Addressing data privacy and security with the NIST Privacy Framework

Data privacy is a top concern for organizations everywhere, as an endless stream of data breaches funnels personal records into the hands of hackers.

Lawmakers are upping the ante on enforcing privacy protection. Facebook and Google are facing billion-dollar lawsuits over violations of the General Data Protection Regulation (GDPR), and the number of state-based regulations aimed at giving consumers control over their personal information continues to climb.

A recent study revealed 10% of U.S. companies are attempting to comply with 50 or more privacy laws, 13% are working actively on 11 to 49 laws, and another 13% are working on six to 10 laws.

Organizations are under tremendous pressure to secure sensitive data, but it’s not easy. As privacy requirements continue to proliferate, the path to compliance across an evolving ecosystem of data from partners, customers, and vendors can be complicated.

Solving the privacy puzzle

Many public and private-sector organizations utilize the NIST Cybersecurity Framework (CSF) as a playbook for advancing their security posture.

In January, NIST released its Privacy Framework Version 1.0, which complements the CSF. Designed to help organizations identify and prioritize privacy risks, it’s a flexible, outcome-driven enterprise risk management tool that facilitates compliance with data privacy regulations globally.

During RSA Conference 2020, NIST Senior Privacy Policy Advisor Naomi Lefkovitz explained that NIST looks at security and privacy as a Venn diagram. In order to effectively protect sensitive and regulated data, organizations need to manage not only cybersecurity risks but also privacy risks, which aren’t always tied to security incidents.

Image source: NIST

Modeled after the CSF, the Privacy Framework has three parts — the Core, Profiles, and Implementation Tiers — that are the building blocks for achieving risk management goals.

The Core outlines a set of privacy protection activities. The Profiles help identify which activities in the Core should be pursued, and the Implementation Tiers provide a point of reference for determining whether the right resources are in place to manage risk.

Image source: NIST

The framework is adaptable and designed to augment — not replace — existing capabilities. It can be leveraged by organizations with robust privacy risk management processes already in place to analyze and articulate any gaps, or used as a guide by companies looking to develop a privacy program from scratch. As Lefkovitz notes, it was “designed to be agnostic to any law, so it can assist you no matter what your goals are.”

Adopting the NIST Privacy Framework

Organizations that have already implemented the Cybersecurity Framework will have a head start on adopting the Privacy Framework. Here are five tips to make your efforts successful:

  1. Assess your environment.

    Before getting started, make sure you fully understand your underlying infrastructure, regulatory requirements, the risks posed by your systems and services, and your relationship to other organizations in the data processing ecosystem.

  2. Establish objectives.

    Identify what success looks like by detailing what you want to achieve. Interview key stakeholders about their data privacy concerns and focus on specific, measurable goals. These might include completing a security awareness training program that highlights data privacy, or implementing policies and procedures to manage data privacy risk.

  3. Prioritize communication.

    Effective communication will ensure everyone involved in the project is aware of their responsibilities and how work is progressing. It also helps avoid confusion and encourages cooperation across the organization by keeping stakeholders informed about the project’s goals, activities, and status.

  4. Recognize wins.

    The Privacy Framework can take a few months to implement. To gauge progress and strengthen morale, it’s a good idea to highlight some tasks that can be completed relatively quickly, such as discovering the locations of sensitive and regulated data, or identifying additional controls to strengthen your data privacy efforts.

  5. Think programmatically.

    Adoption of the framework shouldn’t be a short-term goal. It should be part of an iterative cybersecurity roadmap that sets the direction for your security program and helps your organization continually address evolving security and compliance challenges.

Navigating the path to privacy protection is a significant undertaking, and many organizations don’t have the in-house resources needed to support their efforts. Vendor-independent technology partners can help by providing an objective view of your security and privacy capabilities, promoting collaboration with different business units, and building a cohesive risk management strategy.

Bridging the gap between security and privacy

Addressing privacy in today’s threat landscape requires more than a good security posture. Organizations looking to comply with changing regulations and gain customer trust need to improve their approach to using and protecting personal data.

The NIST Privacy Framework is expected to play a similar role to the Cybersecurity Framework as a voluntary gold standard that can strengthen your response to data privacy challenges. By combining the use of both frameworks within your security program, you can comprehensively address cybersecurity and privacy concerns and continually adjust to new risks.

For more information about the Privacy Framework, visit NIST’s website for an in-depth, on-demand webinar. To learn more about advancing your security and privacy capabilities, contact your SHI account executive.

Anne Grahn contributed to this post.