Cybersecurity (or security) normally refers to the security mechanisms an organization puts in place to protect its IT systems and information commonly referred to as data. These mechanisms include policies, people, technology and operations.2 Privacy (or information privacy) is focused on individuals and their rights to have some control over how their personal information is collected, processed, stored, and shared. Like cybersecurity, privacy requires a combination of technology, processes, policies, and people to achieve its objectives to protect an individual’s privacy and personal data. But while the disciplines are similar, they are not interchangeable. For example, a piece of data might be protected, even though the way your organization uses that data violates privacy principles.1 And many organizations are having a hard time finding a common framework that includes privacy and cybersecurity holistically to address its risk. The National Institute of Standards and Technology (NIST) has developed two frameworks, a cybersecurity framework and a privacy framework to assist organizations in developing programs for each discipline. The core functions for each framework are shown in Figure 1 below. The privacy framework functions are shown with a -P following the function name, e.g. Protect-P. The intersection of the two frameworks contains the cybersecurity related privacy events. Protect-P is specifically focused on data protection to prevent cybersecurity related privacy events.3
Data Protection = Data Security and Data Privacy
Data privacy is concerned with proper handling, processing, storage, and usage of personal information. It is about the rights of individuals with respect to their personal information and an understanding how their personal information is collected, used, stored, and shared. Data security is focused on protecting the confidentiality and the integrity of data from any unauthorized access or improper data modification or destruction. Data security controls are implemented to protect personal data and ensure data privacy. Data protection is the combination of both data security and privacy. If we focus on the data protection function, Protect-P, NIST has identified five categories or outcomes to effectively manage cybersecurity and privacy risk. Based on these outcomes and associated activities Guidehouse believes there are 5 key elements for an effective data protection program.
5 Key Elements of a Data Protection Program
Data governance program with documented data protection policies, processes, procedures, and training. Having the right policies and procedures in place, informed by conducting data privacy and business impact assessments to identify data you have, where it is stored, and how it needs to be managed by your organization to address legal and regulatory requirements. Additionally, employees need to be appropriately trained on privacy.
Identity, authentication, and access control management employing multi-factor authentication and least privilege principles for all users. Privileged user and users with access to sensitive data should be monitored to identify abnormal or anomalous behavior.
Robust data security utilizing protective technologies should be implemented to secure data through its life cycle. Evaluated encryption technologies supported by well-managed key management system should be implemented. Data should be encrypted at rest on end-user devices, in server and cloud infrastructures, and when transiting between those systems. Data loss prevention technologies should be used when practical.
Proactive system maintenance. Good cyber hygiene for systems holding the data, including cloud, computer, and mobile devices, should be maintained. They should be properly configured, patched, and regularly scanned. Security-relevant patches should be applied as soon as possible. And every system should be part of a security monitoring and incident response program.
Business continuity, backup, disaster recovery and incident response plans for important and sensitive data should be in place. These plans should be regularly maintained and undergo periodic execution to ascertain their effectiveness, especially prior to an event.
Guidehouse Cybersecurity Data Protection and Privacy Capabilities
If you should need advice and support for data protection and security, Guidehouse has a robust cybersecurity practice that supports the key elements for data protection.
Governance, Risk, and Compliance Management
Business and Data Privacy Impact Assessment
Data Security and Privacy Engineering by Design
Data Loss Management, including Data Discovery, Classification, and Encryption