The CIS Controls Privacy Guide provides best practices and guidance for implementing the CIS Critical Security Controls (CIS Controls) while considering the privacy impacts on the workforce, customers, and third-party organizations such as contractors. The Privacy Guide supports the objectives of the CIS Controls by aligning privacy principles and highlighting potential privacy concerns that may arise when using the CIS Controls.
Who Should Use the CIS Controls Privacy Guide?
This Privacy Guide is intended for both IT security professionals, who are familiar with the CIS Controls, and privacy or legal staff within an enterprise. This document provides a bridge between IT security professionals looking to better understand how privacy applies to IT security controls, and privacy or legal professionals who need to better understand how modern technology and IT processes might impact privacy.
Want to learn how you can design a cyber defense program using the CIS Controls? Check out our video below.
The guide enables a line of communication between these two groups and enhances the overall governance process by which business and legal management communicate with IT and cybersecurity teams. Proper data governance helps enterprises better understand the privacy implications associated with implementing specific CIS Controls, and enables them to develop additional mitigations to assist with meeting their privacy objectives. In noting privacy implications of the CIS Controls and suggesting mitigations, the CIS Controls Privacy Guide takes a broad view of privacy, since laws vary from country to country. It’s therefore critical that IT security and privacy teams work in tandem to achieve both regulatory and internal privacy goals.
Adapting the CIS Controls for Privacy
In order to place the CIS Controls in the context of privacy, CIS leveraged the Fair Information Practice Principles (FIPPs) and the General Data Protection Regulation (GDPR). The FIPPs are a set of eight principles that come from the United States Privacy Act of 1974. The GDPR is a multifaceted regulation governing the processing of personal data, as well as other technical aspects of an enterprise, in the European Union and beyond. The essential characteristics of the regulation are to protect personal data as a fundamental right and that privacy is to be respected. Many new privacy regulations across the world are using the GDPR as a framework for privacy law in their own country, state, or region.
Privacy Implications of CIS Controls
For each CIS Control, the following items are considered:
- Privacy Applicability – Explores the degree to which a CIS Control pertains to privacy. Only specific Safeguards within a Control contribute toward privacy. This could include protecting the privacy of employees and customers, but may also include the enterprise’s IT systems.
- Privacy Implications – Includes the privacy issues and/or risks associated with implementing specific CIS Controls.
- Data Collection – This focuses on the types of data collected by the enterprise when implementing a CIS Control. While there is always a specific focus on personally identifiable information (PII), other data types may also be assessed, such as open data, commercial data, and customer data (e.g., information about individuals using a company’s services).
- Data Storage – After data is collected, it must be stored somewhere until it is deleted. This portion analyzes issues associated with storing data, such as where and how it is stored, and the parties involved in the storage process.
- Fair Information Practice Principles – Includes concerns and other information associated with FIPP.
- General Data Protection Regulation Principles – Includes concerns and other information associated with the GDPR principles. Only pre-specified GDPR principles will be listed.
- Additional Discussion – A general guidance area to include relevant tools, products, or threat information that could be of use can be found here.
Looking to the Future of Privacy
Privacy regulations are changing everywhere, and all the time. Our mindset around how to collect and protect enterprise and personnel data needs to adapt to this new reality. Privacy regulations from one country may affect organizations not residing in that country via IT policy or contractual means. Cursory approaches to privacy will be insufficient in the near future. Privacy engineering, privacy risk analysis, and other practices detailed within the CIS Controls Privacy Guide can play an important role in meeting new privacy regulations and maintaining confidence in their approach.