Introduction to the NIST Privacy Framework


Time
4 hours 7 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:05
Hello. I'm Desiree Green. I will be your instructor for this course. I'm a compliance professional specializing in the areas of cybersecurity and privacy, and I'm also a licensed attorney. I hold a couple of certifications in privacy and cybersecurity, namely the GIAC Information Security Fundamentals
00:23
as well as the Certified Information Privacy Professional through IAPP.
00:28
Feel free to reach out to me via LinkedIn or through email if you wish to connect or if you have any questions regarding the course.
00:39
By the end of this course, students should be able to understand why the NIST Privacy Framework was developed and created,
00:45
demonstrate knowledge of the NIST Privacy Framework Core,
00:48
demonstrate knowledge of the NIST Privacy Framework Profiles as well as the Framework Implementation Tiers, how to adopt the NIST Privacy Framework through the Ready, Set, Go methodology,
01:00
and lastly, comparing the NIST Privacy Framework to other privacy frameworks so that you can make the right determination for what framework works best for your organization.
01:11
The prerequisite that you should take prior to enrolling in this course is the Introduction to Data Privacy course, and the reason for that is that if you're not familiar with data privacy,
01:22
some of the terminology that we may use during this course may sound foreign to you.
01:26
So it's good to have an introduction to data privacy where you've been introduced to some of the laws and regulations that govern data privacy, as well as what it is, so that you'll have a better understanding of how the NIST Privacy Framework should be applied within your organization.
01:46
Really, this course is intended for individuals who have privacy risk management, cybersecurity or other similar roles and responsibilities within their enterprise. That could be anyone, maybe, that sits in a data privacy officer role, a CISO role, or someone who reports to the CISO,
02:06
as well as just others who may have a genuine interest in the subject matter.
02:12
So the syllabus for this course includes 10 modules, and module one will go through an overview of the NIST Privacy Framework.
02:20
In modules two through six, we'll look at the NIST Privacy Framework Core: the functions of Identify, Govern, Control, Communicate, and Protect.
02:29
And module seven will look at the NIST Privacy Framework Profiles.
02:34
And then module eight will move into the NIST Privacy Framework Implementation Tiers.
02:38
Next, in module nine we will look at how to adopt the NIST Privacy Framework. And finally, in module ten we will go through privacy framework comparisons.
02:50
So for this course, I've compiled many resources to help you learn throughout this course. On the previous slide we went through the syllabus, but in the resources tab, you'll also find a study guide to help you through this course.
03:02
There will be two case studies in module nine that will cover how to adopt the NIST Privacy Framework. There'll be multiple references that you can click on, the hyperlinks within the resources tab, throughout a lot of the modules too, to
03:17
get additional information on how you might implement,
03:21
especially within the core functions, really how to look at implementing or adopting, whether it's the function, the category, or the subcategory.
03:31
There will be quizzes in some of the lessons as well. In order to get the certificate of completion for this course, you do have to complete a 20-question assessment.
03:45
So in this video we covered the course objectives, the prerequisites and the syllabus. I hope that you'll join me as we move into module one.
03:53
Welcome to module one of 10, Introduction to the NIST Privacy Framework.
04:00
As we go through this course, I will be showing the course outline and where we currently are within the course. So, as you can see from the slide here, we've completed the introduction and we're now moving into module one, Overview of the NIST Privacy Framework.
04:17
Welcome to lesson 1.1, Privacy Risk Management.
04:25
So the learning objectives that we will cover in this video are what is privacy risk management?
04:30
the difference between cybersecurity risk versus privacy risk, and attributes of a privacy risk management program.
04:39
So what is privacy risk management?
04:41
Privacy risk management is a cross-organizational set of processes that helps organizations to understand how their systems, products and services may create problems for individuals and how to develop effective solutions to manage such risks.
04:55
So I'm sure most of you and your organizations collect personal data of some kind, whether that's from employees or potential employees or customers. And so what privacy risk is focused on is really the risk to those individuals, should something happen to that personal data, whether
05:14
it becomes unavailable
05:15
or its integrity has been violated
05:19
or it's accessed by individuals that have no authority to access that data.
05:25
And we're going to see on the next slide sort of how that plays into impacting the organization as well.
05:34
So why is privacy risk management important?
05:38
The issue is that problems arise from data processing. So from collecting personal data, whether that's from a potential candidate who was applying for a job within your company or a customer who is responding to a marketing campaign,
05:50
or other information that you may be collecting, even from partners or vendors
05:57
or even other individuals. The personal data that you have on hand has the risk of basically being
06:03
accessed by individuals who have no business to access it
06:09
and possibly ending up in the hands of people that intend to sell it to others, whether that's from an identity theft standpoint
06:17
or from some other nefarious standpoint. So problems arise from the data processing that, as you can see here, impact the individual. It's a direct impact on the individual because, as I mentioned before, they could suffer identity theft, and from identity theft comes an economic loss, possibly even embarrassment.
