Software Security and Privacy by Design Guidelines
This guideline provides practical, step-by-step guidance for embedding security and privacy principles into software development. It aims to ensure that government software systems are secure, resilient, and protect personal data throughout their entire lifecycle.
Introduction
Objectives
This guideline aims to provide clear, actionable instructions to embed security and privacy into ...
Scope
What this guideline covers
This guideline applies to all software systems developed, acquired, d...
Target Audience, Roles and Responsibilities
Key roles include: Management: Approve security and privacy deliverables and ensure resourcing...
List of Abbreviations
RISA: Rwanda Information Society Authority
GoR: Government of Rwanda
PbD: Privacy by Design
...
Core Principles
Combine the foundational Privacy by Design (PbD) principles with Security-by-Design objectives in...
Minimum Security and Privacy Controls
Data minimization and purpose limitation, collect only what is necessary. Strong encryption fo...
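The following is an added illustration of the data minimization and purpose limitation control, written for this page; it is not code from the guideline or from any GoR system. It shows the usual way the control is enforced in practice: each processing purpose has an explicit allowlist of fields, everything else is dropped before storage, and a direct identifier that must be retained for matching is replaced by a keyed pseudonym (HMAC-SHA256) rather than stored in clear. The purpose names, field names, sample record and key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample record, as a service might receive it from an intake form.
# The values are invented for this example.
SAMPLE_RECORD = {
    "national_id": "1199012345678901",
    "full_name": "Example Citizen",
    "phone": "+250700000000",
    "email": "citizen@example.invalid",
    "mother_maiden_name": "Example",
    "district": "Gasabo",
    "service_requested": "birth_certificate",
}

# Purpose-bound allowlists (hypothetical purposes). A field that is not listed
# for a purpose is never stored for that purpose, whatever the form collected.
PURPOSE_ALLOWLIST = {
    "issue_certificate": {"national_id", "full_name", "district", "service_requested"},
    "usage_statistics": {"district", "service_requested"},
}

# Direct identifiers that may be kept only in pseudonymized form.
PSEUDONYMIZE = {"national_id"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym.

    Stable for a given key, so records can still be matched, but not
    reversible and not brute-forceable without the key (unlike a plain hash
    of a low-entropy identifier). The key must live in a secrets store and be
    rotated under the same controls as an encryption key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(record: dict, purpose: str, key: bytes) -> dict:
    """Return only the fields the stated purpose needs, pseudonymizing identifiers."""
    if purpose not in PURPOSE_ALLOWLIST:
        # Refuse to process for an undeclared purpose rather than default to "keep all".
        raise ValueError(f"unknown processing purpose: {purpose}")
    allowed = PURPOSE_ALLOWLIST[purpose]
    out = {}
    for name, value in record.items():
        if name not in allowed:
            continue  # drop: not necessary for this purpose
        out[name] = pseudonymize(value, key) if name in PSEUDONYMIZE else value
    return out


def dropped_fields(record: dict, purpose: str) -> list:
    """Fields the intake collected that this purpose does not justify keeping."""
    return sorted(set(record) - PURPOSE_ALLOWLIST[purpose])


if __name__ == "__main__":
    key = b"constructed-demo-key-replace-with-managed-secret"
    print(minimize(SAMPLE_RECORD, "issue_certificate", key))
    print("dropped:", dropped_fields(SAMPLE_RECORD, "issue_certificate"))
```

In a real service the allowlist table is the artifact to review against the privacy impact assessment: a field that appears in no purpose's allowlist should not be collected at all, and a new purpose that needs an additional field is a change that goes back through the assessment.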
Software development lifecycle step-by-step guidance
Below are phase-by-phase actions, mandatory deliverables and practical checklists to guide implem...
Initiation
Goal: Establish security and privacy expectations and identify risks before design work begins. ...
Requirements and acquisition
Goal: Ensure requirements include explicit privacy and security criteria. Define functional, p...
Architecture and design
Goal: Design an architecture that enforces privacy and security by construction. Produce secur...
Development
Goal: Implement secure, privacy-aware code and configurations. Adopt secure coding standards (...
Testing
Goal: Verify security and privacy controls work as intended. Create a security test plan cover...
Deployment
Goal: Deploy securely with correct configurations, access controls and monitoring in place. Ap...
Operations and Maintenance
Goal: Sustain security and privacy posture throughout operations. Maintain a schedule for vuln...
Upgrade / Decommission
Goal: Safely retire or replace systems while preserving required records and preventing data leak...
Security Incident Management
Key steps: Prepare: maintain an incident response plan with roles, communication trees, and es...
Awareness, Training and Best Practices
Provide role-specific training and general awareness sessions. Topics should include: Data p...
Compliance, Audit and Continuous Improvement
Schedule regular audits, internal and external assessments, and maintain documented evidence for ...
References
Law No 058/2021 Relating to the Protection of Personal Data and Privacy.
Shifting the Balance ...