In the U.S., the Fourth Amendment of the Constitution protects the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” However, these words conceive personal privacy in physical terms. The advent and explosive growth of the digital world is putting information security and privacy to the test.
At the beginning of the digital age, the founder of Sun Microsystems, Scott McNealy, famously proclaimed in Wired magazine (1999): “You have zero privacy anyway … Get over it.”
However, a growing number of information security and privacy laws are making it impossible for today’s companies to just “get over it” when it comes to keeping their customers’ data secure. In the past few years, we have seen an explosion of new laws (both state and federal), development of new business practices, new diligence on the part of regulatory agencies, new international mandates, and more sensitive judicial decisions on privacy.
These new and expanding rules are in direct response to the ratcheting up of the risks we face in our expanding digital world. Every day more personal information is made available either on the web or, worse, the dark web. We are witnessing and taking part in the greatest information technology revolution in the history of mankind as our society undergoes the transition to a fully digital world.
As these technologies expand, so does the sheer volume of information contained in the millions of billions of lines of code and millions of applications on every type of computing platform — from smart watches to mainframes. Far from being something we can just “get over,” privacy as a concept is perhaps even more relevant now, as the sheer volume of identity data about any given individual is so much larger than ever before.
As a result, along with their core business operations, companies today need to also enter into the personal data business. In other words, they need to become concerned about the confidentiality, integrity, and availability of the data contained in their systems. And they need to take decisive action to make keeping other people’s data secure a priority. Otherwise, they’ll face consequences from compliance regulators, law enforcement, and the public. In fact, how companies navigate the shifting landscape of digital privacy and security will have a profound impact on both customers’ trust and the bottom line.
NIST’s New Best Practice Guidelines
In response to the challenges companies face managing information security and privacy in our digital world, organizations are expanding their best practices recommendations. For example, this year the National Institute of Standards and Technology (NIST) released an updated draft of one of its key documents to achieve this goal. In May 2018, NIST released an updated second installment of its NIST Special Publication 800-37, Revision 2, for review. The final version is scheduled to be released in October 2018.
The release of the first installment of NIST Special Publication 800-53, Revision 5, provided, for the first time in the standards community, a consolidated catalog of security and privacy controls — standing side-by-side with the broad-based safeguards needed to protect systems and personal privacy. The release of RMF 2.0 draft kicks the recommendations up several notches.
The draft provides guidelines for creating a disciplined, structured, and repeatable process for organizations to select, implement, assess, and continuously monitor security and privacy controls, empowering customers to take charge of their protection needs. To this end, it includes a new organizational preparation step, designed to achieve more timely, effective, efficient, and cost-effective risk management processes.
The organizational preparation step incorporates concepts from the NIST Cybersecurity Framework to facilitate better communication between senior leaders and executives at the enterprise and mission and business process levels and system owners, thereby conveying acceptable limits regarding the implementation of security and privacy controls within the established organizational risk tolerance.
Among the benefits are significantly reducing the workload on individual system owners, providing more customized security and privacy solutions, and lowering the overall cost of system development and protection.
NIST RMF 2.0 — Preparation is Key
The addition of the “prepare step” is one of the key changes to the RMF 2.0 draft. The purpose of the Prepare step is to carry out essential activities at the organization, mission and business process, and information system levels of the enterprise to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.
According to RMF 2.0, the primary objectives for institutionalizing organization-level and system-level preparation are:
- To facilitate better communication between senior leaders and executives at the organization and mission and business process levels and system owners on the front lines of execution and operation.
- To facilitate organization-wide identification of common controls and the development of organization-wide tailored control baselines, to reduce the workload on individual system owners and the cost of system development and asset protection.
- To reduce the complexity of the information technology (IT) and operations technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services.
- To identify, prioritize, and focus resources on the organization’s high-value assets and high-impact systems that require increased levels of protection—taking steps commensurate with the risk to such assets.
Recognizing that organizational preparation for RMF execution may vary from organization to organization, achieving the objectives outlined above can reduce the IT footprint and attack surface of organizations, promote IT modernization objectives, conserve security resources, prioritize security activities to focus protection strategies on the most critical assets and systems, and promote privacy protections for individuals.
7 Tasks for Optimal Preparation
NIST’s RMF 2.0 recommends these seven tasks to prepare for a stronger information security and privacy infrastructure:
Task 1 — Identify and assign individuals to specific roles associated with security and privacy risk management.
Task 2 — Establish a risk management strategy for the organization that includes a determination of risk tolerance.
Task 3 — Assess organization-wide security and privacy risk and update the results on an ongoing basis.
Task 4 — Establish, document, and publish organization-wide tailored control baselines and/or profiles.
Task 5 — Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.
Task 6 — Prioritize organizational systems with the same impact level.
Task 7 — Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.
RMF 2.0’s security and privacy guideline recommendations will help organizations develop stronger, more robust security and privacy programs by strengthening their foundational security and privacy practices, achieving greater efficiencies in control implementation, promoting greater collaboration between security and privacy professionals, and providing an appropriate level of security and privacy protection for systems and individuals.
In this way, companies will take significant strides forward in their ever-expanding job of maintaining the information security and privacy of the data that flows through their businesses as the digital revolution continues its uncontrolled expansion.
TrustArc has a team of privacy experts who help design our privacy platform and solutions to incorporate best practices and standards from many laws, frameworks, and privacy & security guidelines. Our partner program, TrustArcConnect, provides a great opportunity to capitalize on the GDPR ‘enforcement’ era by selling the TrustArc privacy platform.
If you are interested in becoming a partner, contact us for more information.