Dear NIST Privacy Framework, I have a problem

Written by Kathleen Randall, EVP North America
Published on 30 Oct 2020

This was my Groundhog Day situation in the 6 months before the CCPA update:

Customer:  “We are concerned about CCPA.”

Me: “Understandable, given the deadline date. What do you need to do for CCPA to make sure your organization is in compliance?”

Customer: “I have no idea.”

OR

Customer: “We have to comply with GDPR and 6 states’ privacy laws. We know we need to put in a privacy program, but we don’t want to wait until the entire U.S. privacy landscape settles. However, it would be great to receive guidance that we feel confident will meet most or all of the regulations.”

Data privacy and compliance regulations change regularly and vary considerably by country and state. Managing all of them alongside your business objectives is complex, so you need expert guidance and compliance software built for the job, whether the driver is CCPA, GDPR, or the next state law.

Why is Data Privacy Management a challenge?

Advances in technology rapidly create new ways of using personal data. Combined with a patchwork of state-level privacy regulation in the U.S., on top of country-specific regimes such as those of the UK and Japan, this makes it hard for national and global organizations to understand what they must do to comply with privacy regulation.

What’s with the Data Privacy struggle for U.S. companies?

The struggle is relatively new for American companies. The U.S. landscape is maturing, with state Attorneys General stepping into enforcement to protect their residents. Legal practitioners are taking on data protection officer (DPO) roles and must catch up on cybersecurity and technology practices, which typically are not their specialty.

CISOs are a big part of the privacy program foundation, but the goal is not only to protect personal data. Privacy practices are the operational practices of the business, carried out ethically, so the COO has a seat at the table too. Operations, legal, cybersecurity, and risk departments are trying to collaborate on the problem, but because each has traditionally handled only one piece of the puzzle, and rarely through a privacy lens, the conversations have often been a case of the blind leading the blind.

Technology is outpacing government regulations

Technology advances themselves pose an ongoing challenge to privacy professionals. While organizations try to set baseline privacy policies and practices, they keep changing their internal systems through automation and their business strategies through AI and big data, and they keep expanding their technology ecosystem with vendors whose offerings deliver the company’s digital transformation vision. Setting fixed control activities and audit practices in data privacy is like a golfer using the same iron and the same swing on every hole and every course, whatever the weather.

What is NIST Privacy Framework and why is it important?

The NIST Privacy Framework is a voluntary tool intended to help organizations identify privacy protection activities aligned with their business objectives, company policies and values, regulations, and risk management strategy. Published in January 2020 after a long wait, it is a necessary tool in today’s digital and regulatory landscape for many industries.

The framework provides a common language and a set of standard activities that are regulation-agnostic yet flexible enough to fit different businesses and regulatory drivers. Its Core is organized into five functions (Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P), each broken down into categories and subcategories of outcomes. Companies subject to multiple privacy regulations can use this single framework to take an “implement once, comply with many” approach rather than building a separate program for each regulation.

The Privacy Framework is designed to be used alongside the NIST Cybersecurity Framework, which helps identify the overlap between cybersecurity and data privacy activities; the Protect-P function, for instance, corresponds to the Cybersecurity Framework’s Protect function. The harmonized frameworks ease collaboration between cybersecurity and privacy teams within an organization. Although data privacy and cybersecurity activities are closely related, they are not the same: privacy risks can arise from events that are not security incidents at all, such as authorized processing that profiles or re-identifies individuals in ways they would not expect.

A strength of the Privacy Framework is that it is not a one-size-fits-all checklist. It starts by guiding an organization through a privacy risk assessment, which helps the organization decide which requirements to pursue given its regulatory obligations, business practices, risk tolerance, and ethical values.

The framework also provides a mechanism to assess the privacy implications of emerging digital and technology projects, which is critical in today’s changing digital landscape.

Where do I start to implement the NIST Privacy Framework?

SureCloud is the first combined data privacy, risk, and compliance management solution to support the new NIST Privacy Framework. It provides a TurboTax-like guided setup that walks a privacy team through the end-to-end workflow of building a privacy program on the framework, with best-practice guidance along the way.

The goal is to substantiate and ensure that privacy practices are in place at the organization. From privacy programs in their infancy to fully mature ones, SureCloud offers everything from out-of-the-box guidance to fully configurable templates and workflows that match company-specific practices. Businesses looking for CCPA compliance software and a one-stop solution to their GDPR and compliance conundrums need look no further.

As noted above, privacy is just one piece of the governance, risk, and compliance requirements a company must maintain. It is therefore important to create a single place where the risk, legal, compliance, and security teams can identify, track, and monitor their programs.

Centralizing these requirements results in:

  1. An enterprise view of risks at a company rather than siloed point issues
  2. A reduction in duplicative work effort amongst teams
  3. The elimination of contradicting activities that result in a negative risk impact to the company

SureCloud brings together the different program silos by:

    • Supporting a rationalized compliance program that aligns with multiple regulations and frameworks, such as:
      • NIST Cybersecurity Framework
      • NIST Privacy Framework
      • ISO standards
      • PCI DSS
      • IRAM2
    • Providing real-time dashboards to report risk and compliance posture from all angles (business units, stakeholder accountability, regulations, policies, etc.)
    • Linking your data privacy program to other risk and compliance initiatives in your organization to report true risk impact across the business in terms that executives and the Board of Directors can understand
    • Providing risk programs integrated into SureCloud, including:
      • Supporting a common language for risk and control assessments throughout the business
      • Centralizing and streamlining issue and remediation tracking across audits and assessments

Take a look at our follow-up on this topic, where we explain how the NIST Privacy Framework has been integrated with our software solution.

Want to know more about how SureCloud’s GRC, cyber, and risk management software could provide the compliance answers your business needs to manage the varying data privacy regulations in your area? Take a look at our Data Privacy Management solutions.