privacy policy development - privacy policies, standards & procedures

Privacy Regulations Include Cybersecurity Requirements

You can implement cybersecurity practices without privacy, but you cannot implement privacy practices without cybersecurity! This is an important concept to keep in mind when considering any of the newer privacy laws, regulations and industry frameworks, including the European Union General Data Protection Regulation (EU GDPR), California Consumer Privacy Act (CCPA), and NIST Privacy Framework [draft]. These requirements can be considered "two-sided coins" with regard to the interconnected nature of privacy and cybersecurity, where there is a clear expectation that, in addition to a formal privacy program, a cybersecurity program also exists:

  • The determination of "secure practices" is left to the organization to define. In most cases, this means alignment with ISO 27001/27002, NIST Cybersecurity Framework, or NIST 800-53 as the framework used to define what "right" looks like from a cybersecurity perspective.
  • The determination of "privacy practices" is also left to the organization to define. Just like with cybersecurity frameworks, there are numerous privacy frameworks an organization can choose from.
  • The selection of security and privacy frameworks for an organization to align with is foremost a business decision and is not dictated by technology; those frameworks are meant to support the organization's overall business operations and strategic goals.
  • These expectations for both privacy and cybersecurity apply not only to processors and controllers of data, but supply chains as well. An organization's internal "secure practices" are meaningless if there are unmanaged third-party service providers that have unfettered access to sensitive data or the systems / applications / services that store, transmit and process personal data.

Our solutions are applicable to both processors and controllers! We focus on leading industry practices to build documentation that will steer your organization towards building both secure and compliant systems, applications and processes.

Ready To Operationalize Privacy & Cybersecurity Principles To Meet Compliance Needs? We are. 

Please keep in mind that security & privacy engineering principles are not just limited to EU GDPR & CCPA. The requirement to have secure practices that protect the confidentiality, integrity and availability of your sensitive data is very common:

Cybersecurity & Privacy Documentation Done Right - A Solution That Is Scalable, Comprehensive & Efficient

We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary cybersecurity and privacy documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks. 

Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.

Hierarchical Cybersecurity Governance Framework - policies standards procedures controls metrics

At ComplianceForge, we are here to provide businesses with the documentation they need to comply with the EU GDPR, CCPA and other requirements that demand companies "bake in" both cybersecurity and privacy principles into their day-to-day operations and project development processes. We refer to it as Cybersecurity for Privacy by Design (C4P). Privacy and secure engineering are just one component of building an audit-ready cybersecurity and privacy program!


Cybersecurity for Privacy by Design (C4P) Model

ComplianceForge offers a unique set of solutions, beyond just cybersecurity policies and standards. Our comprehensive documentation addresses common cybersecurity and privacy frameworks, which enables companies to obtain quality documentation to prove evidence of due care and due diligence for how cybersecurity and privacy principles are implemented. The EU GDPR & CCPA are more than a checklist of requirements - these regulations expect processes to exist. When a process is audited, documentation is required to prove its existence. Therefore, documentation is king!

Surprisingly to many people, privacy protections overlay most existing security protection mechanisms. In a C4P model, the focus is on People, Processes and Technology.

A focus on C4P allows an organization to:
    • Enable privacy principles through an integrated approach with security;
    • Preset security configuration settings so that it is secure by default;
    • “Bake in” security mechanisms, as compared to “bolting on” protections as an afterthought;
    • Keep things simple to save resources and avoid negatively affecting users;
    • Integrate throughout the lifecycle of projects / applications / systems;
    • Support a common method to “trust but verify” for projects / applications / systems; and
    • Position security to be seen as an enabler through educating users, managing expectations, and supporting change.

Privacy Compliance - Where Do We Start?

