NIST Privacy Risk Assessment

Privacy regulations create a myriad of remediation and compliance complications. Many companies struggle to determine which regulations apply to their organization and what the scope of their responsibilities is. With the privacy landscape changing at breakneck pace, sorting through the number of industry and government regulations such as CCPA, GDPR, LGPD, PIPEDA, FERPA, the HIPAA Privacy Rule, and the numerous pending state regulations is a daunting task for many organizations. To compound the issue, today's organizations collect a large amount of data, including names, addresses, phone numbers, IP addresses, geolocation data, driver's license numbers, Social Security numbers, and much more. The recent pandemic has prompted many organizations to add health data to the data collected about individuals.

Privacy is often considered an IT problem, or even a problem for "the folks in legal". Such a myopic view can be detrimental to the organization, since many of these regulations carry a hefty fine for non-compliance. Privacy affects the whole organization and as such needs to be treated as an enterprise initiative. As you develop your processes for handling Data Subject Access Requests, incident response plans, data breach response communications plans, and all the requisite technical safeguards, you should approach each of these activities with an enterprise lens.

"Today we understand much better how important process is to realizing privacy protections in our information technology systems, products, and services. It's not enough to simply have principles, legal requirements, and PETs; we've had to follow the path that security experts set out upon many years before to figure out how to embed security in systems and business development processes."
~ NIST

At TBG Security we've adopted the new NIST Privacy Framework because cybersecurity and privacy are connected, but different. We take a methodical approach to determining any organization's readiness to meet its privacy requirements by using the NIST Privacy Framework as the core of our Privacy Risk Assessments. When conducting our assessments we apply NIST PRAM (Privacy Risk Assessment Methodology), which consists of the following activities:

  • Framing Business Objectives and Organizational Privacy Governance
    Capturing the mission/business objectives and functional capabilities for the system/product/service to understand its purpose, in order to determine how to respond to identified privacy risks and support the selection of controls that can mitigate privacy risks while optimizing performance.
  • Assessing System Design; Supporting Data Map
    In this step we'll document the privacy capabilities for the system/product/service. Determining the privacy risks arising from data processing or from individuals' interactions with systems, products, or services requires determining the likelihood that a data action will be problematic (i.e. the processing or interaction creates the potential for problems or adverse effects on individuals, either singly or as a group) and its impact. The purpose of this phase is to identify and catalog the inputs for that risk analysis: the data processing operations or capabilities (i.e. data actions), the data being processed or individuals' interactions with the system/product/service, and relevant contextual factors.
  • Prioritizing Risk
    In this step we assess and prioritize the privacy risks identified in the system, using the likelihood and impact inputs gathered in the previous step.
  • Assessing Your Privacy Readiness
    Once we've completed the previous steps we'll assess your organization's readiness to meet the applicable controls from the NIST Privacy Framework. We do this by conducting a series of interviews with key stakeholders in the organization and by reviewing any and all documentation provided.
  • Report Delivery
    After all the activities are complete we'll provide you with a report identifying any gaps the organization may have in meeting the requirements of the Framework, along with a roadmap that identifies and prioritizes all the activities the organization must complete to meet the Privacy Framework requirements.

Benefits Of Working With Us

  • 20 plus years of cybersecurity consulting services
  • Deep understanding of, and appreciation for, individual privacy and its regulatory requirements
  • Product agnostic
  • Range of compliance services available

Get In Touch

Want to know more about our Privacy Consulting Services? We're here to help.

Contact us