Frameworks for Data Privacy Compliance

This post first appeared on Risk Management Magazine.

In recent years, we have seen an increase in data privacy
laws around the world. In the United States, the California Consumer Privacy
Act (CCPA) went into effect this year, joining similar data privacy regulations
in Maine and Nevada. Five states have also implemented privacy task forces, and
many other state legislatures are considering consumer privacy laws.

As new privacy regulations are introduced, organizations
that conduct business and have employees in different states and countries are
subject to an increasing number of privacy laws, making the task of maintaining
compliance more complex. While these laws require organizations to implement
reasonable security measures, they do not outline what specific actions
should be taken to satisfy this requirement. As a result, many risk managers
are turning to proven security frameworks that specifically address privacy.
Doing so can help organizations build privacy and security programs that make
compliance more manageable, even when beholden to multiple regulations.

Understanding Privacy and Security Frameworks

While no two frameworks are the same, each is designed to
help organizations identify and address potential security gaps that could
negatively impact data privacy. Such frameworks include the Center for Internet
Security (CIS) Top 20, Health Information Trust Alliance Common Security
Framework (HITRUST CSF), and the National Institute of Standards and Technology
(NIST) Framework.

CIS Top 20 features defensive security actions that serve as
a reliable starting point to reduce the probability of data breaches, organized
into three sections:

  • Basic Controls include inventory of software and hardware assets, continuous vulnerability management, and controlled use of administrative privileges.
  • Foundational Controls are more wide-ranging and detailed actions that fortify an organization’s defense, such as email protections, boundary defense, data protection and wireless access control.
  • Organizational Controls deal more directly with actions businesses should take to create a culture of security, including employee training, incident response and management, and penetration tests/red team exercises.

California’s attorney general has called the CIS Top 20 an
example of “reasonable” security practices, though it is unclear if using this
framework as a program baseline will be considered defensible. Still,
industry-wide, it is considered the minimum level of security that
organizations collecting information should implement.

Originally designed for health care organizations and
third-party vendors that serve health care clients, HITRUST CSF leads
organizations beyond baseline security practices to establish a strong, mature
security program. Recently, HITRUST has expanded its relevancy and
applicability beyond health care to provide organizations in any industry with
a comprehensive and efficient approach to regulatory compliance and risk
management.

HITRUST incorporates input from data protection professionals
and existing regulations and standards into a single overarching security and
privacy framework. Taking both risk and compliance concerns into account,
HITRUST CSF is suitable for organizations of varying sizes and industries,
regardless of risk profile.

Before pursuing HITRUST certification, organizations should
identify key stakeholders and define the scope. HITRUST recommends a
self-assessment to determine what areas should be addressed prior to a
validated assessment for certification. Based on the results of the readiness
assessment, the organization should develop a remediation plan for any issues
identified and work with its external assessor to define timing of the
validated assessment.

The NIST Framework also helps organizations move beyond baseline
controls to build a stronger security posture. It is composed of three parts:

  • The Framework Core is a set of activities that helps an organization achieve certain cybersecurity outcomes and provides guidance to do so. Within the Framework Core are five functions to organize cybersecurity activities at their highest levels: identify, protect, detect, respond and recover.
  • Framework Implementation Tiers are four categories of cybersecurity maturity:
    • Tier 1: Partial. Risk management practices are not formalized, and there is little awareness of cybersecurity risk.
    • Tier 2: Risk Informed. Some cybersecurity practices are in place, but may not be implemented in a consistent manner across the organization.
    • Tier 3: Repeatable. A formalized, consistent, and enforced cybersecurity policy exists across the organization.
    • Tier 4: Adaptive. An organization has a formalized cybersecurity policy and is continuously adapting it based on past experiences and trends that may alter the way it protects data.
    While organizations should strive to advance their level of cybersecurity maturity, it may not always be possible or necessary to do so, as tiers are based on an organization’s risk tolerance and other business needs.
  • The Framework Profile aligns functions from the Framework Core and categories and subcategories within those functions with an organization’s business requirements, risk tolerance and resources to determine the current or desired state of cybersecurity activities. This profile can help set the stage for creating a plan to improve overall security posture.

Implementing any of these frameworks will better position an
organization for compliance with the security components of privacy
regulations, but always remember that it is not a one-time activity. Security
frameworks are regularly adjusted to reflect changes to existing laws,
introduction of new laws and the evolution of threats. Organizations should
regularly reassess their methods for addressing data privacy and security
against updated frameworks, determine how changes impact the risk of
noncompliance, and adjust their strategies accordingly.

With a number of consumer data privacy laws in effect and
more being proposed, businesses must take aggressive, proactive measures to
achieve compliance and prepare for enforcement. The absence of definitive
guidance from these laws will not preclude liability. Following the
prescriptive measures outlined in proven security frameworks will ensure
organizations not only meet industry-accepted standards, but also achieve
comprehensive security maturity that will yield benefits far beyond compliance.
