Make privacy a competitive advantage with NIST risk management framework

You may have received a number of emails recently from companies sharing their updated privacy policies. These revised policies coincided with the May 25 enactment of the General Data Protection Regulation (GDPR), the European Union’s new data privacy directive.

While most of the world was fretting over compliance with GDPR, NIST drafters were quietly working away on a holistic approach for managing risk, privacy and security that culminated in the NIST SP 800-37 Rev 2 risk management framework. Using the framework can help simplify and streamline compliance with GDPR and other privacy regulations.

Next-generation risk management framework
NIST SP 800-37 Rev. 2 was published in late May with comment period ending Friday, June 22. Designed to answer the call for a next-generation risk management framework, NIST SP 800-37 Rev. 2 delivers on seven major objectives:

  1. Collaboration and communication between departments, C-suite and board
  2. Institutionalization of critical organization-wide risk management preparatory activities
  3. Demonstration of alignment between the framework and the NIST cybersecurity framework
  4. Integration of privacy risk management concepts and principles with the framework and access to NIST security and privacy control catalog (SP 800-53 Revision 5)
  5. Alignment between the framework and lifecycle-based systems engineered processes in NIST SP 800-160
  6. Integration of supply chain risk management concepts into the framework
  7. Harmonization between traditional baseline control selection approach and alternative organization-generated control selection

The NIST SP 800-37 framework is a more holistic solution with this update because it integrates privacy risk management concepts and principles, along with its security and privacy control catalog, into the ver. 2 framework. NIST makes the case for why security and privacy matter in a digital world:

“New technologies are not only compelling, but also intoxicating and addicting—leaving us with a huge blind spot that puts us at great risk of losing our property, our privacy, our security and, in some cases, our lives.”

What’s promising in the seven objectives is the movement toward integrated risk management through collaboration and communication between departments and leadership. Informed leadership equipped with the framework are better positioned to make smarter decisions about managing risk.

Privacy’s moment
GDPR’s May 25 enforcement date was a watershed moment for privacy. It’s not just about compliance with a regulation; it’s more impactful than Wells Fargo’s 20-month nightmare and it’s bigger than Facebook’s data scandal. It’s the consciousness-raising of millions thinking or saying, “Wait a second, my data belongs to me and privacy matters.”

What the public demands, business stands at the ready to serve. If your company can safeguard customer data and ensure privacy, you could have an advantage over the competition. That’s why the NIST SP 800-37 Rev 2 risk management framework’s timing couldn’t be better.

If you’re a Keylight user, you can take advantage of our U.S. Federal Cybersecurity Content Pack that contains, among others, the NIST SP-800 Series of frameworks, including the security and privacy controls. The content pack saves you from transposing, mapping and validating NIST guidance from PDF.

Any company can email out an updated privacy policy. How many will extend privacy beyond policies to impact operational areas like product development and the supply chain? NIST has made it easier to infuse privacy and security into your company’s DNA, not to mention create a competitive advantage.

If you enjoy reading the Lockpath blog, consider subscribing. Each week, a new blog will hit your Inbox.

Related Articles