NIST Privacy Framework a Flexible Tool for Managing Privacy Risks
Privacy isn’t a new concept, but organizations of all sizes continue to struggle with it as the digital age generates new data-driven products and services at a dizzying pace.
In November 2019 I addressed some of the struggles that even organizations with mature data protection capabilities are facing as a result of new data regulation requirements – issues like subject access requests, the right to erasure and data portability, for instance. In an effort to help organizations address these challenges, enable better privacy practices and provide a common language for communicating privacy requirements, the National Institute of Standards and Technology (NIST) has published the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (NIST PF). This document leaves no doubt that the focus on consumer privacy will continue to sharpen.
The good news is that the NIST PF doesn’t establish a lot of new expectations. In a very real sense, it simply formalizes what we, as security risk and privacy professionals, already know should be done.
The Privacy Framework is deliberately organized similarly to the NIST Cyber Security Framework (CSF) to facilitate the parallel use of both tools. The PF is composed of three parts: Core, Profiles and Implementation Tiers.
The framework’s Core consists of five functions:
IDENTIFY-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
GOVERN-P (GV-P): Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
COMMUNICATE-P (CM-P): Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
PROTECT-P (PR-P): Develop and implement appropriate data processing safeguards.
The integration with the NIST CSF is highlighted in the Core by a key that labels the subcategories that are identical to the CSF, or that align with the CSF but whose descriptions have been adapted. This approach reinforces the idea that an effective privacy program requires integration with our information security and risk management programs. Of the 100 subcategories in the Privacy Framework, 53 are carried over from the NIST CSF, meaning the Privacy Framework suggests 47 new activities (predominantly in the Control-P and Communicate-P functions).
Here is a summary of the categories and subcategories that are pulled from the CSF into the Privacy Framework:
Of the 18 categories:
Of the 100 subcategories:
The 47 subcategories that do not have a direct link to the CSF focus on capabilities such as inventorying processing activities, privacy by design, privacy impact assessments and handling subject access requests; activities that security and privacy professionals will be familiar with. In their simplest form we could summarize these as:
Given the explosion of privacy-related legislation both in the US and globally (CCPA and Nevada SB220 recently, as well as GDPR, PIPEDA, Brazil’s LGPD and several other state-level laws currently being considered in the United States), the NIST PF should be added to the toolbox of all privacy and risk management stakeholders. In doing so, they will be positioned with a framework that, if used correctly, will demonstrate reasonable efforts to protect consumer information.
It’s also important to note that the FTC provided public comments to the preliminary draft of the Privacy Framework. This is an important consideration given the commission’s focus on consumer protections in the United States as well as past statements it has made indicating the CSF approach to integrating cybersecurity into overall risk management is consistent with its approach to enforcement.
I expect the NIST Privacy Framework will become as popular as the CSF because of the simplicity of integration into existing security and risk management frameworks. By complementing and extending these frameworks that organizations already employ, we help ourselves build scalable, flexible programs that can adapt to evolving requirements (such as emerging privacy regulations) with minimal effort.