10 min read

Managing Data Privacy through the NIST Privacy Framework

The NIST Privacy Framework is a voluntary tool developed by the National Institute of Standards and Technology (“Privacy Framework,” 2018). In creating it, NIST applied lessons learned from developing the NIST Framework for Improving Critical Infrastructure Cybersecurity (National Institute of Standards and Technology, 2018). Where the NIST Cybersecurity Framework focuses on improving national and commercial security, the NIST Privacy Framework focuses on ensuring the ethical processing of privacy-related data.

The NIST Privacy Framework is composed of three primary systems that mirror the general structure of the NIST Cybersecurity Framework. The first is the “Core,” which lists the activities an organization carries out to achieve specific privacy outcomes; each outcome maps one-to-one to a subcategory. The second is the “Profile,” which gives an overview of the organization’s privacy activities and serves as a tracking mechanism for progress towards desired outcomes, allowing iterative improvement and metrics collection. The third is the Implementation Tier, which provides a holistic view of the health of the program with regard to risk tolerance and business resource allocation. By combining these systems into a single program, organizations can improve data handling while ensuring regulatory compliance across all business functions that handle privacy data (“Privacy Framework,” 2018).

NIST seeks to accomplish three primary goals with the framework. First, it aims to build customer trust by supporting decision making that takes an ethical perspective on the product or service being offered while minimizing individual and societal privacy harms. Second, it seeks to meet compliance obligations now and in the future, both through the existing framework and by publishing updates such as metadata specification documents that allow for greater specificity in data collection (Grassi et al., 2018). Finally, the framework is oriented towards improving privacy communications with all stakeholders internal and external to the organization.

Trust can provide a competitive advantage and most Americans believe they are being tracked by companies online regularly. In fact, six-in-ten adults believe that it is impossible to not be tracked by a company or government in a given day (Turner, 2019).

The NIST Privacy Framework uses a five-step process in the Core stage to accomplish the requirements defined in the Profile stage. The Identify step focuses on developing an understanding of the risk the organization faces when processing privacy data. The Govern step develops the structures required to mitigate privacy data processing risks. The Control step ensures that data management requirements are defined well enough to mitigate data privacy risks. The Communicate step focuses on training and on socializing risk to others. Finally, the Protect step ensures that the data itself is protected through security controls. By applying each step sequentially across all categories, a privacy profile for the business can be created (“Privacy Framework,” 2018).

Using the Tier stage, the overall maturity of each core function can be set relative to the organization’s risk profile. Tier 1 is the “Partial” tier, where a given function is only partially implemented due to a high risk tolerance and a lack of understanding of the risk. Tier 2 is the “Risk Informed” tier, where a function is partly implemented and the business understands the risks of leaving it incomplete. Tier 3 describes a system where the function is implemented and sufficiently rigorous to be repeatable. Tier 4 describes an adaptive response, where the function covers numerous permutations of the risk because it captures many hypothetical scenarios (“Privacy Framework,” 2018). Overall, it is critical for the business to decide what level of maturity is required for each function.

The NIST Privacy Framework comes with benefits and drawbacks. NIST provides an adaptive methodology that is meant to be updated over time as opposed to the less adaptable FIPS system developed by the US government (Hiller & Russell, 2015). Additionally, the NIST Privacy Framework has been found to improve privacy during data breaches through restricting privacy inferences (Landis & Kroll, 2024). One drawback is that the NIST Privacy Framework is a completely decentralized and non-mandatory approach to privacy. However, some argue that this may make it more resilient as there is no driving law behind it which must be updated to make changes to the framework itself (Hiller & Russell, 2015). Overall, the NIST Privacy Framework is a strong, adaptable framework that is highly recommended for use in privacy protection schemes.

The table below provides an implementation of the NIST Privacy Framework for our organization. Each core category is rated at the most applicable tier of control maturity and is fully mapped to a profile that describes how our organization handles it. Specific tools are named where applicable.

Each entry gives the core function and category (with its tier), the subcategories under it, and the profile describing how our organization meets them.

Identify

Inventory and Mapping – Tier 3

Subcategories:
Perform inventory of data processing systems
Perform inventory on roles that process data
Audit categories of individuals that are subject to data collection
Inventory data actions
Inventory data collection purposes
Inventory individual data elements in collected data
Inventory data processing inputs and outputs

Profile:
Use ServiceNow for maintaining formal configuration control of all IT assets including data processing servers. Utilize Wiz.io Cloud Identity Entitlements Manager to control access to data processing roles. Use Datadog Application Performance Monitor to monitor all services associated with data collection and align to requirements in internal engineering documentation. Record data inputs and outputs in the data map created in the Wiz Data Governance Tool.

Business Environment – Tier 3

Subcategories:
Identify organization's roles in data processing
Prioritize organizational mission
Identify systems that support organizational priorities

Profile:
Conduct review of data map and ensure each major section of data map aligns to organizational role. Review mission with stakeholders and discuss if data governance policies align to mission. List systems and rank on a scale of 1-5 graded against criticality in support of organizational priorities.

Risk Assessment – Tier 4

Subcategories:
Provide context for the necessity of data collection systems
Identify data analytics inputs and outputs
Identify problems with data actions
Prioritize risk with identified problems
Respond to risk and implement mitigations

Profile:
Perform data mapping exercise and maintain map under configuration management. Review map with executive leadership quarterly. Perform cyber risk assessment with Information Security team once per year.

Data Processing Ecosystem Risk Management – Tier 3

Subcategories:
Socialize and accept policies for ecosystem risk management
Identify partners in ecosystem then perform risk assessment
Create contracts with parties to meet objectives
Implement interoperability frameworks
Perform audits on processing ecosystem members

Profile:
Maintain registry of stakeholders across business functions. Perform yearly review with stakeholders. External stakeholders shall be maintained under contract with contracts reviewed by Legal department every 2 years.

Govern

Governance Policies, Processes, and Procedures – Tier 3

Subcategories:
Define organizational privacy values and instill them
Define employee roles with respect to privacy policy
Align privacy roles to service providers and customers
Manage legal requirements
Ensure GRC policies address privacy risks

Profile:
Our organization values honor, courage, and commitment. We ensure all data collections are accomplished honestly and honorably. We empower our employees to have the courage to report misuse of data. We are committed to our customer privacy concerns and will resolve all issues amicably. Privacy roles are defined in our data governance model and audited regularly. Service accounts are maintained under Privileged Account Management to ensure data collection servers are secured. Legal department has approved all requirements on a yearly review basis.

Risk Management Strategy – Tier 2

Subcategories:
Establish risk management processes
Establish organizational risk tolerance

Profile:
Hold yearly meetings with Legal and executive stakeholders to determine organizational risk tolerance. Risk management processes established using Operational Risk Management framework.

Awareness and Training – Tier 3

Subcategories:
Train workforce, senior executives, privacy personnel, and third parties

Profile:
Established onboarding training with yearly refresher training through Opportunity Lab LMS system.

Monitoring and Review – Tier 3

Subcategories:
Reevaluate privacy risk regularly
Review and update privacy policies
Establish legal requirements, privacy risk mitigations, and problem report processes
Lessons learned process implemented
Policies to track external concerns are created

Profile:
Perform yearly risk assessment with 3rd party risk assessor. Review results with Legal department and work with Training department to add to Lessons Learned document. Ensure that policies exist for communicating with customers and recording customer feedback regarding privacy policies. Review feedback quarterly.

Control

Data Processing Policies, Processes, and Procedures – Tier 3

Subcategories:
Record, maintain, and revoke authorizations for processing permissions
Provide policies for data review, transfer, sharing, disclosure, alteration, and deletion
Maintain policies for allowing data collection subjects to have sharing preferences
Create data lifecycle

Profile:
Maintain list of service accounts in ServiceNow. Grant access only through approved Change Requests recorded in ServiceNow. Ensure policies are regularly updated and available to stakeholders. Use Securiti tool to establish data lifecycle control and data lineage control.

Data Processing Management – Tier 3

Subcategories:
Data elements must be available for review, transmission in a standard format, disclosure, alteration, deletion
Data must be destroyed
Data transmission permissions must be available
Audit logs must be established with privacy data minimization
Data processing technical tests must be available
Stakeholder privacy preferences included

Profile:
Maintain data map in Securiti. Ensure that map is available for review to authorized stakeholders. Ensure that data retention policy accounts for secure deletion of files and multipass shred of paper records. Ensure that data may only be transmitted by authorized individuals. Use Datadog centralized logging system to maintain audit logs for privacy-impacting systems. Maintain database of consumer privacy preferences with easy update capability. Ensure that privacy selections default to an "opt-in" approach.

Disassociated Processing – Tier 2

Subcategories:
Data should be decoupled from individuals
Data should be tokenized
Data processing should be decentralized to avoid identifying the subject
Data collection techniques should mask data elements that are not required at processing time
Pass attributes by reference rather than by value when possible

Profile:
Data was evaluated and anonymized to the maximum extent possible. Individual names were replaced with an internal serial number which cannot be referenced back to the original user. Data processing strictly uses user serial numbers in all situations to avoid referencing the data subject directly. As part of anonymizing efforts, Date of Birth and Gender were removed from the data collection scheme as they were not necessary for privacy data processing.

Communicate

Communication Policies, Processes, and Procedures – Tier 2

Subcategories:
Establish data use transparency policies
Establish roles for communicating data processing purposes and risks

Profile:
Data transparency policies created and stored in ServiceNow repository. Public version is available on the website in the Privacy Policy section.

Data Processing Awareness – Tier 4

Subcategories:
Mechanisms for communicating privacy practices are established
Mechanisms for receiving feedback from data subjects are established
Data processing visibility is provided
Records of data sharing are available to data subjects
Data corrections or deletions can be communicated
Data lineage is maintained
During a breach, impacted subjects can be notified
Breach playbook for data subject protection is established

Profile:
Quarterly privacy reports are available for download on website. Report allows for direct feedback to be submitted which is anonymized prior to collection. Users may use a special PIN provided to reference their user serial number for data correction as required. Data lineage is maintained in Securiti and Wiz data governance tools. Playbook for data breach incident response has been updated with an automation script to notify users of a privacy data impact and may be run by a designated member of the privacy team. Retainer established with Norton LifeLock to ensure that credit monitoring will be provided to impacted users in the event of a breach.
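The following Python program is an added example, not part of the original document or the organization's own tooling. It illustrates two profiles together: the Disassociated Processing profile above (a random serial number stands in for the name, Date of Birth and Gender are dropped, and processing only ever sees serials) and the PIN-based correction lookup and breach-notification step in this profile. The record layout, the separate vault that holds the serial mapping, the PIN scheme and the sample records are all assumptions made for the example.

```python
"""Pseudonymization with a separately held serial vault, plus PIN-based
correction lookup and breach notification. Added example; record layout,
vault design, PIN scheme and sample records are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Direct identifiers never leave the vault; these two fields are dropped
# entirely because processing does not need them.
DIRECT_IDENTIFIERS = {"name", "email"}
DROPPED_FIELDS = {"date_of_birth", "gender"}


@dataclass(frozen=True)
class VaultEntry:
    serial: str
    email: str      # contact channel, used only for notification
    pin_hash: str   # keyed hash of the subject's PIN; the PIN itself is not stored


class SerialVault:
    """The only place that links a person to a serial number. It lives outside
    the processing environment, which sees serials and nothing else."""

    def __init__(self, pin_key: bytes) -> None:
        self._pin_key = pin_key
        self._by_identity: Dict[str, VaultEntry] = {}
        self._by_serial: Dict[str, VaultEntry] = {}

    def _hash_pin(self, pin: str) -> str:
        return hmac.new(self._pin_key, pin.encode(), hashlib.sha256).hexdigest()

    def enrol(self, name: str, email: str) -> Tuple[str, str]:
        """Assign a random serial (not derived from any identifier, so it cannot
        be worked back to the person) and issue a one-time PIN."""
        if name in self._by_identity:
            raise ValueError("subject already enrolled")
        serial = "U-" + secrets.token_hex(6)
        pin = f"{secrets.randbelow(10 ** 8):08d}"
        entry = VaultEntry(serial, email, self._hash_pin(pin))
        self._by_identity[name] = entry
        self._by_serial[serial] = entry
        return serial, pin

    def serial_for_pin(self, pin: str) -> Optional[str]:
        """Correction path: the subject presents their PIN and receives the serial
        under which their data is processed; no name is involved."""
        digest = self._hash_pin(pin)
        for entry in self._by_serial.values():
            if hmac.compare_digest(entry.pin_hash, digest):
                return entry.serial
        return None

    def contacts_for(self, serials: Iterable[str]) -> List[str]:
        """Breach notification: resolve impacted serials to contact addresses."""
        return [self._by_serial[s].email for s in serials if s in self._by_serial]


def pseudonymize(record: dict, vault: SerialVault) -> Tuple[dict, str]:
    """Produce the processing-side record: serial in place of identifiers,
    unneeded fields removed. Returns the record and the subject's PIN."""
    serial, pin = vault.enrol(record["name"], record["email"])
    kept = {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k not in DROPPED_FIELDS}
    kept["serial"] = serial
    return kept, pin


def breach_notification_list(impacted_serials: Iterable[str], vault: SerialVault) -> List[str]:
    """What the incident playbook script needs: addresses for impacted serials."""
    return vault.contacts_for(impacted_serials)


# Constructed sample input, not real data.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "date_of_birth": "1990-01-01", "gender": "F", "plan": "basic"},
    {"name": "Bob Example", "email": "bob@example.com",
     "date_of_birth": "1985-06-30", "gender": "M", "plan": "premium"},
]


def run_pipeline(records: Optional[List[dict]] = None):
    """Pseudonymize all records; returns (vault, processing records, PIN by serial)."""
    vault = SerialVault(secrets.token_bytes(32))
    processed: List[dict] = []
    pins: Dict[str, str] = {}
    for rec in (records if records is not None else SAMPLE_RECORDS):
        out, pin = pseudonymize(rec, vault)
        processed.append(out)
        pins[out["serial"]] = pin
    return vault, processed, pins


if __name__ == "__main__":
    vault, processed, pins = run_pipeline()
    print(processed)
    serial = processed[0]["serial"]
    print(vault.serial_for_pin(pins[serial]) == serial)
    print(breach_notification_list([serial], vault))
```

The point of the split is that the processing records carry nothing a breach of the processing environment could tie back to a person; only the vault can turn a serial into a contact address, which is exactly the step the notification script needs and the only place it should run.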

Protect

Data Protection Policies, Processes, and Procedures – Tier 3

Subcategories:
Maintain basic configuration control, change board management, backups, physical security, and protection of assets
Evaluate asset protection practices
Provide a response and recovery plan for assets
Ensure human resources is involved in data privacy (i.e., onboarding)
Establish cyber vulnerability management plan

Profile:
Configuration Control is maintained in ServiceNow. This includes change board management. Backups are maintained using our SaaS backup solution. Ransomware decryption protection is provided through Rubrik. Physical security is provided through Allied Security and includes implementing badge readers, motion-activated alerting on fencing, security cameras, and a new mantrap to access the server room. Quarterly response and recovery plans are executed as part of the disaster recovery exercise plan.

Identity Management, Authentication, and Access Control – Tier 3

Subcategories:
Ensure identities and credentials are issued, managed, verified, revoked, and audited for individuals and devices
Manage physical and remote access to devices
Manage access permissions using least privilege and separation of duties
Utilize network protection schemes such as network segregation
Ensure transactional risk is accounted for with device safety requirements

Profile:
Established robust playbook for onboarding. Users are provisioned immediately into required credentials. These credentials are tracked and automatically audited periodically and during special conditions such as security alerts. User devices are tracked in ServiceNow, with highly privileged users or users with access to privacy data being subject to more intense audit playbooks. Upon termination, a fully automated process is run to deprovision the user and immediately lock them out of sensitive services and servers. Users are not permitted to have local administrator rights nor utilize administrative functions on their own device. Bastion hosts and Privileged Access Workstations are used to ensure administrative credentials are not misused. Users are not overly provisioned with special access, to ensure adequate separation of duties. Network segregation is accomplished using both traditional VLAN segregation and Zero Trust architecture. Any system conducting sensitive transactions is hosted in a special segregated VLAN where normal network traffic is blocked.

Data Security – Tier 3

Subcategories:
Protect data-at-rest, data-in-transit
Manage assets through full lifecycle
Ensure availability, confidentiality, and integrity are maintained
Segregate production and development environments
Utilize system integrity checks

Profile:
Maintain all privacy data on encrypted S3 buckets. Ensure TLS 1.3 in use on all servers involving data privacy transmissions. Do not send unencrypted data privacy packets. Maintain data privacy processing servers on separate subnet. Ensure S3 buckets with data privacy information have security group permissions restricting access only to the data privacy subnet. Utilize bastion hosts for all maintenance and code update activities. Regular Next Generation Antivirus sweeps are conducted as well as a full Stairwell hash check on critical systems.
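As an added example (not the organization's own configuration or code), the following Python script checks an S3 bucket policy for the two controls this profile calls for: every request must use TLS (expressed with the aws:SecureTransport condition key) and every upload must carry a server-side-encryption header. The bucket ARN, the account id and both policies are constructed placeholders.

```python
"""Static check of an S3 bucket policy for the two controls the Data Security
profile calls for: TLS-only access and server-side encryption on upload.
Added example; the policies are constructed and the bucket ARN and account
id are placeholders."""
import json
from typing import Any, Dict, List

BUCKET_ARN = "arn:aws:s3:::privacy-data-example"   # placeholder


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covered(actions: Any, wanted: str) -> bool:
    """True when a statement's Action field matches `wanted` ("*", "s3:*",
    a trailing-wildcard prefix, or the exact action)."""
    for action in _as_list(actions):
        if action in ("*", wanted):
            return True
        if action.endswith("*") and wanted.startswith(action[:-1]):
            return True
    return False


def _deny_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Deny"]


def denies_insecure_transport(policy: Dict[str, Any]) -> bool:
    """A Deny on reads and writes when aws:SecureTransport is false."""
    for stmt in _deny_statements(policy):
        if not (_action_covered(stmt.get("Action"), "s3:GetObject")
                and _action_covered(stmt.get("Action"), "s3:PutObject")):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        values = [str(v).lower() for v in _as_list(cond.get("aws:SecureTransport"))]
        if "false" in values:
            return True
    return False


def denies_unencrypted_put(policy: Dict[str, Any]) -> bool:
    """A Deny on s3:PutObject when the server-side-encryption header is absent."""
    for stmt in _deny_statements(policy):
        if not _action_covered(stmt.get("Action"), "s3:PutObject"):
            continue
        cond = stmt.get("Condition", {}).get("Null", {})
        values = [str(v).lower() for v in _as_list(cond.get("s3:x-amz-server-side-encryption"))]
        if "true" in values:
            return True
    return False


def review_policy(policy_json: str) -> Dict[str, bool]:
    """Summarise which of the two controls the policy enforces."""
    policy = json.loads(policy_json)
    return {"tls_only": denies_insecure_transport(policy),
            "sse_required": denies_unencrypted_put(policy)}


# Constructed policy that enforces both controls.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
})

# Constructed policy that grants access but enforces neither control.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowProcessingRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/privacy-processing"},  # placeholder
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"},
    ],
})

if __name__ == "__main__":
    print("hardened:", review_policy(HARDENED_POLICY))
    print("weak:", review_policy(WEAK_POLICY))
```

Two caveats a reviewer would note. The Null condition rejects any upload that omits the encryption header, including uploads that rely on bucket default encryption, so the bucket's default-encryption setting and this Deny should be chosen together rather than assumed to overlap. And aws:SecureTransport only distinguishes HTTPS from HTTP; the TLS 1.3 minimum stated in the profile is a separate requirement that the s3:TlsVersion condition key can express and that this script does not check.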

Maintenance – Tier 3

Subcategories:
Repair systems per process
Allow remote repair of systems per process

Profile:
Use the ServiceNow process to manage all device repairs. Do not permit remote desktop tools to be installed by users under any conditions. Only permit RDP tools to be installed by Helpdesk. Generate a security alert for each installation and usage on sensitive endpoints. Remote connections into sensitive systems shall require the system administrator to log their usage each time via Slack message into the security channel.

Protective Technology – Tier 4

Subcategories:
Restrict removable media as necessary
Use principle of least functionality
Protect communication and control networks
Maintain high availability technology solutions

Profile:
Restrict USB access via GPO, Intune Policy objects, and Endpoint Detection and Response rules. Perform monthly audit of Active Directory roles to ensure least privilege. Utilize intrusion detection/prevention system on all privacy subnets with gateway detection rules. Ensure that all privacy data processing servers are maintained on a high-availability Type 1 hypervisor ruleset.

References:

Grassi, P. A., Lefkovitz, N. B., Nadeau, E. M., Galluzzo, R. J., & Dinh, A. T. (2018). Attribute metadata: A proposed schema for evaluating federated attributes (NIST IR 8112). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.IR.8112

Hiller, J. S., & Russell, R. S. (2015). Modalities for Cyber Security and Privacy Resilience: The NIST Approach.

Landis, C. B., & Kroll, J. A. (2024). Mitigating Inference Risks with the NIST Privacy Framework. Proceedings on Privacy Enhancing Technologies, 2024(1), 217–231. https://doi.org/10.56553/popets-2024-0013

National Institute of Standards and Technology. (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (NIST CSWP 04162018). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.04162018

Privacy Framework. (2018). NIST. https://www.nist.gov/privacy-framework

Turner, B. A., Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar and Erica. (2019, November 15). Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information. Pew Research Center: Internet, Science & Tech. https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/