Security in Project Planning.

I recently had the opportunity to work on a project involving patient health information covered by HIPAA and the ability to transfer that information from one device to another securely.  I was asked to make the project as secure as possible, and when I was done I was very satisfied with the finished product.  I also noticed that my finished product was very different (and much more inclusive) than my first draft.

This led me to think that maybe I should have some kind of project planning template.  For every application that we are going to deploy we need to have some kind of security policy in place that guides how the data will be used, stored, transferred and disposed of.  I'd like to present to you what I have developed so far, and see if any of you have anything you think should be added to it.  I know this is a hacking site, and most of us are interested in how to ethically gain access to systems, but the whole purpose for ethical hacking is to ultimately create more secure systems.

Non-technical headings:
   Legal Framework
   Ownership of Data
   Notification Procedure
   Training Plan
   Sanctions for violation

The Non-technical headings are sections of the project policy that don't contain technical details, but still have important information that needs to be understood by everyone using the finished application or system.  The Legal Framework gives a short description of any federal, state, and local laws that govern this kind of data, and any institutional policies that also need to be taken into consideration for this system.  The project plan should include a training plan to ensure that all users are aware of the policies and should spell out any sanctions for violating the policy.  The project plan should also include some statement about who the owner of the data is and what requirements must be met for the data to be shared with others.  One of the most important non-technical sections is the notification procedure, which tells the end user who to call in the event that data is lost or stolen.

Technical considerations
   Physical Security
   Data at Rest
   Data in Motion
   Detection

In the technical considerations section we examine each piece of the application or system that is going to touch our data and we write out the requirements for each of these devices.  What are the physical security requirements for our servers?  Are these requirements different from the desktops?  What needs to be encrypted?  Do the backup tapes need special consideration?  How are we going to encrypt data in motion?

Questions this raises...
What has been left out?  Are there additional technical considerations that need to be taken to protect the data?  Is this model granular enough?  For example, to protect data at rest I use encryption, anti-virus software, anti-spyware software, authentication requirements and what access-controls are needed.  Is that too much for one category?  I'm sure this isn't a comprehensive list of considerations for project planning, but I hope that it will spur a good conversation and make all of our projects better.