Search Results

351 total results found

Requirements and acquisition

Software Security and Privacy by Design... Software development lifecycle step-by-...

Goal: Ensure requirements include explicit privacy and security criteria. Define functional, privacy and security requirements. Include purpose limitation and data minimization requirements. Conduct Privacy Impact Assessment (PIA) and update risk register....

Architecture and design

Software Security and Privacy by Design... Software development lifecycle step-by-...

Goal: Design an architecture that enforces privacy and security by construction. Produce security architecture diagrams showing trust boundaries, data flows and classification. Apply Data Flow Mapping and Data Classification (sensitive vs non-sensitive). ...

Development

Software Security and Privacy by Design... Software development lifecycle step-by-...

Goal: Implement secure, privacy-aware code and configurations. Adopt secure coding standards (OWASP, CERT) and include them in the definition of done.  Use automated static analysis (SAST), dependency scanning and secret detection in CI/CD pipelines. Enfo...

Testing

Software Security and Privacy by Design... Software development lifecycle step-by-...

Goal: Verify security and privacy controls work as intended. Create a security test plan covering unit, integration, system, and acceptance tests. Include privacy test cases validating consent, data minimization, and access controls.  Conduct vulnerabilit...

Deployment

Software Security and Privacy by Design... Software development lifecycle step-by-...

Goal: Deploy securely with correct configurations, access controls and monitoring in place. Apply secure configuration baselines and hardening to servers, databases and network devices.  Enforce RBAC and configure least privilege for all accounts; set up M...

Operations and Maintenance

Software Security and Privacy by Design... Software development lifecycle step-by-...

Goal: Sustain security and privacy posture throughout operations. Maintain a schedule for vulnerability scanning, patch management, and configuration reviews. Conduct periodic privacy and security control reviews and update PIAs as needed.  Ensure change ...

Upgrade / Decommission

Software Security and Privacy by Design... Software development lifecycle step-by-...

Goal: Safely retire or replace systems while preserving required records and preventing data leakage. Plan archival or migration of records according to legal retention requirements. Sanitize media and verify secure deletion of sensitive data using approve...

Security Incident Management

Software Security and Privacy by Design...

Key steps: Prepare: maintain an incident response plan with roles, communication trees, and escalation criteria. Detect and report: ensure monitoring, logging and clear internal reporting channels. Classify: use severity levels (critical, major, minor) an...

Awareness, Training and Best Practices

Software Security and Privacy by Design...

Provide role-specific training and general awareness sessions.  Topics should include: Data protection law and privacy (Law No 058/2021). Secure development lifecycle and secure configuration. Phishing awareness and safe handling of sensitive data. Inci...

Compliance, Audit and Continuous Improvement

Software Security and Privacy by Design...

Schedule regular audits, internal and external assessments, and maintain documented evidence for compliance. Update controls and PIAs when legal/regulatory or threat landscapes change. Use KPIs (e.g., time-to-patch, vulnerabilities found vs remediated) to drive...

References

Software Security and Privacy by Design...

Law No 058/2021 Relating to the Protection of Personal Data and Privacy. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, CISA, October 2023. Minimum Cybersecurity Standards for Public Institutions, NCSA,...