Information security and privacy put to the test
In the U.S., the Constitution’s Fourth Amendment protects the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” However, these words conceive personal privacy in physical terms. The advent and explosive growth of the digital world are putting information security and privacy to the test.
At the beginning of the digital age, Sun Microsystems co-founder Scott McNealy famously told Wired magazine (1999), "You have zero privacy anyway ... Get over it."
However, a growing number of information security and privacy laws make it impossible for today's companies to "get over it" when it comes to keeping their customers' data secure.
In the past few years, we have seen an explosion of new laws (both state and federal), new business practices, new diligence on the part of regulatory agencies, new international mandates, and more sensitive judicial decisions on privacy.
These new and expanding rules directly respond to the ratcheting up of the risks we face in our expanding digital world. Every day more personal information is made available on the web or, worse, the dark web.
More data provokes the need for more information security and privacy
We are witnessing and taking part in the greatest information technology revolution in the history of mankind as our society undergoes the transition to a fully digital world.
As these technologies expand, so does the sheer volume of information handled by billions of lines of code and millions of applications on every type of computing platform, from smart watches to mainframes.
Far from being something we can just “get over,” privacy as a concept is perhaps even more relevant now, as the sheer volume of personal data about any given individual is so much larger than ever before.
As a result, along with their core business operations, companies today also find themselves in the personal data business. In other words, they need to become concerned with the confidentiality, integrity, and availability of the data held in their systems.
And they need to take decisive action to make keeping other people’s data secure a priority. Otherwise, they’ll face consequences from compliance regulators, law enforcement, and the public.
In fact, how companies navigate the shifting landscape of digital privacy and security will have a profound impact on both customers’ trust and the bottom line.
NIST’s new best practice guidelines
In response to the challenges companies face managing information security and privacy in our digital world, standards bodies are expanding their best-practice recommendations. For example, in 2018 the National Institute of Standards and Technology (NIST) released an updated draft of one of its key documents toward this goal.
In May 2018, NIST released a second draft of NIST Special Publication 800-37, Revision 2 (the Risk Management Framework, or RMF), for public comment. At the time of writing, the final version was scheduled for release in October 2018.
The earlier draft of NIST Special Publication 800-53, Revision 5, had already provided the first consolidated catalog of security and privacy controls, placing the privacy controls side by side with the broad-based safeguards needed to protect systems and personal privacy.
The release of RMF 2.0 draft kicks the recommendations up several notches.
The draft provides guidelines for a disciplined, structured, and repeatable process by which organizations select, implement, assess, and continuously monitor security and privacy controls, empowering them to take charge of their own protection needs.
To this end, it adds a new organizational preparation step, designed to make risk management processes more timely, effective, efficient, and cost-effective.
The preparation step incorporates concepts from the NIST Cybersecurity Framework to improve communication between senior leaders and executives at the organization and mission/business process levels and the system owners below them, so that acceptable limits for implementing security and privacy controls are conveyed within the established organizational risk tolerance.
Among the benefits are a significantly reduced workload for individual system owners, more customized security and privacy solutions, and a lower overall cost of system development and protection.
NIST RMF 2.0 — Preparation is key
The addition of the Prepare step is one of the key changes in the RMF 2.0 draft.
The purpose of the Prepare step is to carry out essential activities at the organization, mission/business process, and information system levels of the enterprise so that the organization is ready to manage its security and privacy risks using the Risk Management Framework.
According to RMF 2.0, the primary objectives for institutionalizing organization-level and system-level preparation are:
- To facilitate better communication between senior leaders and executives at the organization and mission and business process levels and system owners on the front lines of execution and operation.
- To facilitate organization-wide identification of common controls and the development of organization-wide tailored control baselines, to reduce the workload on individual system owners and the cost of system development and asset protection.
- To reduce the complexity of the information technology (IT) and operations technology (OT) infrastructure using Enterprise Architecture concepts and models to consolidate, optimize, and standardize organizational systems, applications, and services.
- To identify, prioritize, and focus resources on the organization's high-value assets and high-impact systems that require increased levels of protection, taking steps commensurate with the risk to those assets.
NIST recognizes that organizational preparation for RMF execution will vary from one organization to another. Even so, achieving the objectives above can reduce an organization's IT footprint and attack surface, promote IT modernization objectives, conserve security resources, prioritize security activities so that protection strategies focus on the most critical assets and systems, and promote privacy protections for individuals.
Seven tasks for optimal preparation
NIST’s RMF 2.0 recommends these seven tasks to prepare for a stronger information security and privacy infrastructure:
Task 1 — Identify and assign individuals to specific roles associated with security and privacy risk management.
Task 2 — Establish a risk management strategy for the organization that includes a determination of risk tolerance.
Task 3 — Assess organization-wide security and privacy risk and update the results on an ongoing basis.
Task 4 — Establish, document, and publish organization-wide tailored control baselines and/or profiles.
Task 5 — Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.
Task 6 — Prioritize organizational systems with the same impact level.
Task 7 — Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.
RMF 2.0's security and privacy recommendations support the development of stronger, more robust programs by strengthening security foundations, making control implementation more efficient, promoting collaboration, and providing an appropriate level of data protection for systems and individuals.
In this way, companies can take significant strides forward in the ever-expanding job of maintaining the security and privacy of the data that flows through their businesses as the digital revolution continues its rapid expansion.