By Donald Heckman Jr.
Cybersecurity normally refers to the security mechanisms an organization puts in place to protect its IT systems and information, commonly referred to as data. These mechanisms include policies, people, technology and operations.[2] Privacy (or information privacy) is focused on individuals and their right to have some control over how their personal information is collected, processed, stored, and shared. Like cybersecurity, privacy requires a combination of technology, processes, policies, and people to achieve its objective of protecting an individual's privacy and personal data. But while the disciplines are similar, they are not interchangeable. For example, a piece of data might be well protected even though the way your organization uses that data violates privacy principles.[1] Many organizations are having a hard time finding a common framework that addresses privacy and cybersecurity risk holistically. The National Institute of Standards and Technology (NIST) has developed two frameworks, a Cybersecurity Framework and a Privacy Framework, to assist organizations in developing programs for each discipline. The core functions for each framework are shown in Figure 1 below. The Privacy Framework functions are shown with a -P following the function name, e.g. Protect-P. The intersection of the two frameworks contains the cybersecurity-related privacy events. Protect-P is specifically focused on data protection to prevent cybersecurity-related privacy events.[3]
Data privacy is concerned with the proper handling, processing, storage, and usage of personal information. It is about the rights of individuals with respect to their personal information and an understanding of how their personal information is collected, used, stored, and shared. Data security is focused on protecting the confidentiality and integrity of data against unauthorized access and improper modification or destruction. Data security controls are implemented to protect personal data and thereby ensure data privacy. Data protection is the combination of data security and data privacy. Within the data protection function, Protect-P, NIST has identified five categories, or outcomes, for effectively managing cybersecurity and privacy risk. Based on these outcomes and their associated activities, Guidehouse believes there are 5 key elements of an effective data protection program.
If you should need advice and support for data protection and security, Guidehouse has a robust cybersecurity practice that supports the key elements for data protection.
Special thanks to contributing author Stephen Singam.