NIST Frameworks for GDPR requirements compliance are equivalent to the ISO 27001 Standard and have recently received updates to better meet the consumer data privacy requirements.
The management of privacy as well as security of consumer data is one of the most dynamic challenges facing organizations across industries and geographic boundaries. At the same time, enterprises are also making efforts to attain compliance with an array of national, regional and international regulatory updates on existing laws as well as new regulations. The most recent one in this regard is the EU GDPR (General Data Protection Regulation). Months into the GDPR now, we tried delving into the challenges and attempted to seek some solutions.
The GDPR, in an attempt to enforce security of EU consumer data, has put the onus on data controllers and processors within its geographic boundaries and beyond. Organizations in North America and Europe are now wisely seeking to use the National Institute of Standards and Technology (NIST) frameworks like SP 800-53, the Cybersecurity Framework (CSF), and the newly updated NIST Risk Management Framework (RMF). The NIST SP (Special Publication) 800 series, and NIST SP 800-53 in particular, can be used successfully for an entity’s GDPR requirements because it contains multiple recommendations that meet several requirements under Article 32 of the GDPR.
NIST has published a Cybersecurity Framework (CSF) which consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The CSF was originally intended for use by organizations operating within the sixteen sectors designated as critical infrastructure by the Department of Homeland Security. However, several other commercial industries have embraced the CSF standard.
The primary areas in the control families include identification, protection, detection, response and recovery measures. The framework has been designed in a flexible and cost-effective manner aimed at promoting the protection and resilience of critical Federal and private infrastructure across various industry sectors.
The framework and NIST recommendations serve as ready-to-use tools for customizing business processes while keeping the organization’s larger business goals intact. However, it is wise to note that one has to start by implementing general solutions, and then move on to carrying out the specific security guidance, leveraging robust management tools.
The NIST publications provide detailed and valuable insights and guidance for creating a robust information security risk management framework. They also provide guidelines for timely review of that framework, so that the security posture is kept up to date and well prepared to mitigate new-age threats.
For example, NIST 800-53A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations,” provides best-practice guidance on security responsibilities for an organization: it emphasizes establishing measures for uninterrupted assessment of existing security practices, in addition to constant evaluation of the procedures in place to keep the framework sound. Thereby, NIST 800-53A helps in creating the fundamentals of a company’s data security and privacy program while at the same time helping in the assessment of the organization’s security and privacy controls and breach response capabilities.
Earlier this year, NIST issued a draft update to the RMF to help businesses address cybersecurity threats as well as individual consumers’ data privacy. The update connects the RMF with NIST’s CSF and is designed to help organizations evaluate and manage risks to their information and systems. While the previous RMF versions mainly focused on cybersecurity protections from external threats, the updated version also focuses on the privacy of individual consumers. This helps organizations to better identify and respond to these risks, including those associated with using individuals’ personally identifiable information (PII).
According to NIST Fellow Ron Ross, “The update provides cross-references so that organizations using the RMF can see where and how the CSF aligns with the current steps in the RMF. Conversely, if you’re using the CSF, you can bring in the RMF and give your organization a robust methodology to manage security and privacy risks.”
For organizations planning to build industry-standard cybersecurity programs that meet GDPR requirements, the update to the RMF has several important objectives which could aid businesses in their efforts. They include: integrating security and privacy into systems development; connecting senior leaders to operations; incorporating supply chain risk management considerations; and supporting security and privacy safeguards.
While NIST frameworks are not international standards and adhering to the CSF and RMF is not mandatory for private companies, they are valuable to companies and commercial organizations because of the importance they attach to data privacy alongside the guidance they provide on implementing strong privacy controls, policies, and procedures.