Before you can jump in and just start "doing privacy and security," your company needs to first address some fundamental building blocks that are often overlooked:

Understanding "Security By Design" As It Pertains To Privacy Regulations 

In terms of the EU GDPR, the regulation expects your company to define an “adequate level of data protection” and “appropriate technical or organizational measures” in terms of its alignment with leading security practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing a single framework or even a hybrid model, but it also needs to have evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but there are several common sources of "security principles" that a company should leverage:

Understanding "Privacy By Design" As It Pertains To Privacy Regulations

In terms of the EU GDPR, the regulation expects your company to define an “adequate level of data protection” and “appropriate technical or organizational measures” in terms of its alignment with leading privacy practices. Therefore, your company is not only expected to adopt a “best in class” approach to implementing privacy frameworks, but it also needs to have evidence that it has done so. Every framework is unique and has its own strengths and weaknesses, but the most common sources of "privacy principles" that a company should leverage are:

Operationalizing Security by Design (SbD) & Privacy by Design (PbD) Begins With Understanding Expectations

Understanding the requirements for both Security by Design (SbD) and Privacy by Design (PbD) principles involves a simple process of distilling expectations. This process is all part of documenting reasonable expectations to right-size the approach, since every organization is unique:

  • Applicable best practices based on your company’s industry.
    • ISO 27002
    • NIST 800-53
    • SOC II
    • Operational Technology (OT) & Internet of Things (IoT)
  • Statutory obligations (e.g., state, federal and international laws)
    • FTC Act (prohibition on unfair business practices)
    • Family Educational Rights and Privacy Act (FERPA)
    • Children's Online Privacy Protection Act (COPPA)
    • State ID theft laws (e.g., MA 201 CMR 17)
  • Regulatory obligations (e.g., regulatory bodies or governmental agencies)
    • EU General Data Protection Regulation (EU GDPR)
    • NY Department of Financial Services (23 NYCRR 500)
    • FISMA / DIACAP / DIARMF
  • Contractual obligations (e.g., vendor agreements)
    • DFARS / FAR (e.g., NIST 800-171)
    • Privacy Shield
    • PCI DSS

Operationalize Security by Design (O-SbD)

Security by Design (SbD) requirements come from numerous sources. In this context, the most important are:

  • International Organization for Standardization (ISO)
  • National Institute for Standards & Technology (NIST)
  • US Government (HIPAA & FedRAMP)
  • Information Systems Audit and Control Association (ISACA)
  • Cloud Security Alliance (CSA)
  • Center for Internet Security (CIS)
  • Open Web Application Security Project (OWASP)

Operationalize Privacy by Design (O-PbD)

Privacy by Design (PbD) requirements come from numerous sources. In this context, the most important are:

  • Fair Information Practice Principles (FIPPs)
  • European Union (EU) General Data Protection Regulation (GDPR)
  • Organization for the Advancement of Structured Information Standards (OASIS)
  • International Organization for Standardization (ISO)
  • National Institute for Standards & Technology (NIST)
  • Information Systems Audit and Control Association (ISACA)
  • US Government (HIPAA & FTC Act)

Browse Our Products

  • Digital Security Program (DSP) - SCF Policy Template
    Framework: Secure Controls Framework (SCF)
    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video: This short product walkthrough video is designed to give a brief overview about...
    Price: $9,500.00
  • DSP Bundle 1: Policies, Standards, Procedures & Controls (DSP-CSOP)
    Framework: Secure Controls Framework (SCF)
    Digital Security Plan (DSP) Bundle #1 - SCF-Aligned Policies, Standards & Procedures (25% Discount). This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing the Secure Controls Framework...
    Price: $11,494.00 (list price $15,325.00)
  • DSP Bundle 2: Enhanced Digital Security Documentation
    Framework: Secure Controls Framework (SCF)
    Digital Security Plan (DSP) Bundle #2 - ENHANCED DIGITAL SECURITY (35% Discount). This is a bundle that includes the following seven (7) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF): Digital...
    Price: $17,453.00 (list price $26,850.00)
  • DSP Bundle 3: Robust Digital Security Documentation ("Whole Enchilada")
    Framework: Secure Controls Framework (SCF)
    Digital Security Plan (DSP) Bundle #3 - ROBUST DIGITAL SECURITY (45% Discount). This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF): Digital...
    Price: $24,943.00 (list price $45,350.00)