Privacy regulations boil down to protecting information. In other words, privacy is about the security of data. The various privacy rights can be traced back to the core security principles defined by NIST as Confidentiality, Integrity, and Availability (CIA). The different privacy regulations, regardless of approach, reach the same end: to protect the CIA of sensitive information. When organizations establish a firm foundation in security, they can implement privacy controls alongside security controls that anticipate future regulations and evolve accordingly. The starting point is a proper risk assessment.
Security teams are most likely familiar with the concept of conducting risk assessments. In addition, common security frameworks and audit standards require such assessments. For example, a risk assessment requirement can be found in the NIST Cybersecurity Framework, ISO 27001, SOC 2, and more. If the organization aligns with the NIST CSF or is audited annually against another standard, combining risk assessments can help ensure all internal controls are coordinated and updated appropriately.
A best practice in conducting risk assessments is to start with an asset and analyze the various threats and vulnerabilities associated with that particular asset. This asset-based approach is most effective in a combined security and privacy risk assessment because the essential ingredient for triggering privacy obligations is personal data, i.e., an asset. By combining the risk assessment, privacy teams may find that existing security controls mitigate the identified risks, or they may find that there is a gap in security controls. Effective mitigation can then be implemented to ensure that personal data is protected appropriately.
Risk Management Efficiency – Risk Assessment Example
Separate Risk Assessments
Security and privacy teams each conduct independent risk assessments.
Somewhere down the line, a discrepancy requires resolution. Disagreements arise, a mediator is brought in, followed by protracted negotiations. It can become a mess.
Combined Security & Privacy Risk Assessment
The combined risk assessment identifies security and privacy risks. The remediation plan maps to unified controls mitigating risk. The risk assessment is updated when the threat landscape changes and the controls are refreshed. Done.
Since the early 2000s, HIPAA and the Gramm-Leach-Bliley Act (GLBA) have demonstrated the convergence of privacy and security. Each recognizes that reasonable security begins with an appropriate risk assessment. Combining the disciplines yields a unified roadmap for cybersecurity and privacy policies and controls. With such a process, new laws and changes to the cyber-threat landscape become updates to a centralized core process.
The Truvantis Privacy Risk Program
Your Truvantis consulting team is a legal, security, and privacy expert all in one and can help align internal resources. Truvantis knows the ins and outs of security, privacy, and the risk frameworks. As a result, we can help make sure combined assessments are efficient. In addition, we are experienced in standardizing through popular frameworks and applying those standards across various organization types.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations.
Ready to move forward? Contact Truvantis for more information and to schedule a privacy workshop.
Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations and products. We specialize in helping our clients improve their cybersecurity posture by implementing testing, auditing and operating information security programs – balancing budget with risk appetite.