Insights

Why the NIST privacy framework maturity assessment drives organizational value

Mark Keelan, Director, Privacy Practice

Businesses that operate internationally have to account for the fact that not only are there unique privacy laws and regulations per continent (e.g., GDPR in Europe) but also per country (e.g., LGPD in Brazil) and even individual states (such as CCPA/CPRA in California).

Adherence to applicable laws is crucial. Unfortunately, the purchase of a privacy solution does not ensure they have a quality privacy program.

With more and more digital information tracked and stored online and more malicious actors looking to breach firewalls combined with a steady flow of new legislation, companies need a robust and comprehensive privacy policy.

By being good stewards of consumers’ personal identifiable information, companies not only minimize risk but also reduce data request costs and increase customer loyalty and trust. It not only decreases liability but increases organizational value.

It takes significant planning, expertise, comprehensive scope, and adopting world-class standards and measurements. Rome wasn’t built in a day, and neither will be a quality privacy program.

While COVID-19 may have forced some companies to put off upgrading their privacy programs, there is no longer a valid excuse. Now is the time to overhaul your program to ensure it is both measurable and actionable. But with what?

UST has evaluated numerous privacy approaches and concluded that The National Institute of Standards and Technology (NIST) Privacy Framework (PF) offers the best shot at a quality program. As a horizontal standard, it works across industries and verticals.

The NIST Privacy Framework is a tool for improving privacy through a qualitative approach to enterprise risk management. There are many privacy standards out there, but the market consolidating around one standard will help provide clarity for companies interested in data privacy compliance.

Why We Chose NIST

• Since an independent governmental body created NIST PF, it is free to use and does not create commercial conflict amongst different privacy providers.
• It benefits from overlapping with the NIST Cybersecurity Framework, adopted by an estimated 50%+ of the cybersecurity industry.
• It also offers the best privacy framework for companies to follow as they seek better data compliance procedures.

The NIST Privacy Framework is logically structured and designed to help communicate risk across the enterprise. It also overlaps with the NIST Cybersecurity Framework just as privacy and cybersecurity logically overlap. The fact that the NIST Cybersecurity Framework is the dominant standard adds significant weight behind the NIST Privacy Framework that follows suit.

The NIST Privacy Framework has five functions:

1. Identify
2. Govern
3. Control
4. Communicate
5. Protect

Within each of these functions are unique categories and subcategories that outline the characteristics and requirements of data privacy that must be adhered to for a company to be fully compliant and responsible with its data use.

Each function, category, and subcategory corresponds directly to the NIST Cybersecurity Framework, further improving uniformity across organizations as they strengthen their data privacy and cybersecurity operations.

While the NIST Privacy Framework is a good place to start, it is not, however, designed to optimize “value,” nor does it have a “quantitative” measurement ability.

The Capability Maturity Model Integration (CMMI) picks up where the NIST Privacy Framework leaves off and is designed to optimize “value” and “quantitatively” analyze your program. CMMI numerically measures your privacy program maturity/quality while simultaneously providing a process for continuous improvement.

CMMI, which Carnegie Mellon University developed in 1987 for the US Airforce, is useful in translating these qualitative characteristics into a quantitative score, providing a definitive measure of data maturity. In addition, there are decades of successful use cases that used CMMI for measuring and improving business processes.

CMMI Maturity Levels

1. Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget
2. Managed: On a project level. Projects are planned, performed, measured and controlled
3. Defined: Proactive, rather than reactive. Organization-wide standards provide guidance across projects, programs and portfolios
4. Quantitatively managed: Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders
5. Optimizing: Stable and flexible. The organization is focused on continuous improvement and is built to pivot and respond to opportunities and changes. The organization’s stability provides a platform for agility and innovation

If you are interested in learning more about how to make sure your organization complies with growing data regulations, UST PrivacyProof, in partnership with Salesforce®, has developed a free assessment for companies to take to understand how they score in the area of data maturity. This assessment follows both the NIST PF and CMMI, providing a measurable understanding of your current situation and how to improve your privacy and data management.

Learn more here.