By Tim Buckler
The NIST Privacy Framework
NIST (National Institute of Standards and Technologies) published in January 2020 its Privacy Framework, “a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.” In this week’s Oyster Stew podcast, Oyster Consultant Tim Buckler explains what the Privacy Framework is, why you should implement it, and what is involved, including:
- The 3 sections of the Privacy Framework: Core, Profiles and Implementation Tiers
- Creating a Privacy Risk Assessment
- NIST’s Cybersecurity Framework and how it differs from the Privacy Framework
Welcome to this week’s serving of Oyster Stew, a mix of financial services, commentary and insight. Each week we’ll discuss what is happening in the industry based on what we see as we work with regulators and clients. We hope you come away with the knowledge and tools to help you make the best decisions for your firm’s future. You can learn more about Oyster Consulting and the value we can add to your firm by going to our website, www.Oysterllc.com
Elizabeth G: 0:32
Hi everybody. I’m Elizabeth Gatlin, a business analyst at Oyster Consulting and the host of today’s podcast. Last week, NIST published its Privacy Framework. Today’s podcast explains what the Privacy Framework is, why you should implement it, and what is involved. Today, I’m here with Oyster Consultant, Tim Buckler. Tim’s experience and expertise is focused on cybersecurity, data analysis, GDPR assessments, and project management support for clearing platform conversions. So Tim, let’s get started. Can you provide me with a quick overview of the Privacy Framework?
Tim Buckler: 1:12
Yes. The Privacy Framework is a set of structures to help a firm build better privacy foundations and bring your privacy risk into parity with your other risk portfolio. Your firm is identifying organizational risk, reputational risk, and trading risk. Privacy risk deserves to have just as much discussion as those. The framework is designed in order to be adapted to your firm, and it’s not a checklist that you’re supposed to run down.
Elizabeth G: 1:43
So who is NIST and why is it important that they’ve put out this Privacy Framework?
Tim Buckler: 1:48
NIST stands for the National Institute of Standards and Technology. It’s under the US Department of Commerce. They are tasked to create a set of standards across all industries and the US economy to facilitate innovation. They are not a regulatory agency, but rather a cooperative agency set to have everyone speaking in the same terms. Importantly, this Privacy Framework, like all the other standards that they put out, is supposed to be open to use and adapt as appropriate for each firm. One key event that privacy policies have helped mitigate is breaches. Recently, a credit agency in the US had 148 million records breached. This cost them about $584 million in direct costs. Globally, they estimated it cost about $1.4 billion, including cybersecurity practices they had to put in place and extra infrastructure they had to add. They are actually quite lucky that the breach came just before the European Union’s GDPR came into effect. They were only fined about 500,000 pounds. If GDPR had been in effect, they would have easily been fined millions.
Elizabeth G: 3:01
So what exactly is the Privacy Framework and as a firm, how do we adapt it?
Tim Buckler: 3:09
Like I said before, the Privacy Framework is not a checklist. It is a broad set of structures that your firm should go through and adapt to your individual situation. The Privacy Framework is broken down into three broad sections: Core, Profiles and Implementation Tiers.
Elizabeth G: 3:29
Can you explain the Core?
Tim Buckler: 3:32
The Core is all about communicating your prioritization from your executive level to your operations level. It is broken down into five key functions: identify, govern, control, communicate and protect. Identify starts with a risk assessment to develop the organizational understanding of what your risks are and ways you can manage those risks. The govern function is about developing and implementing a high-level governance structure in order to manage your risks. Control is about developing and implementing controls for individuals to help manage the individual privacy risks. Communicating is all about making sure that each individual in your organization understands their role within the Privacy Framework. Protect is all about establishing the safeguards that at the end of the day protect your data.
Elizabeth G: 4:29
What are profiles?
Tim Buckler: 4:31
Profiles enable the prioritization of outcomes and activities that are based on your individual organization’s privacy values, mission needs and risks. They’re all about understanding your firm’s current privacy activities and understanding your desired outcomes. You first develop your Core, and then you determine the most important areas you want to focus on as a business, and then put them in place.
Elizabeth G: 4:59
And what are the Implementation Tiers?
Tim Buckler: 5:02
Implementation Tiers help support your decision making and communication about the sufficiency of your process and privacy risk management. They provide a point of reference on how your organization should view privacy risk, and whether all your processes and resources sufficiently manage that risk. Tiers reflect the progression from informal, reactive responses to a proactive, agile, risk-informed response.
Elizabeth G: 5:32
So how do we start?
Tim Buckler: 5:35
The first step is a privacy risk assessment. This privacy risk assessment follows many of the guidelines of other risk assessments you probably have done before. The privacy risk assessment is all about identifying and evaluating the individual privacy risks that are part of your firm. In general, it’s about weighing the benefits of undergoing activities, against the potential risks that may come as a consequence of that. Key things you should be focused on are how do you mitigate the risks? Are you able to transfer or share that risk? Can a risk be avoided altogether? And, ultimately, how do you accept risk?
Elizabeth G: 6:13
Doesn’t NIST also have a Cybersecurity Framework?
Tim Buckler: 6:17
Yes, NIST has published a well-known Cybersecurity Framework. If you’re familiar and comfortable with the Cybersecurity Framework, you’ll be immediately comfortable with the Privacy Framework. They are designed to work together in order to better understand the risks that are part of your firm. The Cybersecurity Framework has the same Core, Profiles and Implementation Tier structure that the Privacy Framework is established with. One of the key differences between the two is that NIST’s Core is comprised of five functions: identify, protect, detect, respond, recover. While identify and protect are shared with the Privacy Framework, in the NIST Cybersecurity Framework, detect, respond and recover are different.
Elizabeth G: 7:06
So if I already have their Cybersecurity Framework, do I also need the Privacy Framework?
Tim Buckler: 7:13
I believe it’s important to use both. The Privacy Framework goes beyond what the Cybersecurity Framework governs. The Cybersecurity Framework is foremost an organization-first policy. It’s all about understanding how your firm as a whole can identify and mitigate risks. The Privacy Framework is about the individual. First, one key difference is the Privacy Framework attempts to mitigate what NIST calls the “dignity type effects” – things like discrimination, economic loss, and physical harm. Not all of those will be covered by the Cybersecurity Framework.
Elizabeth G: 7:53
Okay, so how can Oyster help?
Tim Buckler: 7:57
Oyster can help your firm with both a Privacy Framework and a Cybersecurity Framework implementation. We help with risk assessments, systems management, role based access management, your physical and data security policies, vendor due diligence, disaster recovery and business continuity planning, information security roadmap, prioritization, training, things like that.
Elizabeth G: 8:22
Thanks Tim. We’re running low on time, but you can find more information about the Privacy and Cybersecurity Frameworks at www.NIST.gov. Thanks to everybody for listening. If you have any questions about your firm’s Cybersecurity or Privacy Framework, or you have a topic you’d like us to discuss in the future, feel free to call us at (804) 965-5400 or visit our website, www.oysterllc.com.