Inside Cybersecurity

April 18, 2024

CIS offers new privacy companion guide to go along with popular set of security controls

By Jessica Karins / February 9, 2022

The Center for Internet Security has released a new guide to help organizations address privacy concerns as they implement each of the 18 CIS Critical Security Controls, offering a new tool for integrating privacy protections and cybersecurity best practices.

CIS says the new “Privacy Companion Guide” addresses “some of the privacy implications of the CIS Controls and suggests mitigation approaches. Technical staff may not be aware of topics like regulatory requirements, data protection standards, requirements within partner agreements, and breach disclosure laws, which they need to prepare for reporting. There is no silver bullet to approaching privacy considerations as they are often complex and will vary by country, state, industry, customer type, and other factors.”

The Privacy Guide was developed by information security experts from a range of industries. Its approach is based on other guiding principles for privacy, including the International Association of Privacy Professionals’ Fair Information Practice Principles and the General Data Protection Regulation that is used in the European Union and forms the basis for laws and guidelines in many other countries.

CIS says the information in the guide will be useful for businesses of any size and takes into account privacy concerns of both employees and end users.

“This document provides a bridge between IT security professionals looking to better understand how privacy applies to IT security controls, and privacy or legal professionals who need to better understand how modern technology and IT processes might impact privacy. Hopefully this document can enable a line of communication between these two groups and enhance the overall governance process by which business and legal management communicate with IT and IT security teams,” the guide says.

The document addresses the relevancy of privacy to all 18 of the CIS controls, particularly in areas like data protection, data recovery and account management.

The privacy guide follows the release of version eight of the CIS Controls in May 2021. The latest version shifts the focus to prioritize evolving threats, for example by including more information on cloud computing as opposed to physical devices.

-- Jessica Karins (jkarins@iwpnews.com)