As summer turns to fall, our world is settling into the rhythms of life under COVID-19, preparing for another season of sweatpants, existential dread, and peanut butter cups for lunch. The drumbeat of COVID life also involves skyrocketing rates of digital interaction, with all the privacy implications that go along with it. As an enterprise information security professional, you can’t do much about the sweatpants or the peanut butter cups – we’ll call addressing the dread a stretch goal – but you can take concrete steps to build privacy into your organization’s practices to build trust, improve cybersecurity, and reduce enterprise risk.
Here are three key considerations that you can apply broadly to your organizational privacy practices:
- You don’t need to see all the data, all the time. In fact, humans almost never need to see someone’s actual personal information; you usually just need to know whether it meets certain criteria, such as whether someone is over 18. Enabling data to be processed without associating it to an individual is a core concept reflected in the National Institute of Standards and Technology (NIST) Privacy Framework, particularly in the control family of Dissociated Processing. User privacy is protected when the system “blinds” an individual’s identity or activities from exposure beyond what is essential for system functions, as described in NIST IR 8062’s privacy risk management principles. Try it yourself: think about an example of personal data you encounter at work, such as verifying someone’s identity. Do you need to see their full personal information? Wouldn’t it be more helpful to get a yes/no response on whether they have been verified?
- Process data appropriately. To maximize privacy, limit the amount of personal data you collect in the first place. Then ask whether you need to process these data centrally or whether the processing can take place on the user’s device. The same goes for data storage; try to limit maintaining a large “honeypot” of sensitive information. If you determine you need to handle and store the data, make sure to encrypt at rest and in transit, restrict access to databases, and consider deleting unnecessary data. For inspiration, check out the just-released NIST SP 800-53 revision 5, particularly the control family of “personally identifiable information processing and transparency.”
- Don’t repurpose personal information. OK, so you need to process some personal information. The user should be informed and consent to what you are collecting and how it will be used. Do not – repeat, do not! – repurpose personal information for different uses without obtaining further consent. In particular, don’t use personal data to infer anything about individuals’ behavior or activities beyond your original reasons for collection. This helps keep our biases out of IT management as well as protects user privacy.
There’s so much more
The NIST Privacy Framework is an excellent starting point for understanding your needs, constraints, and risk tolerance. It can help you map your current state, create a target state, and implement privacy controls. Are you eager to learn more about the NIST Privacy Framework? Our Director of Digital Identity, Maria Vachino, offers a simple breakdown here.
Easy Dynamics specializes in enterprise ICAM, cybersecurity, and privacy consulting and boasts some of the original authors of the critical NIST identity standards. Reach out to okocak@easydynamics.com to learn more.