And knowing the difference between the two
Depending on the industry you operate in, you’re probably tracking a dizzying number of cybersecurity guidelines, frameworks and requirements. A common myth holds that cybersecurity frameworks are basically carbon copies of one another. Though they share similar methodologies, each framework is shaped by the audience and intent it serves.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is arguably the most recognized and widely adopted framework available, which is why the Cavelo platform aligns to its classification and reporting guidance. The Cybersecurity Framework was first published in 2014 and updated to version 1.1 in 2018; the NIST Privacy Framework followed in 2020.
It’s important to note that the two frameworks have separate intentions: the Cybersecurity Framework is designed to help organizations manage cybersecurity risk through policies and controls, while the Privacy Framework helps organizations identify and manage the privacy risk that arises from processing personal data, so that the privacy of individual customers and end users is protected.
Both are voluntary guidelines. Following and implementing the NIST frameworks will improve your organization’s overall security posture, strengthen data privacy policies and better position your business for the other compliance obligations it might face.
NIST frameworks encourage visibility to the data you use and store
When it comes to data protection and data privacy, both frameworks help IT and security leaders prioritize their efforts by organizing guidance into core functions. The Cybersecurity Framework’s five are Identify, Protect, Detect, Respond and Recover; the Privacy Framework’s five are Identify-P, Govern-P, Control-P, Communicate-P and Protect-P, with Identify and Protect deliberately overlapping the cybersecurity side. Not surprisingly, data discovery and classification underpin those functions, and for good reason: without proper data inventorying, mapping and management, tracking data, responding to incidents and recovering from them become next to impossible.
With few exceptions, both frameworks make the same demands around data collection, storage and use across their functions. Here’s a quick look at 15 data classification and management-related categories and whether each framework includes individual guidance for them:
Data Classification & Management Guidance
1. Personal Data Inventory
Create and maintain a list of the personal data that is collected, used, transferred, stored, processed and created within the organization. The inventory must cover each data element as well as the systems and applications that interact with it.
2. Data Classification
Classify data according to its category and sensitivity as defined by appropriate statutory, regulatory and contractual contexts.
3. Data Flow Mapping
Maintain a record of processing activities that documents the flow of personal data. Make sure the record includes:
- Geographic locations and third-parties involved in the storage, transmission and/or processing of personal data
- Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data
- The purposes for data storage, transmission and processing
- A description of the categories of data subjects and personal data
- The time limits for erasure of the different categories of data (where possible)
- A description of the cybersecurity and privacy measures of the data controller (where possible)
4. Limited Collection and Use
Limit the collection, use, distribution, retention, disclosure and creation of personal data to what is minimally required, reasonably necessary and has legal basis.
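To make items 1 through 4 concrete, here is an added example (not Cavelo’s code and not part of either NIST framework) of a minimal personal data inventory in Python: it discovers and classifies personal data fields in constructed sample records, attaches a record of processing to each element, and flags elements whose record is missing a legal basis, a retention limit or a controller contact. The system name `crm-db`, the vendor name, the regime labels and the sensitivity tiers are all assumptions chosen for illustration.

```python
"""Added example: data inventory, classification and record-of-processing check.
Not Cavelo's code; all systems, vendors, tiers and regime labels are assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Discovery rules: a field-name hint, a value pattern, the sensitivity tier to
# assign and the statutory/contractual context driving that tier. The tiers and
# contexts are assumed labels chosen for the example, not NIST-defined ones.
DISCOVERY_RULES = [
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"), "confidential", "GDPR"),
    ("ssn", re.compile(r"^\d{3}-\d{2}-\d{4}$"), "restricted", "state privacy law"),
    ("card", re.compile(r"^\d{13,19}$"), "restricted", "PCI DSS"),
]


@dataclass
class Flow:
    """One processing activity for a data element (item 3: data flow mapping)."""
    system: str
    location: str                      # geographic location of storage/processing
    third_party: Optional[str]         # vendor/processor involved, if any
    purpose: str
    legal_basis: Optional[str]         # required by item 4 (limited collection/use)
    retention_days: Optional[int]      # time limit for erasure
    controller_contact: Optional[str]


@dataclass
class InventoryEntry:
    """One personal data element (item 1: inventory; item 2: classification)."""
    element: str
    classification: str
    regime: str
    systems: set = field(default_factory=set)
    flows: List[Flow] = field(default_factory=list)


def classify_field(name: str, value) -> Optional[tuple]:
    """Return (tier, regime) if the field looks like personal data, else None."""
    for hint, pattern, tier, regime in DISCOVERY_RULES:
        if hint in name.lower() or pattern.match(str(value)):
            return tier, regime
    return None


def discover(records: List[dict], system: str) -> Dict[str, InventoryEntry]:
    """Build inventory entries from raw records exported from one system."""
    inventory: Dict[str, InventoryEntry] = {}
    for record in records:
        for name, value in record.items():
            hit = classify_field(name, value)
            if hit is None:
                continue
            entry = inventory.setdefault(name, InventoryEntry(name, *hit))
            entry.systems.add(system)
    return inventory


def audit(inventory: Dict[str, InventoryEntry]) -> Dict[str, List[str]]:
    """Flag inventory entries whose record of processing is incomplete."""
    gaps: Dict[str, List[str]] = {}
    for element, entry in inventory.items():
        found = []
        if not entry.flows:
            found.append("no processing record for this element")
        for f in entry.flows:
            if f.legal_basis is None:
                found.append(f"{f.system}: no legal basis recorded")
            if f.retention_days is None:
                found.append(f"{f.system}: no retention limit")
            if f.controller_contact is None:
                found.append(f"{f.system}: no controller contact")
        gaps[element] = found
    return gaps


# Constructed sample rows standing in for an export from a hypothetical CRM database.
SAMPLE_RECORDS = [
    {"customer_email": "jane@example.com", "ssn": "123-45-6789", "note": "vip"},
    {"customer_email": "bob@example.org", "card_number": "4111111111111111"},
]


def build_demo_inventory() -> Dict[str, InventoryEntry]:
    """Discover the sample data, then document what is known about its processing."""
    inv = discover(SAMPLE_RECORDS, system="crm-db")
    inv["customer_email"].flows.append(Flow(
        "crm-db", "eu-west", "MailVendor Inc.", "marketing",
        "consent", 365, "dpo@example.com"))
    inv["ssn"].flows.append(Flow(
        "crm-db", "us-east", None, "identity verification",
        None, None, "dpo@example.com"))
    # card_number was discovered but nobody has documented how it is processed.
    return inv


if __name__ == "__main__":
    for element, problems in audit(build_demo_inventory()).items():
        print(element, "->", problems or "ok")
```

The audit deliberately treats an element with no documented processing activity as a gap rather than ignoring it: discovery tells you the data exists, but the record of processing is what lets you answer the purpose, location, retention and legal-basis questions the framework categories above ask for.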