Business leadership often views privacy programs as costly efforts with little return, but the changing regulatory environment makes a focus on privacy more imperative now than ever. The good news is that adopting a cybersecurity framework (CSF) along with a complementary privacy framework can ease the process and gain leadership buy-in by leveraging existing processes and policies and fostering efficiencies. This piece explains how to help leadership understand both the importance and the benefits of privacy programs.
A slew of new consumer privacy regulations continues to go into force. For example, the California Privacy Rights Act has gone into effect. An update to the California Consumer Privacy Act, it provides businesses with guidance around consumer data and privacy rights and is an effort to help consumers understand and have more control over their data. This regulation and others like it are forcing organizations to review their data collection and management processes to minimize the data they manage, and they also tend to impose stricter data-sharing requirements. All these updated data-handling requirements may seem daunting for an organization.
Most organizations have been building cybersecurity and data governance practices over the years, and many of these regulations’ new privacy and data-sharing requirements can be addressed by pairing existing cybersecurity frameworks with privacy frameworks and controls.
In fact, much of the heavy lifting for privacy controls is already addressed in the cybersecurity safeguards.
When you use existing cybersecurity frameworks and complementary privacy frameworks, you can merge the privacy and security teams' efforts, saving cycles for both.
For example, NIST published version 1.0 of the Privacy Framework on Jan. 16, 2020. It was designed to complement existing business and system development operations and to be used with the NIST Cybersecurity Framework (CSF), which was released on Feb. 12, 2014. Both frameworks are built on five domains, two of which overlap (see Figure 1).
If your organization has adopted the NIST CSF, you have already implemented some of the controls in the NIST Privacy Framework. Figure 2 shows the overlap between the two cyber domains and privacy domains. As you can see, most of the heavy lifting is already done.
ISO/IEC 27701:2019 is an international standard designed to assist organizations in creating and maintaining policies and procedures to protect data. Not only does ISO/IEC 27701 refer to building an Information Security Management System (ISMS), but it also references a Privacy Information Management System (PIMS). By running these two management systems (ISMS and PIMS) as one centralized control library, organizations can use the trusted brand strength of ISO/IEC 27701. In fact, ISO/IEC 27701 is intended to be a certifiable extension to 27001 certification, meaning an organization that already holds 27001 certification can achieve the privacy certification.
The ISO 29100 Privacy Framework is another option, because it combines the privacy controls related to the EU’s GDPR into a management system.
How does combining privacy and cybersecurity frameworks make privacy projects more palatable to decision-makers? By sharing a control library, organizations can:
If approached in the right way, privacy programs and initiatives don't have to drain time and resources. In fact, combining a CSF with a complementary privacy control library can allow you to capitalize on continuing efforts to mature your cybersecurity program, while also enabling you to:
September 26, 2023
By IANS Faculty