In the world of information security, if you compare ISO 27001 with the NIST CSF, ISO 27001 is a framework built on sets of principles, while the CSF is much more a set of rules to follow. You ‘comply’ with NIST and ‘follow’ ISO 27001. Best practice is to use the CSF as the basis for the controls you implement within your ISO 27001 framework. Let’s see whether the same holds for GDPR vs. the NIST Privacy Framework:
In recent weeks, the National Institute of Standards and Technology released the latest draft of its new Privacy Framework. The forthcoming Privacy Framework will join NIST’s wildly popular Cybersecurity Framework (CSF) and Risk Management Framework (RMF), and it can’t come a minute too soon. Data privacy and protection has been a rising concern among an increasingly technology-literate consumer base, and state legislation has already started to respond. With the deadline for the European GDPR as well as the impending deadline for the California Consumer Privacy Act, we are only in the early stages of state laws mandating transparent and ethical management of personal data.
This Is Only The Beginning
As we predicted, the CCPA is only the beginning for state-specific legislation around consumer privacy and data protection. The CCPA, modeled after Europe’s GDPR, applies to California residents specifically. Where the law diverges from GDPR, though, is in the sale of personal data – a pressing issue for California residents given the business models of the tech titans of Silicon Valley. The CCPA mandates that covered entities clearly show an “opt out of sale” button for California residents to opt out of data sale.
While not the first state-specific cyber-related legislation, the CCPA is one of the first pieces of consumer-privacy-focused legislation and certainly the most hotly contested, given the regulation it could mean for Silicon Valley. We’ve discussed before, though, that a reactionary check-box approach to compliance yields superfluous effort and poor allocation of resources. In terms of data privacy, however, check-box compliance is all we have so far.
Where’s The Consolidation?
The value of the NIST Cybersecurity Framework from a strategy perspective is that most US industry and state-specific requirements use the CSF as a foundation. In short, adopting the CSF futureproofs an organization and lets it focus on risk-based thinking rather than constantly worrying about the next compliance requirement. To date, however, there has been no comparable data privacy framework. The challenge now is that we are facing a rise in new data privacy regulation, and the NIST Privacy Framework can be for privacy what the CSF is for security. Furthermore, as CyberSaint co-founder and Chief Product Officer Padraic O’Reilly discussed in his NIST’s Golden Trio Webinar, these frameworks (the CSF, the Privacy Framework, and the RMF) are designed to work together and layer on top of one another to support a holistic data security program.