
This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of security policies and regulations.

Learning Objectives

  • Obtain a general understanding of security policies, regulations, and compliance
  • Understand the legal and privacy issues that these regulations aim to address
  • Learn about a variety of security frameworks and standards
  • Learn about trusted computing principles and how they underpin security frameworks
  • Understand the security implications of acquiring software

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification, or for anyone interested in the topics it covers.


Any experience relating to information security would be advantageous, but it is not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.





Of course, today privacy is an issue, and one of growing concern. Any system or situation that involves information identifying a person uniquely, or some element that can be traced to a specific individual, falls into the realm of a privacy concern and generally has a law governing it in some way. The typical definitions and acronyms are personally identifiable information, or PII; protected health information, or PHI, as we find under HIPAA; and personal financial information, or PFI, as we find under Gramm-Leach-Bliley.

In software development projects, such data may play a role in design, build, testing, and QA, both to ensure correct operation and to ensure that this particular type of data, whichever of these categories it falls into, is properly identified, classified, categorized, and in the end protected from mishandling and from errors in its collection, use, and disclosure. What the CSSLP needs to understand, and to contribute to the team's effort, is how to tie these practices together: evaluate the risk, identify any compliance requirements, and specify the commensurate security, so that appropriate protections are designed and built into the program, are in place, and are functioning properly wherever they are needed.

So, let's look at some specific elements that are common to several of these categories of individually identifiable information. Here we have a list of directly identifying fields associated with a person's unique identity. If our program design is required to enforce a Safe Harbor list, then each of these identifiers must be captured and removed wherever removal is required, and where they are to be retained they must be protected from disclosure through other controls. Common to all of these program elements are privacy guidelines that are becoming more global each day. The OECD Privacy Guidelines are the basis for a later standard for privacy protection called the GAPP, or Generally Accepted Privacy Principles, published by the AICPA and CICA.

Here we see the principles that are captured in nearly every type of privacy legislation found around the globe. We have different roles here: data controller, data processor, data subject, and others. And the rules attached to them, data controller accountability, for example, which makes the data controller responsible for protecting its data holdings in accordance with regulatory requirements, are the sorts of things we find in virtually every form of privacy legislation encountered. More to the point, these are the kinds of things that must translate into functional and non-functional requirements for any program that will handle the type of data for which these rules were written.

So we have the privacy Safe Harbor. Fundamental to collection, use, and disclosure is the ability to capture all of these elements, and also to identify them and remove them when necessary to produce a Safe Harbor data set. The idea of the Safe Harbor is to ensure that information containing these elements is secured and protected during its collection, use, and disclosure, in every state it passes through. The term is also used for the US-EU Safe Harbor Framework of 2000, whose seven principles are the ones we see here: notice, choice, onward transfer, security, data integrity, access, and enforcement. (That framework was invalidated by the Court of Justice of the EU in 2015; its successors, Privacy Shield in 2016 and the EU-US Data Privacy Framework in 2023, carry the same principles forward.) These relate back to the standards you saw on the slide with the OECD Guidelines.
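The capture-and-remove step described above, together with the alternative of protecting a retained identifier through another control, as an added Python example (not code from the course or from Cloud Academy): it applies the identifier categories of the HIPAA Safe Harbor de-identification method (45 CFR 164.514(b)(2)) to a constructed patient record. The field names, the sample record, the free-text patterns, and the restricted ZIP-prefix set are assumptions made for the example; the keyed token produced for a retained identifier illustrates the kind of "other control" the text mentions, and whether such a token satisfies a particular regulator's re-identification-code rules is a compliance question the example does not settle.

```python
"""
Safe Harbor style de-identification of a patient record.

Added example for this course page; not code from the original.
Identifier categories follow the HIPAA Safe Harbor method
(45 CFR 164.514(b)(2)). Field names, the sample record and the
restricted ZIP prefixes are constructed for the example.
"""
import hashlib
import hmac
import re

# Direct identifiers: removed outright unless explicitly retained as a token.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
}

# Dates directly related to the individual: only the year survives.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# ZIP3 prefixes covering 20,000 people or fewer collapse to "000".
# Constructed subset for the example; the real list comes from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Patterns for identifiers that leak into free-text fields (assumed formats).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]


def generalize_date(iso_date):
    """'1950-04-17' -> '1950'."""
    return iso_date[:4]


def generalize_age(age):
    """Ages over 89 are aggregated into a single category."""
    return "90+" if age > 89 else age


def generalize_zip(zip_code):
    """Keep the first three digits unless that prefix is restricted."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def scrub_text(text):
    """Replace identifier patterns that appear inside free text."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def pseudonym(value, key):
    """Keyed token for a retained identifier; the key is stored outside the dataset."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record, retain=(), key=None):
    """
    Return a new record with Safe Harbor identifiers removed or generalized.

    `retain` names direct identifiers that are replaced by a keyed pseudonym
    (needed when a linkage handle must survive) instead of being dropped;
    `key` is the HMAC secret for those tokens.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            if field in retain:
                if key is None:
                    raise ValueError("retaining %s requires a key" % field)
                out[field + "_token"] = pseudonym(str(value), key)
            # otherwise the field is dropped entirely
        elif field in DATE_FIELDS:
            out[field] = generalize_date(value)
        elif field == "age":
            out[field] = generalize_age(value)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record describing a fictional person.
SAMPLE = {
    "name": "Jane Q. Public",
    "mrn": "MRN-0044812",
    "dob": "1931-06-02",
    "age": 92,
    "zip": "03601",
    "email": "jane@example.com",
    "diagnosis": "E11.9",
    "notes": "Patient called from 713-555-0142; follow up by email jane@example.com.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, retain=("mrn",), key=b"linkage-key-kept-elsewhere")
    for field in sorted(cleaned):
        print(field, "=", cleaned[field])
```

The free-text scrub is the part that most often gets missed in practice: removing the `email` column is no protection if the same address sits in a clinician's note, so the filter runs the patterns over every string field that is not itself dropped.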

In recent years, many new privacy laws have been passed, and many countries around the world now have them where before they may not have. With the internet spanning the globe, more and more companies going online, and larger and larger companies being brought under scrutiny for how they collect, use, and disclose personally identifiable information, the subject of privacy has gained worldwide attention, and in some cases alarm on the part of governments.

Let's examine a few specific examples of where these laws are. We have the California Consumer Privacy Act (CCPA), signed into law in 2018 and effective in January 2020; the California Privacy Rights Act (CPRA), approved by voters in November 2020 and operative from January 2023; the EU General Data Protection Regulation (GDPR), adopted in 2016 and applicable since May 2018; and Egypt's Personal Data Protection Law of 2020. The standards bodies, NIST in the US and the international ISO/IEC, have also been very busy. ISO/IEC 27018 is a code of practice for protecting PII in public clouds, written for cloud providers acting as PII processors rather than for controllers. NIST has published comparable guidance in SP 800-122, on protecting the confidentiality of PII.

For us in this particular course, we pay attention to NIST Special Publication 800-64, Security Considerations in the System Development Life Cycle (withdrawn by NIST in 2019, but still the reference used here for security and privacy in the development lifecycle), and, for systems that will end up in cloud deployment, Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing. These laws and guidelines all describe the same conditions that have to be met: that a Safe Harbor state can be put in place, that identification, classification, and categorization of the information can be performed competently, and that the necessary controls, both proactive and reactive, can be put in place and function correctly.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP certification in 1997, Mr. Leo joined ISC2 as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has continued as a professional educator, and since 1998 has trained and certified nearly 8500 CISSP candidates, and since 2004 nearly 2500 candidates in HIPAA compliance certification. Mr. Leo is an ISC2 Certified Instructor.