Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Business leadership often views privacy programs as costly efforts with little return, but the changing regulatory environment makes a focus on privacy more imperative now than ever. The good news is the adoption of a cybersecurity framework (CSF) along with a complementary privacy framework can ease the process and gain leadership buy-in by leveraging existing processes/policies and
fostering efficiencies. This piece explains how to help leadership understand both the importance and the benefits of privacy programs.
A slew of new consumer privacy regulations continue to go into force. For example, the California Privacy Rights Act has gone into effect. An update to the California
Consumer Privacy Act, it provides businesses with guidance around consumer data and privacy rights. It is an effort to help consumers understand and have more control over their data. This regulation and others like it are forcing organizations to review their data collection and management processes to minimize the data they manage. They also tend to impose stricter data-sharing requirements as well. All these updated
data-handling requirements may seem daunting for an organization.
Most organizations have been building cybersecurity and data governance practices over the years, and many of these regulations’ new privacy and data-sharing requirements can be addressed by pairing existing cybersecurity frameworks with privacy frameworks and controls.
In fact, much of the heavy lifting for privacy controls is already addressed in the cybersecurity safeguards.
When you use existing cybersecurity frameworks and complementary privacy frameworks, you can merge privacy and security teams efforts, saving cycles for both.
For example, NIST published version 1.0 of the Privacy Framework on Jan. 16, 2020. It was designed to complement existing business and system development operations and
to be used with the NIST Cybersecurity Framework (CSF), which was released on Feb.12, 2014. Both frameworks are built on five domains and two overlapping domains (see Figure 1).
If your organization has adopted the NIST CSF, you have already implemented some of the controls in the NIST Privacy Framework. Figure 2 shows the overlap between the two cyber domains and privacy domains. As you can see, most of the heavy lifting
is already done.
ISO/IEC 27701:2019 is an international standard designed to assist organizations in creating and maintaining policies and procedures to protect data. Not only does ISO/IEC 27701
refer to building an Information Security Management System (ISMS), but it also references a Privacy Information Management System (PIMS). By running these two management systems (ISMS and PIMS) as one centralized control library, organizations can
use the trusted brand strength of ISO/IEC 27701. In fact, ISO/IEC 27701 is intended to be a certifiable extension to the 27001 certifications, meaning an organization can achieve the privacy certification if they have the 27001 certifications.
The ISO 29100 Privacy Framework is another option, because it combines the privacy controls related to the EU’s GDPR into a management system.
How does combining privacy and cybersecurity frameworks make privacy projects more palatable to decision-makers? By sharing a control library, organizations can:
READ: 12 Steps to Build and Improve Your Privacy Program
If approached in the right way, privacy programs and initiatives don’t have to drain time and resources. In fact, combining a CSF with a complementary privacy control library can allow you to capitalize on continuing efforts around maturing their
cybersecurity program, while also enabling you to:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 29, 2024
By IANS Research
Access key data sets from the 2023 -2024 IANS and Artico Search’s Cybersecurity Staff Compensation Benchmark Report. Gain valuable insights on cybersecurity staff roles to hire and retain top security talent.
Access key data from IANS and Artico Search’s Compensation, Budget and Satisfaction for CISOs in Financial Services, 2023-2024 report. Find valuable insights around the Financial Services CISO role to help better understand your situation, improve job satisfaction and drive organizational change.
February 21, 2024
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.