06:36
And this in turn is a resulting impact to the organization, because when individuals' personal data is affected, they can no longer really trust the company is going to protect the information that's been collected from them. So you may see customer abandonment from that,
06:55
you could end up basically paying costs derived from a data breach, whether that's from having to set up a call center to deal with notifying individuals and them being allowed to call in,
07:10
from reputation to your internal culture as well. So it becomes sort of a 360 sort of view here. So the problems arise, and that has a direct impact on the individual and the resulting impact on the organization, and that is why privacy risk management is important.
07:31
So when we start talking about privacy risk, we really want to differentiate that from a cybersecurity risk,
07:38
and those of you that may be taking this course that may work within the cybersecurity field may feel that these are synonymous with each other, but there really is a difference between a cybersecurity risk and a privacy risk, but it doesn't mean that there isn't an overlap.
07:54
So in this instance, a cybersecurity risk is a risk that is associated with a cybersecurity incident arising from loss of confidentiality, integrity, or availability.
08:05
And you'll notice here that a privacy risk is a risk that's defined as being associated with a privacy event arising from data processing. So what this means is it's a risk to basically how that data is handled, possibly, and how it's being stored, how it's being shared with another individual.
08:24
So that's what we mean by a privacy risk. And as you can see, where the overlap is here is that you could have a cybersecurity-related privacy event,
08:33
so it could be that access to personal information basically is compromised, which means that it now becomes a cybersecurity-related privacy event.
08:46
But we do want to show here that there is a clear difference between
08:50
a cybersecurity risk, which is really a security risk, versus a privacy risk, where it's basically a risk
08:58
that stems from events from processing that personal data.
09:05
So, attributes of a privacy risk management program. As we go through this course, you're going to get additional information on how you should be looking to possibly build your privacy management program.
09:18
But really what this is going to show you is how you should be looking to assess how to build that. So your privacy capabilities: this is really looking at what you have, the bandwidth that you have within your company, the resources, funding. You want to know sort of where you stand, because this is really going to help determine how you can build out your program. Next is really privacy requirements. You really want to look to see, and this is where sometimes scoping becomes a concern, because depending on your type of organization, there may or may not be certain
09:52
laws and regulations that are applicable to you. For instance, if you're in healthcare, you have the HIPAA Privacy Rule to be concerned about. If you're in finance, you possibly have GLBA to be concerned with. So if you're not in either of those arenas, those aren't necessarily regulations that you have to be
10:11
compliant with. However,
10:13
if you do business in the EU, or are marketing to individuals within the EU and transferring that data outside of the EU to another country,
10:22
then GDPR could possibly be applicable to you.
10:26
So that's what we're looking at from a privacy requirements standpoint. Once you kind of know what laws and regulations or other privacy requirements you may have to adhere to, and knowing your capabilities, that's when you really get into conducting privacy risk assessments and determining what are the privacy risks to an individual
10:48
and then how does that impact the company, looking at the likelihood of those events occurring, and really trying to lay out the framework for where there are privacy risks within your organization.
11:00
From there, that's when you get into requirements testing, where you're looking to see
11:05
can you be compliant, basically, with your privacy requirements based on the controls that you're putting in place to mitigate risks. And then you want to continue to monitor changing risks. So there may be new laws or regulations that come on the horizon. You want to be able to
11:24
add those possibly to your risk register
11:26
and continue to monitor even the risks that you already have on that register, because sometimes you may be able to reduce the risk level or accept a risk. So just realize that the attributes you're putting in place for your privacy risk management program require continuous monitoring.
11:48
So before we move into the next lesson, let's take a quick quiz.
11:52
So privacy risks are associated with privacy events arising from: one, loss of confidentiality;
11:58
two, loss of integrity; or three, data processing.
12:05
So the correct answer here is data processing. You want to remember that I said that there is a difference between cybersecurity risks and privacy risks, and loss of confidentiality and loss of integrity have more to do with security.
12:18
Data processing is what we're concerned with in data privacy. So it's how you're processing the data that you want to be mindful of.
12:31
So in this video we covered the importance of privacy risk management,
12:35
how privacy risks differ from cyber risks, and privacy risk management practices, looking at the privacy risk management practice areas.
12:43
So I hope you'll join me as we move into lesson 1.2.