This is the final installment in a series of articles on the core functions of the National Institute of Standards and Technology (NIST) Privacy Framework where we cover the Protect function.
As previously published in an article outlining the best ways to leverage the NIST Privacy (NIST-P) Framework to assess data privacy posture, develop readiness roadmaps, and mature organizational privacy programs, The NIST Privacy Framework is a widely known control set used to assist organizations in identifying privacy risks within their business environment and allocating resources to mitigate these risks.
We also previously published the first four core functions of Identify, Govern, Control, and Communicate. This is the final article covering Protect and the corresponding privacy management activities to consider in order to align with the NIST Privacy Framework.
NIST defines the Protect function as the ability to develop and implement appropriate data processing safeguards. The Protect function includes five categories: Data Protection Policies, Processes, and Procedures, Processes, and Procedures; Identity Management, Authentication, and Access Control; Data Security; Maintenance; and Protective Technology. The categories within the Control function include 30 subcategory controls as listed in Table 1 below.
The Protect function aligns closely with technical and security measures as required in many privacy regulations and supports the NIST Cybersecurity Framework (CSF) that those in Information Security may be familiar with. This alignment illustrates how data protection is achieved by implementing strong security safeguards.
| Table 1 |
| Category |
Subcategory |
| Data Protection Policies, Processes, and Procedures (PR.PO-P): Security and privacy policies (e.g., purpose, scope, roles, and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data. |
PR.PO-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality). |
| PR.PO-P2: Configuration change control processes are established and in place. |
| PR.PO-P3: Backups of information are conducted, maintained, and tested. |
| PR.PO-P4: Policy and regulations regarding the physical operating environment for organizational assets are met. |
| PR.PO-P5: Protection processes are improved. |
| PR.PO-P6: Effectiveness of protection technologies is shared. |
| PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. |
| PR.PO-P8: Response and recovery plans are tested. |
| PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening). |
| PR.PO-P10: A vulnerability management plan is developed and implemented. |
| Identity Management, Authentication, and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access |
PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. |
| PR.AC-P2: Physical access to data and devices is managed. |
| PR.AC-P3: Remote access is managed. |
| PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. |
| PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). |
| PR.AC-P6: Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks). |
| Data Security (PR.DS-P): Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy and maintain data confidentiality, integrity, and availability. |
PR.DS-P1: Data-at-rest are protected. |
| PR.DS-P2: Data-in-transit are protected. |
| PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition. |
| PR.DS-P4: Adequate capacity to ensure availability is maintained. |
| PR.DS-P5: Protections against data leaks are implemented. |
| PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. |
| PR.DS-P7: The development and testing environment(s) are separate from the production environment. |
| PR.DS-P8: Integrity checking mechanisms are used to verify hardware integrity. |
| Maintenance (PR.MA-P): System maintenance and repairs are performed consistent with policies, processes, and procedures. |
PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. |
| PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. |
| Protective Technology (PR.PT-P): Technical security solutions are managed to ensure the security and resilience of systems/products/services and associated data, consistent with related policies, processes, procedures, and agreements. |
PR.PT-P1: Removable media is protected and its use restricted according to policy. |
| PR.PT-P2: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. |
| PR.PT-P3: Communications and control networks are protected. |
| PR.PT-P4: Mechanisms (e.g., failsafe, load balancing, hot-swap) are implemented to achieve resilience requirements in normal and adverse situations. |
Assessing an Organization’s Privacy Posture for the Protect Function
These following questions can be used by an organization to assess their current privacy posture relative to the Protect function within the NIST Privacy Framework:
- Are principles of least-functionality followed when configuring systems?
- Are configuration change controls established and in place?
- Are backups for critical assets and databases being made routinely? Are they stored in a secured location?
- Does the organization routinely assess risks to our critical assets and identify ways to improve our security and privacy controls? Are these risk findings documented?
- Does the organization have an Incident Response Plan and a defined Incident Response Team?
- Does the organization have insight into network device vulnerabilities?
- Does the organization have a formal identify and access management, including credentialing and verifying access for authorized individuals?
- How are access privileges determined, requested, approved, and documented for each user?
- What standards are followed for encrypting data at rest and in-transit?
- What tools are in place for data loss protection (DLP) and integrity monitoring on software and hardware?
As alluded above, it is important to include the organization’s information security or cybersecurity team to properly assess its posture for the Protect function.
Privacy Management Activities to Align with the Protect Function
After assessing an organization’s governance maturity level based on the Protect function, organizations may consider implementing privacy management activities such as those below to align and remediate gaps towards privacy maturity.
- Formally document all protection controls in a Written Information Security Policy.
- Develop an Incident Response Plan.
- Identify access roles for employees based on their department and job function and implement
- an access management solution such as Active Directory to inventory all access rights across the environment.
- Implement a network monitoring program using tools such as Endpoint Detection and Response (EDR) or a Security information and event management (SIEM) solutions.
- Update network and cloud architecture diagrams and data flow mappings.
- Implement a Data Backup and Disaster Recovery Program.
- Perform routine vulnerability scanning and penetration tests on the network and cloud environments.
- Conduct routine testing of resiliency and incident response processes.
The privacy management activities in the Protect function are critical for organizations to ensure all personal data is managed and protected appropriately with strong technical and security measures and safeguards. An organization should consider assessing and implementing these foundational activities in collaboration with their information security and cybersecurity team as it progresses toward complying with the NIST Privacy Framework.
