Privacy Regulations Include Cybersecurity Requirements
You can have security without privacy, but you cannot have privacy without security. This is an important concept to keep in mind when considering any of the newer privacy laws, regulations and industry frameworks, including the European Union General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA) and the NIST Privacy Framework [draft]. These requirements can be considered "two-sided coins" with regard to the interconnected nature of privacy and cybersecurity: there is a clear expectation that, in addition to a formal privacy program, a cybersecurity program also exists.
Our solutions are applicable for both processors and controllers! We focus on leading industry practices to build documentation that will steer your organization towards building both secure and compliant systems, applications and processes.
Ready To Operationalize Privacy & Cybersecurity Principles To Meet Compliance Needs? We are.
Please keep in mind that security & privacy engineering principles are not just limited to EU GDPR & CCPA. The requirement to have secure practices that protect the confidentiality, integrity and availability of your sensitive data is very common:
- NIST 800-53 - SA-8
- NIST Cybersecurity Framework - PR.IP-2
- ISO 27002 - 14.2.5 & 18.1.4
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 (NIST 800-171) - 3.13.1 & 3.13.2
- Federal Acquisition Regulation (FAR) 52.204-21 - 4
- National Industrial Security Program Operating Manual (NISPOM) - 8-302 & 8-311
- SOC 2 - CC3.2
- Generally Accepted Privacy Principles (GAPP) - 4.2.3, 6.2.2, 7.2.2 & 7.2.3
- New York State Department of Financial Services (DFS) - 23 NYCRR 500.08
- Payment Card Industry Data Security Standard (PCI DSS) - 2.2
- Center for Internet Security Critical Security Controls (CIS CSC) - 1.2, 5.9, 6.2, 6.3, 6.4, 6.5, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 8.6, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 11.4, 11.5, 11.6, 11.7, 13.4, 13.5 & 16.5
Free Compliance Resources - EU GDPR Compliance Criteria & Privacy Management Principles
ComplianceForge teamed up with the Secure Controls Framework (SCF) to create the EU GDPR Compliance Criteria (EGCC) and the SCF Privacy Management Principles, which are free resources to help companies understand and manage their privacy-related controls. What is unique about the EGCC and the SCF Privacy Management Principles is that they map to the frameworks many companies already use for their cybersecurity programs (e.g., ISO 27002, NIST 800-53, GAPP, etc.). This mapping to the ISO and NIST frameworks, as well as to our Digital Security Program (DSP), makes your compliance requirements easier to manage.
At ComplianceForge, we are here to provide businesses with the documentation they need to comply with the EU GDPR, CCPA and other requirements that demand companies "bake in" both cybersecurity and privacy principles into their day-to-day operations and project development processes. We refer to it as Cybersecurity for Privacy by Design (C4P). Privacy and secure engineering are just one component of building an audit-ready cybersecurity and privacy program!
Cybersecurity for Privacy by Design (C4P) Model
ComplianceForge offers a unique set of solutions that goes beyond cybersecurity policies and standards. Our comprehensive documentation addresses common cybersecurity and privacy frameworks, which enables companies to obtain quality documentation that provides evidence of due care and due diligence for how cybersecurity and privacy principles are implemented. The EU GDPR and CCPA are more than a checklist of requirements: these regulations expect processes to exist, and when a process is audited, documentation is required to prove that it exists. Therefore, documentation is king!
Surprising to many people, privacy protections overlay most existing security protection mechanisms. In a C4P model, the focus is on People, Processes and Technology.
A focus on C4P allows an organization to:
Privacy Compliance - Where Do We Start?
Before you can jump in and just start "doing privacy and security," your company needs to first address some fundamental building blocks that are often overlooked:
- Step 1 - Make sure your company's policies and standards are "audit ready" for your applicable privacy regulations. This means that they are aligned with an industry-recognized leading framework, which shows that you are aligned with reasonable expectations for your industry.
- Step 2 - Eliminate "tribal knowledge" by documenting how processes actually work and ensure that key stakeholders are aware of what "right" looks like. If you have written processes, audit them to make sure what is published is actually what is being done.
- Step 3 - Establish governance / oversight of processes to ensure your company's processes are actually working as they are supposed to. If not, make fixes and keep verifying.
Understanding "Security By Design" As It Pertains To Privacy Regulations
In terms of the EU GDPR, the regulation expects your company to define an “adequate level of data protection” and “appropriate technical and organisational measures” in terms of its alignment with leading security practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing a single framework or even a hybrid model, but it also needs evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but these are several common sources of "security principles" that a company should leverage:
- International Organization for Standardization (ISO) 27002
- National Institute of Standards and Technology (NIST) 800-53
- NIST Cybersecurity Framework
Understanding "Privacy By Design" As It Pertains To Privacy Regulations
In terms of the EU GDPR, the regulation expects your company to define an “adequate level of data protection” and “appropriate technical and organisational measures” in terms of its alignment with leading privacy practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing privacy frameworks, but it also needs evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but these are the most common sources of "privacy principles" that a company should leverage:
- ISO 27701
- ISO 29100
- Generally Accepted Privacy Principles (GAPP)
- Fair Information Practice Principles (FIPP)
- NIST Privacy Framework [draft]
- US Privacy Shield
- SOC 2 Privacy Principles (AICPA Trust Services Criteria)
Operationalizing Security by Design (SbD) & Privacy by Design (PbD) Begins With Understanding Expectations
Understanding the requirements for both Security by Design (SbD) and Privacy by Design (PbD) principles involves a simple process of distilling expectations. Because every organization is unique, this process is part of documenting reasonable expectations in order to right-size the approach:
Operationalize Security by Design (O-SbD)
Operationalize Privacy by Design (O-PbD)
Security by Design (SbD) requirements come from numerous sources. In this context, the most important are:
Privacy by Design (PbD) requirements come from numerous sources. In this context, the most important are: