Security is a key pillar of any privacy program – meaning holistic security and privacy compliance is crucial to business strategy. Before you can properly manage personal data in your IT ecosystem, you need the assurance of best practices as well as basic and advanced security protections. Privacy best practices for data mapping and management help to both champion the value of transparent operations and build internal and external trust.
Trust – an earned outcome that results from actioning consistent, integrity-based commitments across the enterprise – is the foundation of relationship building between a brand, its customers, and all of its partners. To establish trust, it’s imperative that brands implement privacy-informed security practices to achieve holistic privacy and security compliance.
Watch the webinar to learn more about how you can enhance privacy accountability across your organization.
Why is Privacy-Informed Security Oversight Important?
As privacy programs have evolved, they have largely been executed as a compliance function rather than a security activity. Today privacy management is recognized as an essential business function, and many organizations have successfully enhanced their security programs by adapting practices with a privacy lens. Privacy management is a key indicator of proper IT asset management and holistic risk and security program implementation, both of which are the necessary functions of data and asset protection.
When privacy-informed security oversight is implemented across an organization, teams are enabled to streamline both internal and external auditing. Organizations can dynamically execute compliance processes to demonstrate effectiveness, align teams and provide measurable output across privacy and security compliance activities.
Key Privacy and Security Compliance Considerations
Confidentiality, integrity, and accessibility of data are key components of privacy-informed security oversight. To achieve all three, organizations must implement a holistic security and privacy compliance program. The following are key considerations for privacy and security professionals when standing up a privacy-informed security solution:
- Potential for risk blind spots: Teams and leadership should have visibility across risk domains to ensure critical areas are protected and risk blind spots are mitigated from the perspective of both security and privacy subject matter experts. Where do your risks lie, and what is the potential impact on customer data if a risk is realized because it was overlooked?
- The value of the singular workflow: A number of teams operate ad-hoc or parallel programs for privacy and security management. When standing up a comprehensive privacy and security program, it’s important to instill alignment across teams and reduce the number of workflows where possible.
- Program redundancies: When working across teams there are often multiple different documentation processes and sources of information across controls and reporting channels. How can your team work to reduce the number of documentation sources that it’s using?
- Testing & reporting processes: Teams are often required to test controls and report across overlapping security and privacy requirements. Establishing a trust-based security and privacy compliance program can help reduce redundancy in these processes to save organizations time and money.
Read our blog to learn more about the impact of trust management in establishing a singular workflow.
Examples of Privacy Expansions from Security Frameworks
Security references are found throughout privacy regulatory guidance, and there are also a number of pre-existing information security frameworks that can be leveraged. Although they come from different perspectives, ISO 27001 and the GDPR are at their core both about reducing risk to people and organizations caused by misuse of personal data, with a demonstrable overlap in both principles and requirements. In the past, privacy and security were related, but separate, areas of focus.
Both ISO and NIST have published expansions to their existing security frameworks focused on privacy best practices designed to be a companion guide to flagship materials ISO 27001 and NIST CSF.
NIST Privacy Framework
The NIST Privacy Framework is intended to help organizations better manage potential privacy risks and demonstrate and maintain compliance with global privacy laws. By taking a risk- and information security-centric approach, the NIST Privacy Framework lends itself to supporting holistic privacy-by-design programs for businesses.
The NIST Privacy Framework is broken down into three parts: Core, Profiles, and Implementation Tiers.
The Core component covers how organizations need to connect privacy best practices to their missions and goals. The Profiles section reinforces the roles each member of the organization plays in risk management. And the Implementation Tiers describe privacy protection action items. With this in mind, the NIST Privacy Framework addresses:
- How to integrate privacy as you design and deploy new systems, products, and services.
- How to communicate about your privacy practices.
- How to avoid silos and spur collaboration across teams.
ISO 27701 Privacy Information Management System (PIMS)
ISO 27701 Privacy Information Management System (PIMS), formerly known as “ISO 27552”, is a privacy extension to ISO/IEC 27001 that establishes additional requirements and provides guidance for the safeguarding of privacy as potentially affected by personal data processing. The guidelines focus on leveraging technology for the continual improvement of privacy management, as well as on the planning and implementation of global privacy laws and frameworks.
Additionally, there is significant overlap with the AICPA Trust Service Criteria (TSC), which serves as the basis for the popular SOC 2 report, as well as with the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR), the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) and more. Moreover, many of these frameworks, and others like them, have been mapped to one another to reveal their many areas of overlap (e.g., as seen in the CSA CAIQ6). These frameworks are well-respected, have served as industry standards for many years and are immensely valuable when establishing overall security posture.
How can OneTrust help with Privacy and Security Compliance?
OneTrust provides a shared inventory of your IT assets and the data processes throughout your business across key risk and compliance domains such as privacy, IT, and vendor risk management. Additionally, OneTrust delivers a dynamic infrastructure for control management to enable businesses to crosswalk common controls from various standards, frameworks, and regulations. With a common reporting channel to measure the practices in place, teams can test common controls once and comply across both internal and external auditing authorities, demonstrating effectiveness and ultimately enhancing oversight across both privacy and security compliance by aligning programs and sharing information.
Further privacy and security compliance reading:
- Blog: Privacy and IT Risk: How Secure Are Your Assets Securing Personal Data?
- Blog: Mature Your Privacy Program with DSAR & Incident Management Automation
- Blog: The Necessary Evolution of Privacy Program Automation
Next steps on privacy and security compliance: