NIST Privacy Framework – A focus on the identify function

Managing privacy using a risk-based approach is a consistent theme in many recent privacy regulations, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). From a practical perspective, leveraging a risk-based best practice framework that focuses on improving capabilities is a great approach to address an ever-changing compliance landscape and protect personal information. The NIST Privacy Framework, issued in January 2020, is intended to help organizations build better privacy foundations by bringing privacy risk into parity with your broader enterprise risk portfolio.

The NIST Privacy Framework was established with a transparent, consensus-based process including both private and public stakeholders. This framework uses a common language and the framework core provides a set of best practice actions designed to achieve specific outcomes. The NIST Privacy Framework uses the following core elements:

• Functions: Functions are basic cyber security or privacy activities at their highest level. Functions aid an organization in expressing its management of cyber security or privacy risk by organizing information understanding and managing data processing, enabling risk management decisions, determining how to interact with individuals, addressing threats and improving by learning from previous activities.
• Categories: Categories are subdivisions of a function into groups of cyber security and privacy outcomes closely tied to programmatic needs and group of activities.
• Subcategories:  Categories are further divided into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support the achievement of the outcomes in each category.

Know your data processing ecosystem – Identify

The NIST Privacy Framework Identify function is the first of five functions. This function focuses on maintaining an inventory of data processing activities, ensuring that the privacy interests of individuals are understood and tracked using a risk-based approach. Many organizations struggle with having a clear understanding of their privacy risks associated with their data processing. Establishing, maintaining, or improving control categories and subcategories is critical as the foundation of a risk-based privacy program. This foundation can be accomplished in 4 control categories:

Inventory and Mapping: Maintaining current inventories of what data processing occurs, by which systems, for what products and services is key to informing management of privacy risks. Many organizations may struggle with this step due to lack of visibility, legacy processes, recent acquisitions, or the absence of solid Enterprise Data Management (EDM) practices.

Key considerations and data elements for Inventory and Mapping are:

• Ensuring that there is a process to record and maintain a listing of systems, products, and services that process data.
• Documenting owners or operators that process data, including external third parties.
• Defining categories of individuals whose data is processed such as customers, prospects, current or former employees, and consumers.
• List all data actions, data elements and the purpose for each.
• Establish the roles of data owners and interactions with third parties.

Business Environment: Ensures that the organization’s mission, objectives, stakeholders and activities are used to support risk management decisions. Clarity from leadership is key.

• Ensure that roles for data processing are identified and communicated.
• Communicate organizational privacy mission, objectives and activity priorities.
• Publish key requirements for systems, products and services that support privacy priorities.

Risk Assessment: Privacy risks to individuals are understood and their impacts to other risk management priorities are considered.  Looking at your processing activities from the perspective of the individual’s data that is being processed.

• Context of individuals privacy interests or perceptions around data actions are understood.
• Data inputs and outputs are identified and evaluated for potential bias.
• Potential problematic data actions are identified and the likelihood and impacts of data actions are evaluated and prioritized.
• Risk responses are identified, prioritized, and implemented.

Data Processing Ecosystem Risk Management: Priorities, constraints, risk tolerance are used to support privacy risk management decisions for the organization and third parties involved in the data processing ecosystem.  You cannot offload the risks to your third-party providers.

• Data processing risk management policies, processes and procedures are managed and approved by organizational stakeholders.
• Identify and assess the risk of all parties involved within the ecosystem.
• Ensure that contracts with partners involved in data processing align with current privacy program objectives.
• Audit, test and evaluate the performance of your partners to ensure that they are meeting privacy obligations and expectations.

OpenText Advisory Services – Identify

Using the NIST Privacy Framework is a great way to mitigate privacy risk, and enable control capabilities to address current and future compliance requirements. Focus on the Identify function will result in the following positive outcomes:

• Clear understanding of data processing activities. You cannot protect what you do not know exists.
• Organizational alignment for the mission and objectives of data processing actions that are integrated into overall risk management activities.
• Increased clarity of the risks from the perspective of the individual’s data that is being processed.
• Improved alignment and management of partners or third-parties involved in data processing activities.

OpenText Professional Services can advise, guide and assist an organization with their Cyber-Security and Privacy objectives:

• Data Classification Services – Leveraging OpenText’s AI/ML capabilities to ensure that personal data risks are managed effectively.
• Security and Incident Response Training – Curated Table-Top Exercises and Security Awareness Workshops to reinforce cyber security best practices.
• Incident Response Documentation Review – Analysis of the adequacy and completeness of incident response policy or procedure documentation against best practice like NIST 800-61 rev.2.
• Threat Hunting Services – Integrates the best in breed technologies with custom workflows, leveraging machine learning and the MITRE ATT&CK framework to quickly find patterns, relationships and indicators of compromise.

For more information on our Risk & Compliance Services, contact us.