Employing Privacy Frameworks in Uncertain Times

Authors: Donel Martinez, CISA, CAMS, CSF Practitioner, and Joshua Marks, JD, CIPP/US
Date Published: 21 May 2020

The current global crisis is disrupting and disabling many core business functions. For many organizations, in-office work has shifted to remote work, requiring virtual conferencing tools and the sharing of sensitive information with a dispersed workforce. As this shift continues with no clear end date, your organization must consider the risk to the digital privacy of the personal information it holds. Your customers, employees, contractors and prospects expect privacy.

To meet these expectations, you must understand the state of your organization's privacy program in this current crisis. A solid privacy framework, such as the US National Institute of Standards and Technology (NIST) Privacy Framework, can help you evaluate your program and develop a clear path to maturity. Our recent ISACA® Journal article discusses ways you can couple your existing audit principles with this framework to unify your privacy and audit efforts.

Since its release in January 2020, we have seen a number of organizations embrace the NIST Privacy Framework because of its integration with the widely adopted NIST Cybersecurity Framework (CSF). Used together, the two frameworks let an enterprise evaluate and address security and privacy controls in one effort rather than in separate programs.

Another reason the framework has grown in popularity is its straightforward approach to privacy and compliance. The Privacy Framework is built upon what it calls "the Core," a set of fundamental privacy activities and their associated outcomes. Organizations are instructed to build a Current Profile that identifies the privacy activities they already perform and the outcomes those activities achieve. Say your organization created an inventory of all systems that process personal information to improve its understanding of privacy risk. The outcome of that activity would be documented in your organization's Current Profile as a centralized record of those systems.

Knowing where you are is only the first step; you also need to know where you are going. Using the Core, the Privacy Framework helps you map out a Target Profile of the privacy outcomes you want to reach. For example, your organization may have a standard privacy awareness training that gives employees a basic understanding of privacy concepts. For your Target Profile, you could aim for more detailed privacy training for specific functions, e.g., human resources or marketing, to better equip those employees to handle personal information. The gap between the Current Profile and the Target Profile is what drives your action plan and tells you which parties need to be involved.

[Figure: NIST Privacy Framework. Image Source: NIST Privacy Framework]

Right now, it is hard for anyone to know what each day or week holds, which makes planning a challenge. But a strong privacy framework can help you understand where you are and where you want to go, even in uncertain times.

Editor's note: For further insights on this topic, read the recent Journal article: "Aligning COSO and Privacy Frameworks to Manage Privacy in a Post-GDPR World," ISACA Journal, volume 2, 2020. For additional privacy resources from ISACA, visit https://www.isaca.org/credentialing/certified-data-privacy-solutions-engineer.