Privacy Regulations Include Cybersecurity Requirements

You can implement cybersecurity practices without privacy, but you cannot implement privacy practices without cybersecurity! This is an important concept to keep in mind when considering any of the newer privacy laws, regulations and industry frameworks, including the European Union General Data Protection Regulation (EU GDPR), California Consumer Privacy Act (CCPA), and NIST Privacy Framework [draft]. These requirements can be considered "two-sided coins" in regards to the interconnected nature of privacy and cybersecurity where there is a clear expectation that in addition to a formal privacy program, a cybersecurity program also exists:

The determination of "secure practices" is left to the organization to define. In most cases, this means alignment with ISO 27001/27002, NIST Cybersecurity Framework, or NIST 800-53 as the framework used to define what "right" looks like from a cybersecurity perspective. The determination of "privacy practices" are also left to the organization to define. Just like with cybersecurity frameworks, there are numerous privacy frameworks an organization can choose from. The selection of security and privacy frameworks for an organization to align with is a business decision and is not dictated by technology. Those frameworks are meant to support the organization's overall business operations and strategic goals. The selection of frameworks is foremost a business decision. These expectations for both privacy and cybersecurity apply not only to processors and controllers of data, but supply chains as well. An organization's internal "secure practices" are meaningless if there are unmanaged third-party service providers that have unfettered access to sensitive data or the systems / applications / services that store, transmit and process personal data.

Our solutions are applicable for both processors and controllers! We focus on leading industry practices to build documentation that will steer your organization towards building both secure and compliant systems, applications and processes.

Ready To Operationalize Privacy & Cybersecurity Principles To Meet Compliance Needs? We are. 

Please keep in mind that security & privacy engineering principles are not just limited to EU GDPR & CCPA. The requirement to have secure practices that protect the confidentiality, integrity and availability of your sensitive data is very common:

• NIST 800-53 - SA-8
• NIST Cybersecurity Framework - PR.IP-2
• ISO 27002 - 14.2.5 & 18.1.4
• Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012 (NIST 800-171) - 3.13.1 & 3.13.2
• Federal Acquisition Regulations (FAR) 52.204-21 - 4
• National Industrial Security Program Operating Manual (NISPOM) - 8-302 & 8-311
• SOC2 - CC3.2
• Generally Accepted Privacy Principles (GAPP) - 4.2.3, 6.2.2, 7.2.2 & 7.2.3
• New York State Department of Financial Service (DFS) - 23 NYCRR 500.08
• Payment Card Industry Data Protection Standard (PCI DSS) - 2.2
• Center for Internet Security Critical Security Controls (CIS CSC) - 1.2, 5.9, 6.2, 6.3, 6.4, 6.5, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 8.6, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 11.4, 11.5, 11.6, 11.7, 13.4, 13.5 & 16.5

Cybersecurity & Privacy Documentation Done Right - A Solution That Is Scalable, Comprehensive & Efficient

We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary cybersecurity and privacy documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks. 

Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.

Free Compliance Resources - EU GDPR Compliance Criteria & Privacy Management Principles

ComplianceForge teamed up with the Secure Controls Framework (SCF) to create the EU GDPR Compliance Criteria (EGCC) and the SCF Privacy Management Principles, which are free resources to help companies understand and manage their privacy-related controls. What is unique about the EGCC and SCF Privacy Management Principles is that they map to the existing frameworks that many companies use for their existing cybersecurity programs (e.g., ISO 27002, NIST 800-53, GAPP, etc.). This mapping to ISO and NIST frameworks, as well as our Digital Security Program (DSP) makes your compliance requirements easy to manage.

At ComplianceForge, we are here to provide businesses with the documentation they need to comply with the EU GDPR, CCPA and other requirements that demand companies "bake in" both cybersecurity and privacy principles into their day-to-day operations and project development processes. We refer to it as Cybersecurity for Privacy by Design (C4P). Privacy and secure engineering are just one component of building an audit-ready cybersecurity and privacy program!

