In time for Data Privacy Day, Security Engineer Philippe Langlois reflects on the relationship between privacy and security—and the important role that tools like the National Institute of Standards and Technology (NIST) Privacy Framework can play.
Security and privacy, privacy and security. More and more, we see these terms intertwined and intermixed as organizations grapple with the complex issues of managing and maintaining the overabundance of data that they must process, store, and leverage. Nowadays, it seems like every website and organization takes privacy seriously based on all the cookie policies I have to accept, but is that where privacy starts and ends? What role does security play in terms of privacy? While I won't be able to cover the full topic in depth, I do want to use this article to talk about some of the high-level components of security and privacy.
Privacy, much like security, can be seen as an ambiguous term: when are we truly secure? When is our privacy really being protected? Fortunately, there has been a lot of effort from privacy experts (I am not one, but I have had opportunities to work with some) to create standards, regulations, and guidance that direct organizations’ privacy practices. One of these efforts is the NIST Privacy Framework, a standalone framework designed to help organizations tackle issues of privacy. While NIST had included privacy in some fashion in some of its other works, such as the NIST Special Publication 800-53 series, the NIST Privacy Framework attempts to provide a holistic approach to privacy rather than a piecemeal set of controls and recommendations. The good news is that if you’re familiar with how the NIST Cybersecurity Framework functions, the Privacy Framework works in pretty much the same way.
So why do we need a framework?
Frameworks like the NIST Cybersecurity Framework and the NIST Privacy Framework allow organizations to approach security and privacy as core components, integrated directly into key business decision-making. If the business connects security and privacy to its ethos and needs, it will be in a better position to drive the direction of those efforts rather than react to them.
Both NIST Frameworks share a similar structure and some similar core practices. For instance, both consist of three major components:
- The Framework Core, which describes associated outcomes organized by Function, Category, and Subcategory;
- A Profile, which captures current and desired state of the organization’s adoption of the outcomes found in the Core; and
- Implementation Tiers, which describe how the organization as a whole views and manages risk.
As an organization embarks on its privacy or security journey (hopefully both), it can use the Framework to communicate to the various stakeholders what is currently being done, captured in its Current Profile, and then work with those stakeholders to define the ideal future state based on its risks and business needs, captured in its Target Profile. The difference between the two Profiles is the gap the organization has chosen to close, and it is the basis for prioritizing work. While the elements within the Core differ between the Cybersecurity and Privacy Frameworks, the logical process is the same and is intended to provide a lingua franca as well as a repeatable and consistent methodology.
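The Current Profile versus Target Profile comparison is essentially a gap analysis over the Core outcomes. The following is an added example, not code from the original article or from NIST, that models that process: each Profile entry carries a Function, Category, Subcategory identifier, a Current and a Target implementation state, and a business priority, and the report lists the outcomes still to be closed in priority order. The Subcategory identifiers follow the Framework's Function.Category-P# naming pattern, but the states, priorities and the three-level implementation scale are constructed for illustration and are not part of the Framework itself.

```python
"""Gap analysis over a NIST Privacy Framework-style Profile.

Added example, not part of the original article or of the NIST Privacy
Framework. Models the three Framework components loosely: Core outcomes
(Function / Category / Subcategory), a Profile holding the Current and
Target state for each outcome, and a gap report derived from the two.
The implementation states, priorities and sample entries below are
constructed for illustration.
"""
from dataclasses import dataclass

# Ordinal implementation states (constructed scale); higher means more of
# the outcome is achieved. The Framework itself does not prescribe a scale.
STATES = {"not_implemented": 0, "partial": 1, "implemented": 2}


@dataclass(frozen=True)
class ProfileEntry:
    function: str      # Privacy Framework Function, e.g. "Identify-P"
    category: str      # Category name within that Function
    subcategory: str   # outcome identifier, e.g. "ID.IM-P1"
    current: str       # Current Profile state (key of STATES)
    target: str        # Target Profile state (key of STATES)
    priority: int      # 1 = highest business/risk priority

    def gap(self) -> int:
        """Target minus Current; 0 or less means the target outcome is met."""
        return STATES[self.target] - STATES[self.current]


def validate(entries):
    """Return a list of problems; an empty list means the Profile is usable."""
    problems = []
    for e in entries:
        for label, state in (("current", e.current), ("target", e.target)):
            if state not in STATES:
                problems.append(f"{e.subcategory}: unknown {label} state {state!r}")
        if e.priority < 1:
            problems.append(f"{e.subcategory}: priority must be 1 or higher")
    return problems


def gap_report(entries):
    """Outcomes whose Target exceeds Current, ordered by priority, then largest gap."""
    gaps = [e for e in entries if e.gap() > 0]
    return sorted(gaps, key=lambda e: (e.priority, -e.gap(), e.subcategory))


def function_summary(entries):
    """Per-Function (met, total) counts: the one-line view a stakeholder update needs."""
    summary = {}
    for e in entries:
        met, total = summary.get(e.function, (0, 0))
        summary[e.function] = (met + (1 if e.gap() <= 0 else 0), total + 1)
    return summary


# Constructed sample Profile. States and priorities are illustrative only.
SAMPLE_PROFILE = [
    ProfileEntry("Identify-P", "Inventory and Mapping", "ID.IM-P1", "partial", "implemented", 1),
    ProfileEntry("Identify-P", "Risk Assessment", "ID.RA-P1", "not_implemented", "implemented", 1),
    ProfileEntry("Govern-P", "Governance Policies, Processes, and Procedures", "GV.PO-P1", "implemented", "implemented", 2),
    ProfileEntry("Control-P", "Data Processing Management", "CT.DM-P1", "not_implemented", "partial", 2),
    ProfileEntry("Communicate-P", "Data Processing Awareness", "CM.AW-P1", "partial", "partial", 3),
    # A Target below Current is a legitimate, deliberate de-prioritisation; it
    # is reported as met, not as a gap.
    ProfileEntry("Protect-P", "Data Security", "PR.DS-P1", "implemented", "partial", 3),
]


def render(entries):
    """Plain-text report lines suitable for pasting into a stakeholder update."""
    problems = validate(entries)
    if problems:
        return ["Profile has errors:"] + [f"  {p}" for p in problems]
    lines = ["Outcomes to close (priority, gap):"]
    for e in gap_report(entries):
        lines.append(f"  P{e.priority} gap={e.gap()} {e.subcategory} ({e.function} / {e.category}): "
                     f"{e.current} -> {e.target}")
    lines.append("Per-Function status (met/total):")
    for fn, (met, total) in function_summary(entries).items():
        lines.append(f"  {fn}: {met}/{total}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_PROFILE)))
```

Run as a script it prints the prioritized gap list followed by a per-Function tally; the ordering key (priority first, then size of gap) is a design choice so that the stakeholders' risk ranking, not the size of the engineering work, drives what is tackled first.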
In addition to their structural and procedural similarities, the two frameworks also have direct cross-over between their Core practices. The Privacy Framework's Functions are Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, while the Cybersecurity Framework's Functions are Identify, Protect, Detect, Respond, and Recover. If you guessed that the activities in the Privacy Framework's Protect-P Function overlap heavily with those in the Cybersecurity Framework's Protect Function, you'd be correct. Not only are some practices directly related (equivalent in both frameworks), but various practices from Detect, Respond, and Recover have also been adapted to align more directly with privacy-specific requirements. (Note: for more information, refer to Appendix A of the Privacy Framework, which does a great job of communicating and visualizing those relationships.)
While privacy and security aren't identical, they are strongly tied together. Any organization that has a security program should strongly consider having a privacy program, and vice versa. Both programs are really about managing the risk the organization faces, whether it arises from security- or from privacy-related actions. Privacy, much like security, is a team sport that requires buy-in from the various stakeholders, and having a framework provides a common language and playbook to leverage.