And knowing the difference between the two

Depending on the industry you operate in, you’re probably tracking a dizzying number of cybersecurity guidelines, frameworks and requirements. A common misconception is that cybersecurity frameworks are basically carbon copies of one another. Though they share similar methodologies, each framework is shaped by the audience and intent it serves.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is arguably the most recognized and widely used framework available, which is why the Cavelo platform aligns to its classification and reporting guidance. The Cybersecurity Framework was first released in 2014 and updated to version 1.1 in 2018; the NIST Privacy Framework (version 1.0) followed in 2020.

It’s important to note that the two frameworks have separate intentions: the Cybersecurity Framework is designed to help businesses self-manage cybersecurity risk through policies and controls, while the Privacy Framework helps businesses identify and manage privacy risk in order to protect the individual privacy of customers and end users.

Both are voluntary guidelines. Implementing either NIST framework will improve your organization’s overall security posture, strengthen its data privacy policies and better position it for the other compliance obligations it may face.

NIST frameworks encourage visibility into the data you use and store

When it comes to data protection and data privacy, both frameworks help IT and security leaders prioritize their efforts. The Cybersecurity Framework organizes its outcomes into five core functions: Identify, Protect, Detect, Respond and Recover. The Privacy Framework mirrors that structure with its own five functions: Identify-P, Govern-P, Control-P, Communicate-P and Protect-P. Not surprisingly, data discovery and classification underpin all of these functions, and for good reason: without a proper data inventory, mapping and management, tracking, response and recovery become next to impossible.

With few exceptions, both frameworks set the same expectations around data collection, storage and use across their functions. Here’s a quick look at 15 data classification and management-related categories and whether each framework includes guidance on them:

Data Classification & Management Guidance

Frameworks compared: NIST Cybersecurity Framework v1.1 and NIST Privacy Framework v1.0

1. Personal Data Inventory

Create and maintain a list of personal data that is collected, used, transferred, stored, processed and created within the organization. This must include the data element, as well as the systems and applications that interact with the data.

2. Data Classification

Classify data according to its category and sensitivity as defined by the applicable statutory, regulatory and contractual contexts.

3. Data Flow Mapping

Maintain a record of processing activities that documents the flow of personal data. Make sure the record includes:

- Geographic locations and third parties involved in the storage, transmission and/or processing of personal data

- Contact details of the controller(s) involved in the storage, transmission and/or processing of personal data

- The purposes for data storage, transmission and processing

- A description of the categories of data subjects and personal data

- The time limits for erasure of the different categories of data (where possible)

- A description of the cybersecurity and privacy measures of the data controller (where possible)

4. Limited Collection and Use

Limit the collection, use, distribution, retention, disclosure and creation of personal data to what is minimally required, reasonably necessary and has a legal basis.

5. Data Minimization

Take steps to minimize the collection, use, distribution, retention, disclosure and creation of personal data to what is directly relevant and necessary to accomplish a legally authorized purpose.

6. Data Lifecycle Management

Create the processes and policies that cover the entire data lifecycle, from creation and collection through storage and destruction.

7. Custody of Data

Identify the owners or operators of systems, products and services that process data, or with which data subjects interact.

8. Retention of Personal Data

Ensure that all records containing personal data are maintained in accordance with the organization's records retention schedule and comply with applicable statutory, regulatory and contractual obligations.

9. Quality Management

Maintain quality assurance throughout the information lifecycle, with the accuracy, relevance, timeliness and completeness reasonably necessary to ensure fairness to the individual.

10. Secure Data Processing

Implement secure data processing practices so that the confidentiality, integrity and other pertinent attributes of sensitive data are maintained throughout the data lifecycle.

11. Data Lineage

Maintain records of the inputs, entities, systems, applications and processes that influence data of interest, providing a historical record of the data and its origins.

12. Data Subject Rights

Provide individuals with appropriate access to their personal data.

13. Inquiry Management

Maintain a capability to receive and respond to privacy-related requests, complaints, concerns or questions from individuals.

14. Updating Personal Data

Provide individuals with appropriate opportunity to correct or amend their personal data.

15. Right to Erasure

Provide individuals with appropriate opportunity to request the deletion of personal data wherever it is used, disseminated, maintained, retained and/or disclosed, including where the personal data is stored or processed by third parties.

We’re highlighting sections of the frameworks that focus specifically on the areas where data discovery and classification matter most, but it’s important to note that data discovery and classification are critical to all five core functions. You can’t identify, protect, detect or respond to data you don’t know about – let alone recover it.
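Items 1 and 2 above (the personal data inventory and data classification) are the part of this list that is most often automated. As an added illustration, not code from the original page or from the Cavelo platform, the Python below scans a small set of constructed sample records, detects personal-data elements with pattern matching (plus a Luhn check so that random digit strings are not reported as card numbers), builds an inventory keyed by the system and field the data was found in, and assigns each field the highest sensitivity label of any element it contains. The detector patterns, the labels `internal`/`confidential`/`restricted`, the `SAMPLE_RECORDS` and the default label for fields with no personal data are all assumptions chosen for the example.

```python
"""Data discovery and classification over constructed sample records.

Added example for this page; not Cavelo's product code. The detectors, the
sensitivity labels and the sample records are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample data: each record names the system and field it came from.
SAMPLE_RECORDS = [
    {"system": "crm", "field": "notes",
     "value": "Call Jane at jane.doe@example.com or 555-867-5309"},
    {"system": "crm", "field": "notes", "value": "Renewal scheduled for Q3"},
    {"system": "crm", "field": "stage", "value": "Negotiation"},
    {"system": "billing", "field": "card", "value": "4111 1111 1111 1111"},
    {"system": "billing", "field": "card", "value": "1234 5678 9012 3456"},  # fails Luhn
    {"system": "hr", "field": "ssn", "value": "123-45-6789"},
]

# Assumed sensitivity scale, lowest to highest.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Detectors (assumed): element name -> (pattern, optional validator, label).
DETECTORS = {
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), None, "confidential"),
    "phone": (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), None, "confidential"),
    "card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"),
             lambda m: luhn_ok(re.sub(r"\D", "", m)), "restricted"),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None, "restricted"),
}


def detect(value: str) -> list:
    """Return the names of the personal-data elements found in one value."""
    found = []
    for name, (pattern, validator, _label) in DETECTORS.items():
        for match in pattern.findall(value):
            if validator is None or validator(match):
                found.append(name)
                break               # one hit per element type is enough
    return found


def build_inventory(records) -> dict:
    """Personal data inventory: (system, field) -> set of elements found there."""
    inventory = defaultdict(set)
    for rec in records:
        for element in detect(rec["value"]):
            inventory[(rec["system"], rec["field"])].add(element)
    return dict(inventory)


def classify(records) -> dict:
    """Label every (system, field) with the highest sensitivity of its elements.

    Fields holding no detected personal data default to 'internal' (assumption).
    """
    inventory = build_inventory(records)
    labels = {}
    for rec in records:
        key = (rec["system"], rec["field"])
        best = "internal"
        for element in inventory.get(key, ()):
            label = DETECTORS[element][2]
            if SENSITIVITY_RANK[label] > SENSITIVITY_RANK[best]:
                best = label
        labels[key] = best
    return labels


if __name__ == "__main__":
    for key, elements in sorted(build_inventory(SAMPLE_RECORDS).items()):
        print(f"{key[0]}.{key[1]}: {sorted(elements)}")
    for key, label in sorted(classify(SAMPLE_RECORDS).items()):
        print(f"{key[0]}.{key[1]} -> {label}")
```

Two design points carry over to real tooling: the inventory is keyed by where the data lives (system and field), which is exactly what item 1 asks for, and a field is classified by its most sensitive element, so a free-text notes field that occasionally holds an e-mail address is treated as confidential rather than as internal.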

Whether you’re building new security policies and controls or revising an existing cybersecurity program, start with the latest NIST Cybersecurity and Privacy Frameworks and make sure you have scalable tools and automated processes in place that can identify and catalog all data on your network, wherever it lives.

Not sure where to start?

Regulatory compliance programs and initiatives are time intensive and complex. Let’s talk about how Cavelo data discovery and classification aligns to NIST guidelines and other industry requirements your business needs to align to.