Cybersecurity for Privacy by Design (C4P) Model

ComplianceForge offers a very unique set of solutions, beyond just cybersecurity policies and standards. Our comprehensive documentation addresses common cybersecurity and privacy frameworks that enables companies to obtain quality documentation to prove evidence of due care and due diligence for how cybersecurity and privacy principles are implemented. The EU GDPR & CCPA are more than a checklist of requirements - these regulations expect processes to exist. When a process is audited, it requires documentation to prove their existence. Therefore, documentation is king!

Surprising to many people, privacy protections overlay most existing security protection mechanisms. In a C4P model, the focus is on People, Processes and Technology.

A focus on C4P allows an organization to: Enable privacy principles through an integrated approach with security; Preset security configuration settings so that it is secure by default; “Bake in” security mechanisms, as compared to “bolting on” protections as an afterthought; Keeping things simple to save resources and avoid negatively affecting users; Integrate throughout the lifecycle of projects / applications / systems; Support a common method to “trust but verify” for projects / applications / systems; and Position security to be seen as an enabler through educating users, managing expectations, and supporting change.

Privacy Compliance - Where Do We Start?

Before you can jump in and just start "doing privacy and security," your company needs to first address some fundamental building blocks that are often overlooked:

• Step 1 - Make sure your company's policies and standards are "audit ready" for your applicable privacy regulations. This means that they are aligned with an industry-recognized leading framework, which shows that you are aligned with reasonable expectations for your industry.
• Step 2 - Eliminate "tribal knowledge" by documenting how processes actually work and ensure that key stakeholders are aware of what "right" looks like. If you have written processes, audit them to make sure what is published is actually what is being done.
• Step 3 - Establish governance / oversight of processes to ensure your company's processes are actually working as they are supposed to. If not, make fixes and keep verifying.  

Understanding "Security By Design" As It Pertains To Privacy Regulations 

In terms of the EU GDPR, the regulation is expecting your company  to define “adequate level of data protection” and “appropriate technical or organizational measures” in terms of its alignment with leading security practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing a single framework or even a hybrid model, but your company needs to have evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but these are several common sources for "security principles" that a company should leverage:

• International Organization for Standardization (ISO) 27002
• National Institute of Standards and Technology (NIST) 800-53 
• NIST Cybersecurity Framework

Understanding "Privacy By Design" As It Pertains To Privacy Regulations

In terms of the EU GDPR, the regulation is expecting your company  to define “adequate level of data protection” and “appropriate technical or organizational measures” in terms of its alignment with leading privacy practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing privacy frameworks, but your company needs to have evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but these are the most common sources for "privacy principles" that a company should leverage are:

• ISO 27701
• ISO 29100
• Generally Accepted Privacy Principles (GAPP)
• Fair Information Practice Principles (FIPP)
• NIST Privacy Principles [draft]
• US Privacy Shield
• SOC 2 Privacy Principles (AICPA Trust Services Criteria)

Operationalizing Security by Design (SbD) & Privacy by Design (SbD) Begins With Understanding Expectations

Understanding the requirements for both Security by Design (SbD) and Privacy by Design (PbD) principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations to right-size the approach, since every organization is unique:

Applicable best practices based on your company’s industry. ISO 27002 NIST 800-53 SOC II Operational Technology (OT) & Internet of Things (IoT) Statutory obligations (e.g., state, federal and international laws) FTC Act (prohibition on unfair business practices) Family Educational Rights and Privacy Act (FERPA) Children's Online Privacy Protection Act (COPPA) State ID theft laws (e.g., MA 201 CMR 17) Regulatory obligations (e.g., regulatory bodies or governmental agencies) EU General Data Protection Regulation (EU GDPR) NY Department of Financial Services (23 NYCRR 500) FISMA / DIACAP / DIARMF Contractual obligations (e.g., vendor agreements) DFARS / FAR (e.g., NIST 800-171) Privacy Shield PCI DSS