Building a Solid Foundation for Privacy: What Data Exist?

Author: Kelly Hood, CISSP, Optic Cyber Solutions
Date Published: 17 May 2021

As more privacy regulations are released, organizations must evaluate their privacy capabilities. However, it is difficult to know where to start. The first thing organizations need to do to make sure they are being responsible is to determine what data they possess. This can be challenging without a structured approach. The US National Institute of Standards and Technology (NIST) Privacy Framework provides a structure to help organizations understand common outcomes expected from a privacy program and provides recommendations on how to begin by identifying and inventorying data.1 By understanding their data, organizations can then better evaluate their privacy risk and implement the appropriate data processing safeguards. Every organization has some form of sensitive data—proprietary data related to how they run their business, personal data about their employees, and customer data on the individuals or organizations that use or purchase their products and services. These data need to be categorized to determine how to handle and protect them appropriately, which is often a challenge.

The NIST Privacy Framework includes 5 functions: Identify, Govern, Control, Communicate and Protect. Together, these functions provide the structure for organizing privacy capabilities within an organization. The first function seeks to identify what data an organization processes to help set a solid foundation. Once a foundation is in place, the framework moves on to governing privacy-related risk, controlling data to manage that privacy risk, communicating to ensure understanding of data processing and, ultimately, protecting data by implementing data processing safeguards. Leveraging the categories from the Identify function is a great way to get started.

For an organization to fully understand what types of data it has, it must understand the proprietary data, personnel data and customer data that it stores, processes and transmits. The best way to do this is to map the data. This begins with creating an inventory as defined in the first category within the NIST Privacy Framework, Inventory and Mapping (ID.IM-P), to understand the known types of data used across systems, products and services. This inventory may include the data owners and operators, the actions taken on the data, the purpose of the data and even the location of the data. Once the known data are inventoried, organizations can circulate the information across teams, business units, and divisions to get input and learn about what they do not already know. Although this may sound like a fairly straightforward task, it is often more difficult than it sounds. Personal data can be mixed into everything from an organization’s websites for marketing testimonials to backups for system restoration and even into development environments for testing purposes. Organizations must be aware of what information they collect, process and, ultimately, store.

Once an organization is confident it has an understanding of the data it possesses and the systems, products, and services that process those data, it can begin to determine what to do about it. How much of these data are absolutely required to do business, and how much brings a disproportionate amount of risk to the organization? The NIST Privacy Framework Business Environment (ID.BE-P) Category drives understanding and prioritization based on the needs of the business.


Organizational data, specifically personal information, are typically requested and provided every time someone signs up for a new service or registers to buy a product, and sometimes the data are captured even without the customer having to do anything. Organizations often process and store unnecessary data without considering the risk those data bring. This can be seen in the collection of excess information for store loyalty programs, keeping sales or customer information years after accounts have been closed, and even employees sharing unnecessary personal information during the hiring process. It is important for organizations to consider their business needs and leverage the NIST Privacy Framework Risk Assessment (ID.RA-P) Category to understand the privacy risk that comes with processing personal information and how it can affect them long term.

Data should be divided into 3 categories based on what an organization:

  1. Must have
  2. Would like to keep
  3. Does not have a business need for

This helps an organization better understand its needs and make decisions to better manage its privacy-related risk. The final category in the Identify function of the NIST Privacy Framework is the Data Processing Ecosystem Risk Management (ID.DE-P) Category. This category recommends that organizations take what they have learned and build out processes to ensure that their data processing, including collection, generation, use, storage, sharing, and disposal, fits their business needs and falls within their risk tolerance. If the data are not needed, then the organization needs to get rid of them.
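The inventory fields described above (owner, operator, actions taken, purpose, location) and the three-way split into must have, would like to keep, and no business need can be worked through in code. The following is an added example, not code from the article or from NIST: it holds a constructed sample inventory, sorts each record into the three categories, lists the records an owner should be asked to dispose of, and flags personal data sitting in development, backup or marketing locations, the places the article notes personal data tends to leak into. The classification rules (a record with no documented purpose or one kept past its own retention limit has no business need; a record unused for a year is at best one to keep) and the 365-day threshold are assumptions chosen for this example, not rules from the framework.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Need(Enum):
    """The three retention categories from the article."""
    MUST_HAVE = "must have"
    WOULD_LIKE_TO_KEEP = "would like to keep"
    NO_BUSINESS_NEED = "no business need"


@dataclass(frozen=True)
class DataRecord:
    """One data element as it exists on one system (the ID.IM-P inventory fields)."""
    element: str            # what the data are, e.g. "customer email address"
    personal: bool          # True if this is personal information
    system: str             # location: the system or store holding it
    environment: str        # production, backup, development, marketing ...
    owner: str              # accountable data owner
    operator: str           # team that handles the data day to day
    actions: tuple          # subset of: collection, generation, use, storage, sharing, disposal
    purpose: str            # documented business purpose; "" if none is recorded
    last_used_days: int     # days since the data were last used for that purpose
    retention_days: Optional[int] = None  # retention limit if one exists (assumed field)


# Constructed sample inventory for illustration only; systems and teams are made up.
INVENTORY = [
    DataRecord("customer email address", True, "crm", "production", "Sales", "Sales Ops",
               ("collection", "storage", "use"), "order confirmations and support", 3, None),
    DataRecord("customer email address", True, "crm-test", "development", "Sales", "Engineering",
               ("storage", "use"), "", 40, None),
    DataRecord("closed-account purchase history", True, "orders-db", "production", "Sales", "Sales Ops",
               ("storage",), "tax record keeping", 1200, 730),
    DataRecord("loyalty program birthdate", True, "loyalty-db", "production", "Marketing", "Marketing",
               ("collection", "storage"), "", 10, None),
    DataRecord("customer testimonial with full name", True, "public-website", "marketing", "Marketing", "Web Team",
               ("sharing",), "marketing content", 500, None),
    DataRecord("pricing model", False, "finance-share", "production", "Finance", "Finance",
               ("generation", "use", "storage"), "quoting", 2, None),
]

STALE_DAYS = 365  # assumed threshold: unused for a year means "would like to keep" at best


def classify(record: DataRecord) -> Need:
    """Sort one record into the three categories; the rules are assumptions for this example."""
    if not record.purpose:
        return Need.NO_BUSINESS_NEED            # nobody can say why it is held
    if record.retention_days is not None and record.last_used_days > record.retention_days:
        return Need.NO_BUSINESS_NEED            # kept past its own retention limit
    if record.last_used_days > STALE_DAYS:
        return Need.WOULD_LIKE_TO_KEEP          # a purpose exists, but the data sit idle
    return Need.MUST_HAVE


def triage(inventory) -> dict:
    """Map (element, system) -> Need for the whole inventory."""
    return {(r.element, r.system): classify(r) for r in inventory}


def disposal_candidates(inventory) -> list:
    """Category-3 records, with the owner to contact and the reason, in inventory order."""
    out = []
    for r in inventory:
        if classify(r) is Need.NO_BUSINESS_NEED:
            reason = "no documented purpose" if not r.purpose else "past retention limit"
            out.append((r.element, r.system, r.owner, reason))
    return out


def personal_data_outside_production(inventory) -> list:
    """Personal data in dev, backup or marketing locations: review whether it belongs there."""
    return sorted({(r.element, r.system, r.environment) for r in inventory
                   if r.personal and r.environment != "production"})


def share_by_owner(inventory) -> dict:
    """Group records by owner so each team can review and correct its part of the inventory."""
    by_owner = {}
    for r in inventory:
        by_owner.setdefault(r.owner, []).append((r.element, r.system))
    return by_owner


if __name__ == "__main__":
    for (element, system), need in triage(INVENTORY).items():
        print(f"{need.value:>18}  {element} @ {system}")
    print("dispose:", disposal_candidates(INVENTORY))
    print("review location:", personal_data_outside_production(INVENTORY))
```

Running it shows the same email address classified differently depending on where it lives: in the CRM it is required, in the test copy it has no documented purpose and goes on the disposal list, which is the point of inventorying by location rather than by data type alone. The `share_by_owner` grouping is what you would circulate to each team for the review round the article describes.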

Conclusion

Once an organization has walked through the necessary steps to inventory its data, understand its business needs, assess its privacy risk, and manage its risk to fit its business, it can have confidence that it has a solid foundation to begin expanding its privacy capabilities to also Govern, Control, Communicate and Protect its data in accordance with the NIST Privacy Framework. It is extremely difficult to protect the unknown, which is why it is essential for organizations to develop an understanding of the data they have today and map it.

Endnotes

1 National Institute of Standards and Technology (NIST), The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0, USA, January 2020

Kelly Hood, CDPSE

Works for Optic Cyber Solutions. She assists organizations in implementing cybersecurity and privacy best practices, controls and standards to manage risk and meet compliance goals. As a member of the NIST Cybersecurity Framework team, Hood supported the evolution and outreach of the Cybersecurity Framework through the current version and participated in working groups during the development of the NIST Privacy Framework. Hood has also been supporting the development and expansion of ISACA's Capability Maturity Model Integration (CMMI) Cybermaturity Platform. The patent-pending approach she helped develop for ISACA® translates cybersecurity risk to cybermaturity goals and identifies mitigation strategies to help organizations improve their cybersecurity capabilities.