NIST Privacy Risk Assessment


Privacy regulations create a myriad of remediation and compliance complications. Many companies struggle to determine which regulations apply to their organization and what the scope of their responsibilities is. With the privacy landscape changing at breakneck pace, sorting through the number of industry and government regulations such as CCPA, GDPR, LGPD, PIPEDA, FERPA, the HIPAA Privacy Rule, and the numerous pending state regulations is a daunting task for many organizations. To compound the issue, today's organizations collect a large amount of data, including names, addresses, phone numbers, IP addresses, geolocation data, driver's license numbers, social security numbers, and much more. The recent pandemic has prompted many organizations to add health data to the data collected about individuals.

Privacy is often considered an IT problem or even a problem for “the folks in legal”. Such a myopic view can be detrimental to the organization, as many of these regulations carry a hefty fine for non-compliance. Privacy affects the whole organization and as such needs to be thought of as an enterprise initiative. As you develop your processes for handling Data Subject Access Requests, incident response plans, data breach response communications plans, and all the requisite technical safeguards, you should be approaching these activities with an enterprise lens.


“Today we understand much better how important process is to realizing privacy protections in our information technology systems, products, and services. It’s not enough to simply have principles, legal requirements, and PETs; we’ve had to follow the path that security experts set out upon many years before to figure out how to embed security in systems and business development processes.”


Our Approach

At TBG Security we've adopted the new NIST Privacy Framework because cybersecurity and privacy are connected, but different. We take a methodical approach to determining any organization's readiness to meet its privacy requirements by using the NIST Privacy Framework as the core of our Privacy Risk Assessments. When conducting our assessments we follow the NIST PRAM (Privacy Risk Assessment Methodology), which consists of the following activities:

Framing Business Objectives and Organizational Privacy Governance

Capturing the mission/business objectives and functional capabilities of the system/product/service to understand its purpose, in order to determine how to address identified privacy risks and support the selection of controls that can mitigate privacy risks while optimizing performance.

Assessing System Design; Supporting Data Map

In this step we’ll document the privacy capabilities for the system/product/service. Determining the risks for privacy arising from data processing or individuals’ interactions with systems, products, or services requires determining the likelihood that a data action will be problematic (i.e. the processing or interaction creates the potential for problems or adverse effects on individuals either singly or as a group) and its impact. The purpose of this phase is to identify and catalog the inputs for this risk analysis. These inputs are the data processing operations or capabilities (i.e. data actions), the data being processed or individuals’ interactions with the system/product/service, and relevant contextual factors.

Prioritizing Risk

In this step we assess and prioritize the privacy risks identified in the system, so that the most significant problematic data actions are addressed first.

Assessing Your Privacy Readiness

Once we've completed the previous steps we'll assess your organization's readiness to meet the applicable controls from the NIST Privacy Framework. We do this by conducting a series of interviews with key stakeholders in the organization and by reviewing any and all documentation provided.

Report Delivery

After all the activities are complete we'll provide you with a report identifying any gaps the organization may have in meeting the requirements of the Framework. The report includes a roadmap that identifies and prioritizes the activities the organization must complete to meet the Privacy Framework requirements.


Benefits Of Working With Us

  • 20-plus years of cybersecurity consulting services
  • Deep understanding of and appreciation for individual privacy and the regulatory requirements therein.
  • Product agnostic
  • Range of compliance services available


Want to know more about our Privacy Consulting Services? We're here to help.