The Significance of the NIST Privacy Framework

Coalfire Assessment Team

February 21, 2020

Part 1: About the NIST Privacy Framework v1.0

Kudos to the NIST Privacy Team! Privacy Framework v1.0 has finally been released. I’ve been tracking the growth of this initiative since the focus group was kicked off in September 2018 and respect its thoroughly explored yet fundamentally grassroots approach. A few points worth bringing to your attention:

The Privacy Framework closely mirrors the approach of the NIST Cybersecurity Framework. The Cybersecurity Framework functions are Identify, Protect, Detect, Respond, and Recover. The Privacy Framework functions are Identify, Govern, Control, Communicate, and Protect.

The shared risks, remediation strategies, and underlying fundamentals for privacy are interwoven with those of cybersecurity.

Part 2: Coalfire’s Perspective

Privacy is an industry with a labyrinth of remediation and compliance complications. Organizations have often been confused or unsure about how to determine where the regulatory boundary and geographical scope of coverage start and end. We also have a significant number of industry and government regulations that all appear equally pressing in priority, such as CCPA, GDPR, LGPD, PIPEDA, FERPA, the HIPAA Privacy Rule, GLBA… the list continues. When the NIST Privacy Team started this effort, its goal was to work with all industries (healthcare, finance, transport, etc.), nationalities, and privacy organizations (e.g., IAPP). The objective was to develop a framework, or approach, that is freely available and industry- and geography-agnostic: one that provides a mutual foundation for all.

Privacy is an enterprise initiative. It aims to protect the “house,” not the “product.” One can also argue that by protecting the house, one is essentially securing the product. As privacy leaders develop their policies and procedures, incident and breach response capabilities, responses to data subject requests, and the associated back-end technical implementation capabilities for all of the above, they should keep in mind that the scope should be geared toward the enterprise. If not, significant effort and cost will have to be directed toward segmentation, boundary demarcation, and data leakage protection (DLP) solutions to make sure the more narrowly scoped solutions are functional and effective (“PR.DS-P5: Protections against data leaks are implemented”).

In the current corporate culture, we find privacy departments covered by roles in the legal department, compliance, risk, IT, and cybersecurity, and each of these does have a role to play in making sure equitable solutions are developed and implemented. However, it is important to note that the backbone for most of the management, operational, and technical solutions under consideration is necessarily covered by cybersecurity.

Coalfire has a robust privacy program that covers advisory, remediation, and assessment initiatives regardless of the framework, regulation, or geographical area being discussed.