Privacy regulations create a myriad of remediation and compliance complications. Many companies struggle to determine which regulations apply to their organization and what the scope of their responsibilities is. With the privacy landscape changing at breakneck pace, sorting through the many industry and government regulations such as CCPA, GDPR, LGPD, PIPEDA, FERPA, the HIPAA Privacy Rule, and the numerous pending state regulations is a daunting task for many organizations. To compound the issue, today's organizations collect a large amount of personal data, including names, addresses, phone numbers, IP addresses, geolocation data, driver's license numbers, Social Security numbers, and much more. The recent pandemic has prompted many organizations to add health data to the data they collect about individuals.
Privacy is often considered an IT problem or even a problem for "the folks in legal". Such a myopic view can be detrimental to the organization, since many of these regulations carry hefty fines for non-compliance. Privacy affects the whole organization and as such needs to be treated as an enterprise initiative. As you develop your processes for handling data subject access requests (DSARs), incident response plans, data breach response communications plans, and all the requisite technical safeguards, you should approach these activities with an enterprise lens.
At TBG Security we've adopted the new NIST Privacy Framework because cybersecurity and privacy are connected, but not the same thing. We take a methodical approach to determining an organization's readiness to meet its privacy requirements by using the NIST Privacy Framework as the core of our Privacy Risk Assessments. When conducting our assessments we follow NIST PRAM (Privacy Risk Assessment Methodology), which consists of the following activities:
In the first step we capture the mission/business objectives and functional capabilities for the system/product/service. Understanding its purpose is what lets us determine how to address identified privacy risks and supports the selection of controls that can mitigate privacy risks while optimizing performance.
In the second step we document the privacy capabilities of the system/product/service. Determining the privacy risks arising from data processing or from individuals' interactions with systems, products, or services requires determining the likelihood that a data action will be problematic (i.e. the processing or interaction creates the potential for problems or adverse effects on individuals, either singly or as a group) and the impact if it is. The purpose of this phase is to identify and catalog the inputs for that risk analysis: the data processing operations or capabilities (i.e. the data actions), the data being processed or the individuals' interactions with the system/product/service, and the relevant contextual factors.
In the third step we assess and prioritize the privacy risks in the system, using the likelihood and impact of each problematic data action identified in the previous step.
Once we've completed the previous steps we assess your organization's readiness to meet the applicable controls from the NIST Privacy Framework. We do this by conducting a series of interviews with key stakeholders in the organization and by reviewing any and all documentation provided.
After all the activities are complete we provide you with a report identifying any gaps the organization has in meeting the requirements of the Framework, along with a roadmap that identifies and prioritizes the activities the organization must carry out to meet the Privacy Framework requirements.