Secure-by-design principles:
The Secure by Design principles guide the development of software and systems that are secure from the ground up. Their core purpose is to prevent vulnerabilities and minimize damage in the event of an attack by embedding security into every stage of the design and development process. Goal: Create systems that are resilient, robust, and harder to compromise by default.

| Principle | Summary | Explanation |
|---|---|---|
| Minimize Attack Surface Area | Reduce potential entry points for attackers | Only expose necessary components and features to limit vulnerabilities. Less exposed code = fewer opportunities for exploitation. |
| Establish Secure Defaults | Systems should be secure by default | Out-of-the-box configurations should prioritize security—e.g., disable unnecessary features, use strong authentication, and restrict access. |
| Least Privilege | Grant only the minimum access needed | Users and systems should only have permissions essential for their function. Limits potential damage from misuse or compromise. |
| Defense in Depth | Use multiple layers of security controls | Implement overlapping security measures (e.g., firewalls, authentication, encryption) to ensure protection even if one layer fails. |
| Fail Securely | Fail in a way that maintains security | When systems or applications fail, they should do so without exposing sensitive data or bypassing access controls. |
| Don’t Trust Services | Assume external systems may be compromised | Validate and verify all interactions with third-party services or components. Don’t blindly trust external systems, even if they seem reliable. |
| Separation of Duties | Split responsibilities to reduce risk | No single individual or system should have full control over critical operations. Helps prevent fraud and limits damage from insider threats. |
| Avoid Security by Obscurity | Don’t rely on hiding details for security | Security should not depend on secrecy of implementation. Even if attackers know how your system works, it should still be secure. |
| Keep Security Simple | Simpler designs are easier to secure | Complexity often leads to vulnerabilities. A clear, simple, and well-understood security design is less error-prone and easier to maintain. |
| Fix Security Issues Correctly | Properly resolve the root cause of vulnerabilities | Don’t just patch symptoms. Fully understand and address the underlying issue to prevent reoccurrence or new vulnerabilities. |
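The following is an added example and not code from the original page; it shows three of the principles above in working Python: "Fail Securely" (an authorization check that denies when the policy lookup errors, beside the fail-open anti-pattern), "Least Privilege" (each role holds only the actions it needs) and "Establish Secure Defaults" (a configuration object whose untouched defaults are the safe ones, plus a check that reports departures from them). The role policy, the `ServiceConfig` fields and every name are constructed for illustration and do not describe any real product.

```python
"""Added example, not from the original page: 'Fail Securely', 'Least
Privilege' and 'Establish Secure Defaults' in Python. The role/permission
policy, the ServiceConfig fields and all names are constructed for
illustration and are not any real product's configuration."""
from dataclasses import dataclass

# Constructed policy: each role holds only the actions it needs (least privilege).
PERMISSIONS = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete"}),
}


class PolicyError(Exception):
    """Raised when the policy store cannot answer (unknown role, backend down)."""


def lookup_permissions(role: str) -> frozenset:
    """Simulates a policy-store lookup; an unknown role is an error, not 'no permissions'."""
    try:
        return PERMISSIONS[role]
    except KeyError:
        raise PolicyError(f"unknown role {role!r}") from None


def is_allowed_fail_open(role: str, action: str) -> bool:
    """Anti-pattern: a lookup error is swallowed and the request is let through."""
    try:
        return action in lookup_permissions(role)
    except PolicyError:
        return True  # defect: a failure grants access


def is_allowed_fail_closed(role: str, action: str) -> bool:
    """Fail securely: the only way to be allowed is a positive answer from the policy."""
    try:
        return action in lookup_permissions(role)
    except PolicyError:
        return False  # a failure denies; the caller can log the error separately


@dataclass(frozen=True)
class ServiceConfig:
    """Secure defaults: an operator who changes nothing gets the safe settings."""
    debug: bool = False                       # no stack traces or internals sent to clients
    require_tls: bool = True
    session_timeout_seconds: int = 900
    allowed_origins: tuple = ()               # no cross-origin callers unless explicitly listed
    exposed_endpoints: frozenset = frozenset({"/health"})  # minimal attack surface


def weak_settings(cfg: ServiceConfig) -> list:
    """Lists the ways a configuration departs from the secure defaults (empty list = fine)."""
    findings = []
    if cfg.debug:
        findings.append("debug enabled")
    if not cfg.require_tls:
        findings.append("TLS not required")
    if cfg.session_timeout_seconds > 3600:
        findings.append("session timeout over one hour")
    if "*" in cfg.allowed_origins:
        findings.append("wildcard origin allowed")
    return findings


if __name__ == "__main__":
    for check in (is_allowed_fail_open, is_allowed_fail_closed):
        print(check.__name__, "ghost/read ->", check("ghost", "read"))
    print("defaults:", weak_settings(ServiceConfig()))
    print("weakened:", weak_settings(ServiceConfig(debug=True, require_tls=False)))
```

The point of the two `is_allowed_*` functions is that they behave identically on every valid input; they differ only when the policy store fails, which is exactly the case a design review has to ask about. `weak_settings` is the kind of check that belongs in a startup self-test or a configuration linter so that a hand-edited config cannot silently undo the defaults.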
Privacy-by-design principles:
The Privacy by Design principles focus on embedding privacy protection into technologies, processes, and business practices from the start. The aim is to ensure that individuals’ personal data is handled with care, transparency, and respect throughout its lifecycle. Goal: Build systems that protect personal data by default, giving users confidence, control, and trust in the services they use.

| Principle | Summary | Explanation |
|---|---|---|
| Proactive not Reactive; Preventative not Remedial | Anticipate and prevent privacy issues | Build systems to prevent privacy breaches before they happen, rather than reacting to them afterward. |
| Privacy as the Default Setting | Privacy is automatically protected | Users shouldn’t have to take action to protect their privacy—it should be built in and enabled by default. |
| Privacy Embedded into Design | Privacy is a core design consideration | Privacy should be integrated into systems and processes from the outset—not added later as an afterthought. |
| Full Functionality – Positive-Sum, not Zero-Sum | No trade-off between privacy and usability | Aim for solutions that support both privacy and other system goals (e.g., security, functionality) without unnecessary compromises. |
| End-to-End Security – Full Lifecycle Protection | Secure data throughout its entire lifecycle | Protect personal data from collection through to deletion using strong security practices (e.g., encryption, access controls). |
| Visibility and Transparency – Keep it Open | Be open and accountable | System operations and data handling practices should be transparent and verifiable to users and stakeholders. |
| Respect for User Privacy – Keep it User-Centric | Put users in control of their data | Prioritize user interests, offer clear privacy options, and make systems easy to understand and control from a user perspective. |
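The following is an added example and not code from the original page; it turns four of the principles above into working Python: "Privacy as the Default Setting" (every sharing switch starts off), data minimization at collection time (only fields the service needs are ever stored), "Full Lifecycle Protection" (records past their retention period are purged) and "Visibility and Transparency" (a report of what is held about a user and when it will be deleted). The field names, the one-year retention period and the sample submission are constructed for illustration.

```python
"""Added example, not from the original page: 'Privacy as the Default
Setting', data minimization, retention/deletion and a transparency report
in Python. Field names, the retention period and the sample data are
constructed for illustration."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone

# Constructed: what the service actually needs to operate; anything else is dropped at the door.
REQUIRED_FIELDS = frozenset({"email"})
OPTIONAL_FIELDS = frozenset({"display_name"})
RETENTION = timedelta(days=365)  # constructed retention period for inactive accounts
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo


@dataclass(frozen=True)
class PrivacySettings:
    """Every switch starts in the most private position; the user opts in, never out."""
    profile_public: bool = False
    analytics_opt_in: bool = False
    marketing_emails: bool = False
    location_sharing: bool = False


def minimize(submitted: dict) -> dict:
    """Keeps only the fields the service needs; extra personal data is never stored."""
    missing = REQUIRED_FIELDS - submitted.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    return {k: v for k, v in submitted.items() if k in REQUIRED_FIELDS | OPTIONAL_FIELDS}


@dataclass
class UserRecord:
    user_id: str
    data: dict
    last_active: datetime
    settings: PrivacySettings = field(default_factory=PrivacySettings)


def register(user_id: str, submitted: dict, now: datetime) -> UserRecord:
    """Creates a record with minimized data and the private-by-default settings."""
    return UserRecord(user_id=user_id, data=minimize(submitted), last_active=now)


def purge_expired(records: list, now: datetime) -> tuple:
    """End of lifecycle: drops records inactive for longer than RETENTION.
    Returns (kept_records, purged_user_ids) so the deletion can be audited."""
    kept, purged = [], []
    for rec in records:
        (purged if now - rec.last_active > RETENTION else kept).append(rec)
    return kept, [rec.user_id for rec in purged]


def transparency_report(record: UserRecord) -> dict:
    """Visibility and transparency: what is held, which switches are on, and when it goes away."""
    return {
        "stored_fields": sorted(record.data),
        "settings": asdict(record.settings),
        "delete_after": (record.last_active + RETENTION).isoformat(),
    }


if __name__ == "__main__":
    # Constructed submission: the phone number is not needed and is discarded.
    rec = register("u1", {"email": "a@example.test", "display_name": "A", "phone": "555-0100"}, SAMPLE_NOW)
    print(transparency_report(rec))
    print(purge_expired([rec], SAMPLE_NOW + 2 * RETENTION))
```

Two design choices are worth noting. `minimize` filters by an allow-list of fields rather than a block-list, so a new field added to the sign-up form is dropped until someone decides the service needs it. `PrivacySettings` is frozen and has no constructor arguments that default to sharing, so the only way for data to become public is an explicit, later change by the user.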