Implementing the NIST Privacy Framework – Protective Function | Ankura Cybersecurity and Data Privacy
This is the last installment in a series of articles on the Essential Functions of the National Institute of Standards and Technology (NIST) Privacy Framework where we cover the Protect function.
As set out in our earlier article on how best to leverage the NIST Privacy Framework (NIST-P) to assess data privacy posture, develop readiness roadmaps and mature organizational privacy programs, the NIST Privacy Framework is a widely known set of controls that helps organizations identify privacy risks in their business environment and allocate resources to mitigate those risks.
We have also previously covered the first four functions: Identify, Govern, Control and Communicate. This final article covers Protect and the corresponding privacy management activities to consider in order to align with the NIST Privacy Framework.
NIST defines the Protect function as the ability to develop and implement appropriate safeguards for data processing. The Protect function has five categories: Data Protection Policies, Processes and Procedures; Identity Management, Authentication and Access Control; Data Security; Maintenance; and Protective Technology. Together these categories contain 30 subcategory controls, listed in Table 1 below.
The Protect function aligns closely with the technical and security measures required by many privacy regulations and maps to the NIST Cybersecurity Framework (CSF), which those responsible for information security are likely already familiar with. This alignment illustrates how data privacy depends on the implementation of strong security measures.
| Category | Subcategory |
|---|---|
| Data Protection Policies, Processes and Procedures (PR.PO-P): Security and privacy policies (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment), processes and procedures are maintained and used to manage data protection. | PR.PO-P1: A baseline configuration of information technology is created and maintained, incorporating security principles (e.g., the concept of least functionality). |
| | PR.PO-P2: Configuration change control processes are established and in place. |
| | PR.PO-P3: Backups of information are made, maintained and tested. |
| | PR.PO-P4: Policy and regulations regarding the physical operating environment of organizational assets are followed. |
| | PR.PO-P5: Protection processes are improved. |
| | PR.PO-P6: The effectiveness of protection technologies is shared. |
| | PR.PO-P7: Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are established, implemented and managed. |
| | PR.PO-P8: Response and recovery plans are tested. |
| | PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening). |
| | PR.PO-P10: A vulnerability management plan is developed and implemented. |
| Identity Management, Authentication and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes and devices, and is managed consistent with the assessed risk of unauthorized access. | PR.AC-P1: Identities and credentials are issued, managed, verified, revoked and audited for authorized individuals, processes and devices. |
| | PR.AC-P2: Physical access to data and devices is managed. |
| | PR.AC-P3: Remote access is managed. |
| | PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and segregation of duties. |
| | PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). |
| | PR.AC-P6: Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks). |
| Data Security (PR.DS-P): Data is managed consistent with the organization's risk strategy to protect individuals' privacy and maintain the confidentiality, integrity and availability of data. | PR.DS-P1: Data at rest is protected. |
| | PR.DS-P2: Data in transit is protected. |
| | PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers and disposition. |
| | PR.DS-P4: Adequate capacity to ensure availability is maintained. |
| | PR.DS-P5: Protections against data leaks are implemented. |
| | PR.DS-P6: Integrity checking mechanisms are used to verify the integrity of software, firmware and information. |
| | PR.DS-P7: The development and testing environment(s) are separate from the production environment. |
| | PR.DS-P8: Integrity checking mechanisms are used to verify hardware integrity. |
| Maintenance (PR.MA-P): System maintenance and repairs are performed consistent with policies, processes and procedures. | PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. |
| | PR.MA-P2: Remote maintenance of organizational assets is approved, logged and performed in a manner that prevents unauthorized access. |
| Protective Technology (PR.PT-P): Technical security solutions are managed to ensure the security and resilience of systems/products/services and associated data, consistent with related policies, processes, procedures and agreements. | PR.PT-P1: Removable media is protected and its use restricted according to policy. |
| | PR.PT-P2: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. |
| | PR.PT-P3: Communications and control networks are protected. |
| | PR.PT-P4: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations. |
An organization can use the following questions to assess its current privacy posture against the Protect function of the NIST Privacy Framework:
- Are the principles of least functionality observed when configuring the systems?
- Are configuration change controls established and in place?
- Are backups of critical assets and databases performed regularly? Are they stored in a secure place?
- Does the organization regularly assess the risks to its critical assets and identify ways to improve its security and privacy controls? Are these risk findings documented?
- Does the organization have an incident response plan and a defined incident response team?
- Does the organization have an overview of network device vulnerabilities?
- Does the organization have formal identity and access management, including authentication and access verification for authorized persons?
- How are access privileges determined, requested, approved and documented for each user?
- What standards are followed for encryption of data at rest and in transit?
- What tools are in place for data loss prevention (DLP) and for software and hardware integrity monitoring?
It is important to involve the organization's information security or cybersecurity team when assessing its posture for the Protect function.
Privacy management activities to align with the Protect function
After assessing an organization's maturity against the Protect function, the organization may consider implementing privacy management activities such as those below to close the gaps and progress toward privacy maturity.
- Formally document all protective controls in a written information security policy.
- Develop an incident response plan.
- Identify access roles for employees according to their department and function, and implement an access management solution such as Active Directory to inventory all access rights in the environment.
- Implement a network monitoring program using tools such as Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) solutions.
- Update network and cloud architecture diagrams and data flow mappings.
- Implement a data backup and disaster recovery program.
- Perform routine vulnerability scans and penetration testing on network and cloud environments.
- Perform routine testing of resiliency and incident response processes.
The privacy management activities in the Protect function are essential for ensuring that all personal data is managed and protected appropriately with strong technical and security safeguards. An organization should consider evaluating and implementing these core activities in conjunction with its information security and cybersecurity team as it progresses toward alignment with the NIST Privacy Framework.