We need to make sure we are protecting the software correctly in the jurisdiction in which we are developing and/or using our product. This is to protect the company’s intellectual property.
Software IP is protected by its license. We want to make sure we are not in violation of any software piracy regulation.
Legal Requirements
We want to be compliant; this means maintaining logs and protecting the privacy of our users. We need to check whether we have an uptime SLA for the availability of our software, to limit liability in case of failure.
I need to be aware of existing privacy laws surrounding the processed data: sensitive data, health information, personally identifiable information.
A piece of data on its own may be unimportant, but aggregating such data, or combining it with other data, could lead to a breach of privacy.
- To aggregate: join together
- To Infer: see one thing and be able to deduce something else
Protection of sensitive data is often done through access controls. The payment card industry says data access should be limited by business need to know: “do you need to know it in order to do your job?”
Of course, access control needs to be least privilege.
Another privacy-related requirement is breach notification: to whom, when, and how long after the discovery of a breach must the notification be sent?