Amidst rising concern around consumer data privacy, NIST is currently developing a data privacy framework that is similar in spirit to the popular Cybersecurity Framework (CSF). Like the CSF, the upcoming Privacy Framework will be a close collaboration between public and private sector stakeholders to create a gold-standard, voluntary framework. The great challenge will likely center upon how well the new Privacy Framework integrates with the existing CSF and Risk Management Framework (RMF).

Overview of the NIST CSF and RMF

What was remarkable about the NIST CSF when it was first released in 2014 was the fact that it was driven by outcomes and did not explicitly prescribe controls to achieve those outcomes. That allowed practitioners to implement the NIST CSF using varying controls. Further, the CSF is designed in such a way that it facilitates rapid adoption: it is nested in increasing levels of granularity, with the subcategories showing outcomes and the tiers showing a view of cyber risk. The NIST CSF was designed for adaptability and scalability regardless of the organization, and that became even more true in Revision 1.1. When I attended the NIST Cyber Risk Management Conference, a trend I noted was the increased concern around supply chain risk (and rightfully so). The CSF uses a light touch with respect to privacy, mentioning it in the guidance and in two subcategories. However, when the CSF is implemented via an RMF process, privacy becomes much more integrated into the security practice.
The NIST Risk Management Framework actually addresses data privacy in depth. The 2.0 version acknowledges that privacy regulations are not slowing down and risk managers should use both the traditional data protection triad (confidentiality, integrity, visibility) as well as privacy regulatory standards (such as GDPR and the upcoming CCPA).

The RMF itself focuses on risk assessments as both a baselining and benchmarking mechanism. Moreover, the RMF serves as a means to discuss risk at all levels and use the data from risk assessments to decide what controls to implement, regardless of the complexity of your risk assessment methodology, from crown jewels or business objectives through to NIST 800-30 or FAIR.

The RMF directly references the CSF in task P4 in version 2.0. The CSF is deliberately flexible enough to mitigate and address risk from the function level, the category, and the subcategory levels. Optimally, organizations that leverage an RMF-instantiated version of the CSF will get a powerful view into their cyber processes and risk mitigations.

Using the RMF to Inform How Privacy and Risk Teams Should Interact

For larger organizations where risk and privacy tend to be separate teams, the RMF is actually pretty explicit in how these teams should interact. A privacy mindset for most security teams means more work - just because customers' personally identifiable information (PII) is secure doesn't mean it's private. Using the RMF to determine how to manage PII will typically revolve around the risk assessment and identifying where your organization's weak points exist with respect to both security and privacy.

While most organizations use the RMF for a security risk assessment, they can also use it for a privacy risk assessment - a fundamental aspect of the new Privacy Framework.

The New Privacy Framework

If the RMF supports
privacy-centric security, then why invest in a separate privacy framework? In the same way that the RMF enables practitioners to communicate risk up the chain, the new Privacy Framework will do the same for data privacy. The concern for many organizations around privacy is an increasingly technology-literate customer base - both consumers and businesses - with privacy typically at the top of their own concerns. While the RMF helps teams think about addressing and mitigating privacy risk, it does not define a core set of activities for continuous improvement and mitigation. That's what the new Privacy Framework seeks to address.

Based on my review of the draft version of the Privacy Framework, we can expect it to be very similar to the CSF, with the RMF as a foundational element. The Privacy Framework uses a similar core approach with five functions, three of which map directly to the CSF: identify, protect, control, inform, and respond. In the case of the two new functions (control and inform), I can see how they would fit directly into a Privacy Framework/CSF combination for most businesses. These kinds of efficiencies will become paramount as organizations seek to meet regulatory requirements, protect their assets and business, and address enterprise risk in an increasingly complex space.

The key to harmonizing privacy and security starts with the Risk Management Framework. Risk assessments (security in the case of the CSF and privacy in the case of the Privacy Framework) are the foundation of any strong security and privacy program. As more and more regulations arrive, using robust, flexible, and industry-tested frameworks such as the CSF and the impending Privacy Framework will become the norm for almost all security organizations.