- Sub-task
- Resolution: Unresolved
- Major
Prepare security guidelines as part of the product and in other traditional forms. For example, guidance that is part of the product could be warning messages that pop up when a feature is about to be used, and other forms of security guidelines are booklets and manuals.
Follow these guidelines:
- Create security guides that tell the users how to securely use or configure the device/software.
- If the software/module is being used in another system, fully document the security parameters, capabilities and settings.
- Seek and fill out standard security statement forms (such as the MDS2 form) to specify the security and privacy features of your product.
Include these topics in security documents where applicable:
- Privacy policies and types of data that are handled.
- Authentication and authorization mechanisms.
- Security features for all services, protocols, and ports that are in use.
- Data protection methods (data in transit and data at rest).
- Emergency procedures (break-glass features).
- Backup/restore, logging and auditing features.
- Communication with other software/devices, including removable devices (for example, external hard drives and flash memory).
- Physical security (if applicable).
- Virus and malware protection mechanisms.
- Device sanitization (for example, instructions on how to permanently delete personal data).
Document insecure settings
In the installation and configuration documentation, address insecure settings that are present during the first system bootup. If they are not addressed appropriately, the system may be left vulnerable to cyberattacks.
Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/amq-clients/tasks/phase/specifications/141-T379/