Software Security and Privacy by Design Guidelines

This guideline provides practical, step-by-step guidance for embedding security and privacy principles into software development. It aims to ensure that government software systems are secure, resilient, and protect personal data throughout their entire lifecycle.

Introduction

With increasing digitalization of government services, the Government of Rwanda (GoR) recognized the need for a standardized approach to software security and privacy. This guideline consolidates the principles of Privacy by Design (PbD) and Security by Design, aligning with Law No 058/2021 on Data Protection and national minimum cybersecurity standards. It was developed to promote proactive, consistent, and auditable practices across all government software projects.

Objectives

This guideline aims to provide clear, actionable instructions to embed security and privacy into software systems used by the Government of Rwanda. It seeks to:

- Ensure confidentiality, integrity, availability, and privacy of personal data throughout the software lifecycle.
- Provide standardized, auditable steps and deliverables for all phases of software development, deployment, and maintenance.
- Promote proactive identification and mitigation of security and privacy risks.
- Align software practices with Law No 058/2021 (Data Protection) and national cybersecurity standards.
- Support a consistent approach across GoR institutions, contractors, and service providers.

Intended outcomes

Following this guideline, users should be able to:

- Implement secure and privacy-aware software systems from initiation to decommission.
- Minimize risks of data breaches or unauthorized access.
- Maintain compliance with legal and regulatory requirements.
- Enhance public trust in digital government services.

Scope

What this guideline covers

This guideline applies to all software systems developed, acquired, deployed, or maintained by Government of Rwanda (GoR) institutions. It provides step-by-step instructions, controls, and best practices for embedding privacy and security throughout the software lifecycle, including:

- Software initiation, requirements gathering, architecture and design, development, testing, deployment, operations, maintenance, and decommissioning.
- Risk assessment, threat modeling, and privacy impact assessments (PIAs).
- Implementation of minimum security and privacy controls such as encryption, RBAC, multi-factor authentication, secure coding, vulnerability management, and audit logging.
- Incident management, monitoring, and compliance with Law No 058/2021 (Data Protection) and national minimum cybersecurity standards.

What this guideline does not cover

- Physical security of facilities, data centers, and offices.
- Security of personal devices (BYOD) beyond software access requirements.
- National-level cyber defense operations or military/intelligence systems.
- Vendor internal security policies unrelated to GoR systems.
- Financial, procurement, or project management procedures not related to software security and privacy.
- Non-software systems such as manual or paper-based processes.
- User behavior or content moderation on platforms. The focus is on system design and data protection.

Applicable departments and roles

- All GoR institutions developing or using software systems.
- Employees, contractors, and third-party vendors involved in software lifecycle activities.

Target Audience

Roles and Responsibilities

Key roles include:

- Management: Approve security and privacy deliverables and ensure resourcing.
- System owners: Classify data, approve risk treatment, and ensure compliance.
- Project managers: Include security tasks in plans and enforce deliverables.
- Security expert: Lead threat/risk assessments, reviews, and testing.
- Developers: Implement secure code and remediate findings.
- System administrators: Apply configurations, patching, and continuous monitoring.
- Database administrators: Secure, manage, and monitor databases to protect and maintain data.

List of Abbreviations

- RISA: Rwanda Information Society Authority
- GoR: Government of Rwanda
- PbD: Privacy by Design
- BYOD: Bring Your Own Device
- RBAC: Role-Based Access Control
- PAM: Privileged Access Management
- MFA: Multi-Factor Authentication
- OWASP: Open Worldwide Application Security Project
- CERT: Computer Emergency Response Team
- CIA: Confidentiality, Integrity and Availability
- PIA: Privacy Impact Assessment
- SAST: Static Application Security Testing
- CI/CD: Continuous Integration / Continuous Deployment
- DAST: Dynamic Application Security Testing
- IDS/IPS: Intrusion Detection System / Intrusion Prevention System
- SIEM: Security Information and Event Management
- KPIs: Key Performance Indicators
- NCSA: National Cyber Security Authority

Core Principles

Combine the foundational Privacy by Design (PbD) principles with Security-by-Design objectives into a unified set:

- Proactive and preventative: Anticipate and reduce privacy/security risks before they occur.
- Privacy and security by default: Systems must default to the most privacy-preserving and secure configuration.
- Embedded into design: Privacy and security are integral to architecture and not bolted on afterwards.
- Positive-sum functionality: Achieve privacy and security without unnecessary trade-offs to functionality.
- End-to-end lifecycle protection: Protect data across collection, storage, use, transfer, archive, and destruction.
- Visibility, transparency, and accountability: Maintain auditability, clear policies, and openness about practices.
- User-centric and respect for privacy: Provide clear notices, consent mechanisms, and user controls.
- Least privilege and segmentation: Limit access by role and segment networks/systems to reduce blast radius.
- Continuous improvement: Monitor, patch, audit, and reassess to adapt to new threats and legal updates.

Minimum Security and Privacy Controls

- Data minimization and purpose limitation: collect only what is necessary.
- Strong encryption for data at rest and in transit; use approved cryptographic standards.
- Role-Based Access Control (RBAC) and Privileged Access Management (PAM).
- Multi-Factor Authentication (MFA) for privileged and remote access.
- Secure-by-default configurations; remove or disable insecure defaults and accounts.
- Secure logging and monitoring with protected audit trails and a log retention policy.
- Secure coding standards, code reviews, and static analysis (OWASP, CERT).
- Vulnerability scanning, regular patching and timely security updates.
- Privacy-enhancing technologies: use pseudonymization and tokenization where appropriate.
- Network segmentation and least-privilege architecture.
- Data retention and secure disposal procedures such as sanitization and secure deletion.
- Documented incident response and escalation paths.
- Transparent privacy notices and user consent management.

Software development lifecycle: step-by-step guidance

Below are phase-by-phase actions, mandatory deliverables and practical checklists to guide implementation.

Initiation

Goal: Establish security and privacy expectations and identify risks before design work begins.

Actions:

- Appoint a project sponsor, system owner and security lead.
- Perform an initial Threat and Privacy Risk Assessment (documented).
- Define security and privacy objectives: confidentiality, integrity and availability (CIA), non-repudiation and legal requirements.
- Draft a Security and Privacy Plan with milestones, roles and budget for security activities.
- Require a security awareness briefing for project stakeholders.

Requirements and acquisition

Goal: Ensure requirements include explicit privacy and security criteria.

Actions:

- Define functional, privacy and security requirements.
- Include purpose limitation and data minimization requirements.
- Conduct a Privacy Impact Assessment (PIA) and update the risk register.
- Translate risks into measurable security requirements such as encryption, RBAC, logging and retention.
- For procurement: include security clauses, acceptance criteria and tender security evaluation.
- For third parties: require evidence of prior security audits and contractual data protection obligations.

Architecture and design

Goal: Design an architecture that enforces privacy and security by construction.

Actions:

- Produce security architecture diagrams showing trust boundaries, data flows and classification.
- Apply Data Flow Mapping and Data Classification (sensitive vs non-sensitive).
- Embed privacy controls: data minimization, consent capture points, and user-facing
- Specify encryption, key management, segmentation, and secure default configurations.
- Plan for logging, monitoring, and auditability (what to log, how long, who has access).
- Document fallback modes and failure behaviors to avoid privacy leaks or insecure defaults.

Development

Goal: Implement secure, privacy-aware code and configurations.

Actions:

- Adopt secure coding standards (OWASP, CERT) and include them in the definition of done.
- Use automated static analysis (SAST), dependency scanning and secret detection in CI/CD pipelines.
- Enforce strong access controls for development environments and use separate secrets management.
- Perform regular code reviews focused on security and privacy, identifying hard-coded secrets and data exposures.
- Implement privacy-enhancing techniques (pseudonymization, tokenization) where feasible.
- Maintain secure build and deployment scripts; avoid embedding credentials in code.

Testing

Goal: Verify security and privacy controls work as intended.

Actions:

- Create a security test plan covering unit, integration, system, and acceptance tests.
- Include privacy test cases validating consent, data minimization, and access controls.
- Conduct vulnerability scanning and dynamic application security testing (DAST).
- Arrange independent penetration testing for critical systems and production environments.
- Perform usability testing to ensure privacy settings and notices are clear and actionable.
- Run regression tests after patches and new features to prevent reintroducing vulnerabilities.

Deployment

Goal: Deploy securely with correct configurations, access controls and monitoring in place.

Actions:

- Apply secure configuration baselines and hardening to servers, databases and network devices.
- Enforce RBAC and configure least privilege for all accounts; set up MFA for admin accounts.
- Enable and protect audit logging; ensure log storage and retention meet policy requirements.
- Conduct a production penetration test and address critical findings before go-live.
- Publish privacy notices and provide user controls for consent and data management.
- Establish monitoring and alerting (IDS/IPS, SIEM) and define on-call incident responders.

Operations and Maintenance

Goal: Sustain the security and privacy posture throughout operations.

Actions:

- Maintain a schedule for vulnerability scanning, patch management, and configuration reviews.
- Conduct periodic privacy and security control reviews and update PIAs as needed.
- Ensure change management enforces security reviews and testing before changes are applied.
- Continue training for administrators and users; run phishing and awareness programs.
- Keep data retention schedules and securely sanitize or delete data when no longer required.
- Keep the incident response plan current and conduct tabletop exercises regularly.

Upgrade / Decommission

Goal: Safely retire or replace systems while preserving required records and preventing data leakage.

Actions:

- Plan archival or migration of records according to legal retention requirements.
- Sanitize media and verify secure deletion of sensitive data using approved methods.
- Revoke access, disable accounts and remove credentials tied to decommissioned systems.
- Update documentation to reflect where data was moved and how it can be accessed or destroyed.
- Notify stakeholders and offer users guidance to export or delete their data where applicable.

Security Incident Management

Key steps:

- Prepare: maintain an incident response plan with roles, communication trees, and escalation criteria.
- Detect and report: ensure monitoring, logging and clear internal reporting channels.
- Classify: use severity levels (critical, major, minor) and assign appropriate response teams.
- Contain and eradicate: isolate affected systems and remove root causes.
- Recover: restore services from trusted backups and validate integrity.
- Post-incident: perform root-cause analysis, update risk registers, and publish lessons learned.

Awareness, Training and Best Practices

Provide role-specific training and general awareness sessions. Topics should include:

- Data protection law and privacy (Law No 058/2021).
- Secure development lifecycle and secure configuration.
- Phishing awareness and safe handling of sensitive data.
- Incident reporting procedures and personal responsibilities.

Compliance, Audit and Continuous Improvement

- Schedule regular audits, internal and external assessments, and maintain documented evidence for compliance.
- Update controls and PIAs when legal/regulatory or threat landscapes change.
- Use KPIs (e.g. time-to-patch, vulnerabilities found vs remediated) to drive improvements.

References

- Law No 058/2021 Relating to the Protection of Personal Data and Privacy.
- Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, CISA, October 2023.
- Minimum Cybersecurity Standards for Public Institutions, NCSA, July 2023.
- https://privacy-by-design.ca/
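The Minimum Security and Privacy Controls and the Development phase above call for data minimization with purpose limitation, pseudonymization or tokenization, and protected audit trails, but do not show what these look like in code. The following is an added illustration written for this page, not code from the guideline or from any GoR system: the record, the processing purposes, their field allow-lists, the actor names and the key handling are all constructed assumptions. It pseudonymizes the direct identifier with a keyed HMAC (so the small national-ID space cannot be brute-forced back from a plain hash without the key), releases to each purpose only the fields that purpose needs, and writes every access to a hash-chained audit log whose `verify()` detects after-the-fact edits or deletions.

```python
"""Added illustration (not from the guideline): pseudonymization, purpose-bound
data minimization and a tamper-evident audit trail. All field names, purposes,
actors and the sample record below are constructed for the example."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample record: the kind of citizen data a GoR service might hold.
SAMPLE_RECORD = {
    "national_id": "1199012345678901",   # constructed value, not a real identifier
    "full_name": "Jane Doe",
    "phone": "+250700000000",
    "district": "Gasabo",
    "service_requested": "birth_certificate",
}

# Purpose limitation: each processing purpose sees only the fields it needs.
# These allow-lists are hypothetical and would come from the PIA in practice.
PURPOSE_FIELDS = {
    "statistics": {"district", "service_requested"},
    "case_handling": {"pseudonym", "full_name", "phone", "service_requested"},
}


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable for the same key, not reversible
    by hashing every possible ID without the key (kept in the secrets manager)."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def minimize(record: Dict, purpose: str, key: bytes) -> Dict:
    """Return only the fields allowed for `purpose`; the direct identifier is
    replaced by its pseudonym before any field selection happens."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    working = dict(record)
    working["pseudonym"] = pseudonymize(working.pop("national_id"), key)
    return {k: v for k, v in working.items() if k in PURPOSE_FIELDS[purpose]}


class AuditLog:
    """Append-only audit trail: each entry's digest covers the previous digest,
    so editing or deleting an entry breaks the chain on verification."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, actor: str, purpose: str, pseudonym: str) -> Dict:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"actor": actor, "purpose": purpose, "subject": pseudonym, "prev": prev}
        entry["digest"] = hashlib.sha256(
            (prev + json.dumps(entry, sort_keys=True)).encode()
        ).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev:
                return False
            expected = hashlib.sha256(
                (prev + json.dumps(body, sort_keys=True)).encode()
            ).hexdigest()
            if expected != e["digest"]:
                return False
            prev = e["digest"]
        return True


def demo(key: Optional[bytes] = None) -> Tuple[Dict, Dict, bool]:
    """Release the sample record to two purposes and log both accesses."""
    key = key or secrets.token_bytes(32)   # in production: fetched from the secrets manager
    log = AuditLog()
    stats_view = minimize(SAMPLE_RECORD, "statistics", key)
    case_view = minimize(SAMPLE_RECORD, "case_handling", key)
    log.record("analyst01", "statistics", pseudonymize(SAMPLE_RECORD["national_id"], key))
    log.record("officer07", "case_handling", case_view["pseudonym"])
    return stats_view, case_view, log.verify()


if __name__ == "__main__":
    print(demo())
```

The statistics view never contains a name, phone number or even a pseudonym, which is the data-minimization point; the case-handling view carries the pseudonym so records can be linked without the national ID leaving the system of record. The pseudonym only re-identifies through the HMAC key, so key management (separate storage, rotation, restricted access) decides how strong the pseudonymization actually is.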
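The Development phase asks for secret detection in CI/CD pipelines and for code reviews that identify hard-coded secrets. As an added illustration for this page, not a tool from the guideline or from any GoR project, the check below shows the shape of such a gate: a few pattern rules for obvious credential forms, an entropy fallback for long random-looking string literals, and a deliberate exemption for values read from the environment, so the recommended fix (moving credentials out of source) does not itself trip the scanner. The rule names, thresholds and the sample configuration file are constructed; a production pipeline would use a maintained scanner with a far larger rule set.

```python
"""Added illustration (not from the guideline): a minimal hard-coded-secret
check of the kind run as a CI gate or during code review. Rules, thresholds
and the sample source are constructed for the example."""
import math
import re
import sys
from typing import List, Tuple

# Constructed sample: a config module as a reviewer might encounter it.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]          # good: read from the environment
API_TOKEN = "sk_live_CONSTRUCTEDEXAMPLE9f8e7d6c5b4a3"   # bad: literal credential
smtp_password = "Summer2023!"                    # bad: literal credential
LOG_LEVEL = "INFO"                               # harmless literal
aws_key = "AKIAEXAMPLECONSTRUCT"                 # bad: access-key-shaped literal (constructed)
-----BEGIN RSA PRIVATE KEY-----                  # bad: key material in source
"""

# Each rule: (illustrative name, compiled regex).
RULES = [
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential-assignment", re.compile(
        r"(?i)\b[\w.]*(password|passwd|secret|token|api_?key)[\w.]*\s*[:=]\s*[\"']([^\"']{6,})[\"']")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; long high-entropy literals are likely random secrets."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule, excerpt) for every suspicious line.
    Lines that read from the environment are exempt by design."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        if "os.environ" in line or "getenv(" in line:
            continue
        for name, rx in RULES:
            if rx.search(line):
                findings.append((no, name, line.strip()[:60]))
                break
        else:
            # Entropy fallback for long quoted literals no rule recognised.
            for lit in re.findall(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']", line):
                if shannon_entropy(lit) > 4.0:
                    findings.append((no, "high-entropy-literal", line.strip()[:60]))
                    break
    return findings


def main() -> int:
    """CI entry point: print findings and fail the job when any exist."""
    findings = scan(SAMPLE_SOURCE)
    for no, rule, excerpt in findings:
        print(f"line {no}: {rule}: {excerpt}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample, the gate flags lines 3, 4, 6 and 7 and leaves the environment lookup and the harmless `LOG_LEVEL` literal alone. The non-zero exit code is what turns the check into a control: wired into the pipeline before build or deployment, it blocks the change until the credential is moved into the secrets manager the guideline requires.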