- Contact Us
Take a look at your recent SOC 2 Type ll Service Organization Audit, where there are five Trust Service Criteria (Security, Confidentiality, Processing Integrity, Availability, and Privacy). How about your last Health Insurance Portability and Accountability Act (HIPPA) Audit, where there is a Security Rule and Privacy Rule? Was privacy included in the scope of either audit? Chances are it was not. As an experienced IT audit and security firm, Compass IT Compliance’s IT Auditors review and perform these independent audits all the time, and rarely do we see privacy included in scope - even in the healthcare industry! So why do companies, including audit firms, avoid privacy?
Here is what we are seeing and hearing:
We live in an ever-changing, data-driven society that struggles to balance creating and using innovative products and services that use personal data while still protecting people’s privacy. As a result, individuals may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services.
What has been missing is a common language and practical tool that is flexible enough to address different privacy needs. That is where the National Institute of Standards and Technology (NIST) comes to the rescue. NIST created a new tool for managing these privacy risks.
NIST developed this privacy framework with input from private and public sources. It’s a tool for improving privacy through enterprise risk management, currently titled “NIST Privacy Framework”. It enables better privacy engineering practices that support privacy by design concepts, and it will help organizations protect individuals’ privacy.
The NIST Privacy Framework supports organizations in:
When used as a risk management tool, the NIST Privacy Framework can assist an organization in optimizing beneficial uses of data and the development of systems, products, and services while minimizing negative consequences for individuals. It also helps organizations answer the fundamental question, “How are we considering the impact to individuals as we develop our systems, products, and services?”
The NIST Privacy Framework is flexible, so it can assist in addressing the unique needs of an organization, although it is designed to complement existing business and system development operations. Please reach out to your trusted partner, Compass IT Compliance to see how we can help you get started today!