAA Compliance
Steps to Achieve HIPAA Compliance:
Determine which HIPAA rules apply to your organization.
Appoint a security officer.
Conduct an audit on PHI.
Ensure awareness of the HIPAA security rule.
Determine breach notification obligations (affected individuals, HHS, and the media for breaches affecting more than 500 individuals), plus any State Attorney General requirements.
Appoint a privacy officer.
Clarify what constitutes PHI.
Minimize and simplify PHI.
Create measures to report data breaches.
Keep up to date on HIPAA changes.
Secure Handling of Sensitive Data
Best Practices:
Classify data according to sensitivity levels.
Encrypt sensitive data both in storage and during transmission.
Limit access to sensitive data using the principle of least privilege.
Regularly review and rotate access credentials.
Data Retention and Disposal Policies
Key Policies Include:
Retain data only for as long as necessary.
Define automatic deletion mechanisms for data.
Securely erase or anonymize data that is no longer needed.
Document retention schedules for different types of data.
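The developer responsibilities for GDPR above (collect only what is needed, record consent, serve access and deletion requests) and the retention and disposal policies just listed are easier to reason about in code than in prose. The following is an added example written for these notes, not code from the lecture: a minimal personal-data store with a documented retention schedule. The category names, field sets, retention periods, pseudonymisation key and the sample subject are all assumptions chosen for the demo.

```python
"""Added example, not from the lecture: a small personal-data store applying the
GDPR developer duties above (collect only needed fields, record consent, serve
access and erasure requests) plus a documented retention schedule that deletes or
pseudonymises expired records automatically. All names and periods are assumed."""
import hashlib
import hmac
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Retention schedule kept in code so it is documented and reviewable. "delete"
# removes the record; "pseudonymise" keeps it (e.g. invoices that must be retained
# under accounting law) but strips the identity. Periods are assumed.
RETENTION_SCHEDULE = {
    "account":   {"days": 730,  "action": "delete"},
    "order":     {"days": 2555, "action": "pseudonymise"},
    "analytics": {"days": 90,   "action": "delete"},
}
# Data minimisation: the only fields each category may hold.
ALLOWED_FIELDS = {"account": {"email", "display_name"},
                  "order": {"email", "amount", "country"},
                  "analytics": {"email", "page"}}
CONSENT_REQUIRED = {"analytics"}   # categories that need explicit, recorded consent
# Pseudonymised data stays personal data while this key exists; destroy it to anonymise.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"

Record = namedtuple("Record", "subject category data created")  # subject = e-mail


def pseudonymise(rec):
    """Replace the identity with a keyed hash and drop direct identifiers."""
    token = hmac.new(PSEUDONYM_KEY, rec.subject.encode(), hashlib.sha256).hexdigest()[:16]
    return Record("pseud:" + token, rec.category,
                  {k: v for k, v in rec.data.items() if k != "email"}, rec.created)


class PersonalDataStore:
    def __init__(self, clock):
        self.clock = clock          # injectable clock so runs are deterministic
        self.records, self.consents = [], []

    def record_consent(self, subject, purpose, policy_version):
        # Keep what was agreed, when, and to which notice text: proof of consent.
        self.consents.append({"subject": subject, "purpose": purpose,
                              "at": self.clock, "policy_version": policy_version})

    def store(self, subject, category, data):
        extra = set(data) - ALLOWED_FIELDS[category]
        if extra:               # refuse fields this purpose does not need
            raise ValueError(f"{category}: unneeded fields {sorted(extra)}")
        if category in CONSENT_REQUIRED and not any(
                c["subject"] == subject and c["purpose"] == category for c in self.consents):
            raise PermissionError(f"{category}: no recorded consent for {subject}")
        self.records.append(Record(subject, category, dict(data), self.clock))

    def export_for_subject(self, subject):
        """Right of access: everything held about one person, machine-readable."""
        return {"records": [r._asdict() for r in self.records if r.subject == subject],
                "consents": [c for c in self.consents if c["subject"] == subject]}

    def erase_subject(self, subject):
        """Right to erasure; records under a retention duty are pseudonymised instead."""
        mine = [r for r in self.records if r.subject == subject]
        self.records = [r for r in self.records if r.subject != subject] + [
            pseudonymise(r) for r in mine
            if RETENTION_SCHEDULE[r.category]["action"] == "pseudonymise"]
        self.consents = [c for c in self.consents if c["subject"] != subject]
        return len(mine)

    def purge_expired(self):
        """Automatic retention enforcement, meant to run from a scheduled job."""
        counts, kept = {"deleted": 0, "pseudonymised": 0}, []
        for r in self.records:
            rule = RETENTION_SCHEDULE[r.category]
            if r.subject.startswith("pseud:") or \
                    self.clock - r.created < timedelta(days=rule["days"]):
                kept.append(r)          # not expired (or already pseudonymised)
            elif rule["action"] == "delete":
                counts["deleted"] += 1
            else:
                kept.append(pseudonymise(r))
                counts["pseudonymised"] += 1
        self.records = kept
        return counts


def run_demo():
    t0, ann, out = datetime(2025, 1, 1, tzinfo=timezone.utc), "ann@example.com", {}
    db = PersonalDataStore(clock=t0)
    try:
        db.store(ann, "account", {"email": ann, "display_name": "Ann", "phone": "555-0100"})
    except ValueError:
        out["rejected_extra_field"] = True
    try:
        db.store(ann, "analytics", {"email": ann, "page": "/home"})
    except PermissionError:
        out["rejected_without_consent"] = True
    db.store(ann, "account", {"email": ann, "display_name": "Ann"})
    db.store(ann, "order", {"email": ann, "amount": 42, "country": "DE"})
    db.record_consent(ann, "analytics", "privacy-notice-v3")
    db.store(ann, "analytics", {"email": ann, "page": "/home"})
    out["records_after_collection"] = len(db.export_for_subject(ann)["records"])
    db.clock = t0 + timedelta(days=100)       # the 90-day analytics record has expired
    out["purge"] = db.purge_expired()
    out["erased"] = db.erase_subject(ann)     # account deleted, order pseudonymised
    out["order_has_email"] = any("email" in r.data for r in db.records)
    return out
```

Two design points carry over to real systems: the retention schedule lives next to the code that enforces it, so an auditor can read both together, and the pseudonymisation key is treated as the sensitive asset, because the records only become anonymous once that key is destroyed.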
Ensuring Compliance Through SDLC
Compliance Integration in SDLC:
Integrate compliance checks into every phase of the Software Development Life Cycle (SDLC).
Use checklists for regulatory requirements to ensure all aspects are covered.
Conduct privacy impact assessments in the early stages of development.
Review compliance during design and release phases.
IT Compliance
6 Steps to Ensure IT Compliance:
Identify all requirements to follow.
Conduct an internal compliance audit.
Reflect requirements in documentation.
Cover missing requirements.
Monitor compliance-related changes continually.
Leverage compliance management tools for efficiency.
Proactive vs. Reactive Compliance
Focus on Compliance Types:
Proactive compliance: involves anticipating regulatory needs and instilling best practices.
Reactive compliance: responding to issues and changes after they arise.
Documentation and Audit Trails
Best Practices for Documentation:
Maintain detailed logs of all system changes.
Record all user access and data handling activities.
Store audit logs in a secure manner and review them periodically.
Utilize immutable storage solutions where feasible, such as WORM (Write Once, Read Many) storage, so that logs cannot be altered or deleted once written.
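An audit trail is only evidence if it can be shown not to have been altered. The block below is an added example for these notes, not code from the lecture: an append-only log whose entries are chained with HMAC-SHA256, so an edited, reordered or removed entry breaks verification, and whose latest MAC can be checkpointed to immutable (WORM) storage to catch removal of the newest entries. The key, the event names and the sample entries are constructed for the demo.

```python
"""Added example, not from the lecture: an append-only audit log whose entries are
chained with HMAC-SHA256, so any later edit, reordering or deletion is detected on
verification. Truncating the tail is only caught if the latest MAC was checkpointed
somewhere immutable (e.g. WORM storage), which is what run_demo() simulates. The key
and events are constructed for the demo."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

LOG_KEY = b"constructed-demo-audit-key"   # keep in a KMS/HSM in production
GENESIS = "0" * 64                        # "previous MAC" of the first entry


def _mac(key, entry):
    # Canonical JSON so verification hashes exactly the bytes that were signed.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key=LOG_KEY):
        self.key, self.entries = key, []

    def append(self, actor, action, target, **details):
        """Record who did what to which object; each entry commits to the previous one."""
        entry = {"seq": len(self.entries),
                 "ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "target": target,
                 "details": details,
                 "prev": self.entries[-1]["mac"] if self.entries else GENESIS}
        entry["mac"] = _mac(self.key, entry)
        self.entries.append(entry)
        return entry

    def checkpoint(self):
        """Latest MAC; write it to WORM storage so truncation can be detected."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq). Edits, reorders and gaps break the chain;
        a trusted checkpoint additionally catches removal of the newest entries."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e["seq"] != i or body["prev"] != prev:
                return False, i
            if not hmac.compare_digest(_mac(self.key, body), e["mac"]):
                return False, i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def run_demo():
    """Constructed events for a health-records app, then two tampering attempts."""
    log = AuditLog()
    log.append("alice", "read", "patient/1042", purpose="treatment")
    log.append("bob", "export", "patient/1042", rows=1)
    log.append("alice", "delete", "patient/1042")
    head = log.checkpoint()                        # as if stored on WORM media
    out = {"clean": log.verify(head)}
    log.entries[1]["actor"] = "alice"              # insider rewrites who exported
    out["edited"] = log.verify(head)
    log.entries[1]["actor"] = "bob"
    removed = log.entries.pop()                    # newest entry deleted
    out["truncated_no_checkpoint"] = log.verify()
    out["truncated_with_checkpoint"] = log.verify(head)
    log.entries.append(removed)
    return out
```

The chain alone cannot tell that the newest entries were dropped, which is why the checkpoint (or shipping the log itself to WORM media) matters: whoever can rewrite the log must not also be able to rewrite the checkpoint.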
Compliance Audits and Assessments
Strategies:
Perform regular internal and external audits to assess compliance status.
Identify any gaps present and establish corrective actions based on findings.
Verify adherence to relevant legal and policy requirements consistently.
Document all findings, as well as any improvement plans.
Common Compliance Challenges
Challenges Include:
Ambiguity in regulations that may overlap.
Integrating compliance seamlessly into agile workflows.
Balancing user usability with privacy concerns.
Keeping up with the continual changes in laws affecting compliance.
Tools and Frameworks for Compliance
Types of Tools Include:
Data classification and encryption tools for protecting sensitive information.
Automated compliance checkers that simplify the auditing process.
Secure logging and audit software to maintain extensive records.
Compliance management systems (CMS) designed to manage ongoing compliance efforts.
Linking Compliance to Security Goals
Important Connections:
Security vs Compliance:
Compliance complements security but does not replace it.
Laws define minimum requirements for compliance.
Secure design and practices ensure ongoing protection of data and systems.
The aim of both is to safeguard users and organizations.
Compliance and Security
Differences Between Compliance and Security:
Compliance is influenced by regulatory bodies, industry standards, and customer requirements.
Security is influenced by the evolving landscape of security threats.
Compliance focuses more on protecting the reputation of the company.
Security focuses more on safeguarding the assets of a company.
Compliance is a periodic effort, whereas security requires constant vigilance and improvement.
Non-compliance leads to payment of fines and penalties, while inadequate security leads to cyberattacks and data breaches.
Okay, imagine we're going on a grand adventure into the world of keeping computer stuff safe and fair! Think of us as super-detectives making sure everyone's digital secrets are safe.
Our Adventure: Super Safe Software!
This is like our special class, CS 3154 - Secure Software Engineering, with our guide, Dr. Mohammad Nauman. And if you want to chat with other detectives, you can join our special club on https://recluze.net/slack-effat!
What is Privacy?
Imagine you have a secret diary. Data privacy is like your ability to keep that diary locked away so only you decide who gets to read your super-secret thoughts. It's about you being the boss of your own personal information, like your name, address, or what games you like to play.
Following the Rules: Understanding Regulatory Compliance
Sometimes, in big games, there are rules that everyone has to follow to make sure it's fair and safe. That's what Regulatory Compliance is!
Why do we have these rules?
They make sure computer programs (software) are built super strong and safe, like a perfectly built LEGO castle.
They protect your special privacy rights and make sure your data (your information) is handled carefully.
Following them helps companies avoid getting into trouble, like paying big fines or getting sued, which is like getting a penalty in a game.
It's not just about the technical stuff (the computer code), but also about how people and teams organize themselves to follow the rules.
Why is Following These Rules So Important?
It's like having a good reputation!
When companies follow the rules, people trust them more, like trusting a friend who always plays fair. This builds a good brand reputation.
It helps companies avoid penalties and lawsuits (getting in trouble).
It makes sure that everyone building software thinks about security from the very beginning, like building a strong foundation for a house.
It even helps different countries share information safely, like exchanging secret messages across borders without anyone peeking!
The Big Rulebooks: Key Data Protection Regulations
There are different rulebooks for different kinds of information and different places. Think of them as special instruction manuals:
Our Main Rulebooks:
GDPR (General Data Protection Regulation): This is the super-important rulebook for anyone who handles the personal data of people in the European Union, no matter where the company itself lives. It's all about keeping personal data (your name, what you like, etc.) super safe.
HIPAA (Health Insurance Portability and Accountability Act): This is the special rulebook in the United States for anything to do with your health information, like doctor's visits or medicines. It keeps your PHI (Protected Health Information) secret.
Other Special Instruction Manuals:
PCI DSS (Payment Card Industry Data Security Standard): This one has rules for keeping your credit card numbers safe when you buy things online.
ISO 27001 (International Standard for Information Security Management): This is like a worldwide guide for how companies should manage all their information security.
Each rulebook has special rules for a specific type of data (like health data or payment data).
GDPR – The Super-Secret Principles
The GDPR rulebook has some main ideas that are super important:
Here are the main ideas:
Be lawful, fair, and transparent! This means telling people clearly and honestly how their data is being used.
Only use data for a specific purpose (why you collected it) and only collect the minimum amount of data you need. Don't be a data hoarder!
Don't keep data forever! There's a storage limitation, meaning you should only keep it as long as necessary.
Keep data accurate and up to date, keep it safe and sound (integrity, confidentiality), and always be ready to explain what you did (accountability).
How to Play by the GDPR Rules: GDPR Compliance
Here are the steps companies take to make sure they're playing by the GDPR rules:
Understand the GDPR principles: First, read and understand those main ideas we just talked about.
Implement data protection measures: Put strong locks and guards on the data.
Conduct a data audit on processing activities: Check where all the data is going and what's happening to it, like tracing a secret path.
Define data privacy policies and update as necessary: Write down clear rules for how data is handled and update them if things change.
Obtain consent where necessary: Always ask for permission (consent) before using someone's data, like asking to borrow a toy.
Appoint a data protection officer (DPO) if necessary: Sometimes, big companies need a special person, a DPO, whose job is just to make sure all the data rules are followed.
Review contracts with third-party vendors: If you work with other companies, make sure they also follow the rules.
Create a breach response plan: Have a plan ready in case data accidentally gets out, like a fire escape plan.
Ensure data subject rights are maintained: Make sure people can ask to see their data or have it deleted if they want.
Conduct regular training and awareness programs: Teach everyone how to follow the rules.
Monitor compliance and update processes: Keep checking all the time and make changes if needed.
What Programmers Do for GDPR: Developer Responsibilities
If you're a programmer building software, here’s what you need to do for GDPR:
Collect only the necessary data: Only gather the info you absolutely need for your app to work, nothing extra.
Ensure consent is obtained and properly recorded: Make sure people said yes to you using their data and write it down somewhere, just in case.
Provide options for data access and deletion: Give people a button or a way to see their data or make it disappear forever.
Protect data in transit and at rest: Keep data safe when it's moving from one place to another (like sending an email) and when it's just sitting in storage (like a file on your computer).
All About HIPAA: HIPAA Overview
Remember HIPAA? It's the health information rulebook!
What's its main job?
It protects Protected Health Information (PHI) – all your medical records and health secrets.
It applies to doctors, hospitals, health plans, and the other companies (business associates) that handle health data for them.
It tells them how to set up:
Administrative safeguards: These are like office rules and training for staff.
Physical safeguards: These are like locks on doors and security cameras in buildings where health data is kept.
Technical safeguards: These are like special computer passwords and encryption (code that scrambles data) to protect electronic health records.
If there's ever a data accident (a breach), HIPAA requires them to tell people and write down what happened.
How to Play by the HIPAA Rules: HIPAA Compliance
Here are the steps to make sure health data is super safe:
Determine which HIPAA rules apply to your organization: Find out which parts of the rulebook are for your specific company.
Appoint a security officer: Get a special person whose job is to keep all the data secure.
Conduct an audit on PHI: Check exactly where all the health data is and who can see it.
Ensure awareness of the HIPAA security rule: Make sure everyone knows the rules about keeping health info safe.
Determine breach notification obligations: Figure out exactly who you must tell if there's a data accident – the people affected, the government (HHS), the news for really big accidents, and sometimes the State Attorneys General too.
Appoint a privacy officer: Get another special person just for privacy rules.
Clarify what constitutes PHI: Make sure everyone understands exactly what counts as Protected Health Information.
Minimize and simplify PHI: Only collect and keep the health data you truly need.
Create measures to report data breaches: Have a clear plan for what to do if health data accidentally gets out.
Keep up to date on HIPAA changes: The rules can change, so always be in the know!
Handling Super Secret Data Safely: Secure Handling of Sensitive Data
Some data is more secret than others, like your health info or bank account. Here's how to keep it extra safe:
Best Ways to Be Safe:
Classify data according to sensitivity levels: Sort your data like you'd sort toys: some are ordinary, some are special, and some are super special!
Encrypt sensitive data both in storage and during transmission: Encrypting is like putting your data in a secret code. Do it when it's sitting on a computer and when it's moving across the internet.
Limit access to sensitive data using the principle of least privilege: Only let people see the super secret data if they absolutely need to for their job, and only let them see the minimum they need. This is like only giving the key to the treasure chest to the person who needs to open it, and not everyone.
Regularly review and rotate access credentials: Change your passwords and keys often, like changing the combination on a safe.
Keeping and Throwing Away Data: Data Retention and Disposal Policies
Just like you don't keep old broken toys forever, there are rules for data:
Important Rules:
Retain data only for as long as necessary: Only keep data for as long as you really need it, then it's time to let it go.
Define automatic deletion mechanisms for data: Set up a system where old data automatically disappears when it's no longer needed, like a self-cleaning closet!
Securely erase or anonymize data that is no longer needed: When you throw data away, make sure it's really gone forever, or change it so that no one can tell who it belongs to (anonymize).
Document retention schedules for different types of data: Write down how long you'll keep different kinds of data, like a calendar for your data.
Making Rules Part of Building Software: Ensuring Compliance Through SDLC
Building software is like building a house (Software Development Life Cycle or SDLC). You need to follow rules at every step:
Putting Rules into Every Step of Building Software:
Integrate compliance checks into every phase of the Software Development Life Cycle (SDLC): Make sure to check the rules when you're planning, designing, building, and testing your software.
Use checklists for regulatory requirements to ensure all aspects are covered: Have a checklist, like a grocery list, to make sure you don't miss any rules.
Conduct privacy impact assessments in the early stages of development: Think about privacy right at the beginning of building your software, not as an afterthought.
Review compliance during design and release phases: Check the rules again when you're drawing up your plans and right before you launch your software.
Computer Rules: IT Compliance
These are the 6 big steps to make sure all the computer systems and technology follow the rules:
Identify all requirements to follow: First, find out all the rules you need to play by.
Conduct an internal compliance audit: Do your own check-up inside your company to see if you're following the rules.
Reflect requirements in documentation: Write down how you are meeting these rules in your company's papers.
Cover missing requirements: If you find any rules you're not following, fix it!
Monitor compliance-related changes continually: Keep watching, because rules can change, and you need to keep up!
Leverage compliance management tools for efficiency: Use special computer programs to help you manage all these rules so it's easier.
Always Ahead or Catching Up? Proactive vs. Reactive Compliance
There are two main ways to think about following rules:
Two Ways to Follow Rules:
Proactive compliance: This means being smart and thinking ahead. You guess what rules might come next and start being super safe before you're told to. It's like wearing your raincoat before it starts raining.
Reactive compliance: This means waiting for a problem to happen or a rule to change, and then fixing it. It's like getting wet and then putting on your raincoat.
Keeping a Journal: Documentation and Audit Trails
It's super important to write everything down and keep good records:
Best Ways to Keep Records:
Maintain detailed logs of all system changes: Write down every single change made to a computer system, like a diary of all the adjustments.
Record all user access and data handling activities: Note down who looked at what data and when, just like a visitor's log.
Store audit logs in a secure manner and review them periodically: Keep these journals in a super safe place and read through them often to make sure nothing sneaky happened.
Utilize immutable storage solutions where feasible, such as WORM (Write Once, Read Many) storage: Use special storage where once you write something down, you can never change or delete it. Think of it like writing in stone, not on a whiteboard – WORM stands for Write Once, Read Many.
Checking for Rules: Compliance Audits and Assessments
Just like you have check-ups at the doctor, companies have check-ups for their rules:
Ways to Check:
Perform regular internal and external audits to assess compliance status: Have people inside and outside the company regularly check if you're following all the rules.
Identify any gaps present and establish corrective actions based on findings: If they find anything you're not doing right (a gap), make a plan to fix it.
Verify adherence to relevant legal and policy requirements consistently: Always double-check that you're sticking to the laws and your own company rules.
Document all findings, as well as any improvement plans: Write down everything they found and what you're going to do to make things better.
The Tricky Bits: Common Compliance Challenges
Following all these rules can be hard sometimes! Here are some tricky parts:
Hard Parts Include:
Ambiguity in regulations that may overlap: Sometimes the rules aren't super clear, or different rules might say slightly different things, which can be confusing!
Integrating compliance seamlessly into agile workflows: It's hard to fit all these rule-checking steps into fast-paced ways of working (like agile workflows, where things change quickly).
Balancing user usability with privacy concerns: Sometimes, making things super private makes them harder for people to use, so you have to find a good balance.
Keeping up with the continual changes in laws affecting compliance: The rules are always changing and updating, so it's like trying to hit a moving target!
Super Helper Tools: Tools and Frameworks for Compliance
Good news! There are special tools to help us follow all these rules!
Types of Tools to Help:
Data classification and encryption tools for protecting sensitive information: Tools that help you sort your data by how secret it is, and then put it in a secret code (encrypt it).
Automated compliance checkers that simplify the auditing process: Robots (software) that can automatically check if you're following the rules, making audits much easier.
Secure logging and audit software to maintain extensive records: Programs that keep super safe and detailed journals of everything happening.
Compliance management systems (CMS) designed to manage ongoing compliance efforts: Big, smart computer systems that help you manage all your rule-following tasks all the time.
How Rules (Compliance) and Being Safe (Security) Work Together: Linking Compliance to Security Goals
Think of compliance (following the rules) and security (keeping things safe from bad guys) as two super-friends working together for the same goal:
Important Connections Between the Friends:
Security vs Compliance: Compliance helps security, but it doesn't mean you're automatically secure just by following rules. It's like following traffic laws (compliance) helps keep you safe, but you still need to drive carefully and look out for other drivers (security).
The laws are like the minimum required rules for compliance.
Secure design and practices (building things safely from the start) are what really keep data and systems protected all the time.
Both friends have the same main goal: to safeguard users and organizations – to keep people and companies safe!
Differences Between the Super-Friends: Compliance and Security
Even though they're friends, they have different focuses:
How They Are Different:
Compliance is influenced by fancy rule-making groups, industry best practices, and what customers expect. It's about meeting external requirements.
Security is influenced by the ever-changing world of sneaky computer bad guys (threats) and new ways they try to attack.
Compliance often worries more about keeping the company's good name and reputation safe.
Security focuses more on actually protecting the company's valuable stuff (assets), like important data and systems.
Compliance is often something you check regularly, like doing a report once a year. It's a periodic effort.
Security needs constant vigilance and improvement; it's like having a superhero always on watch, ready for anything.
If you don't follow compliance, you pay big fines and penalties. It's like getting a ticket.
If your security isn't good enough, you could get cyberattacks (bad guys breaking in) and data breaches (your secrets getting out!). This is much scarier!