Begin with the End in Mind
The NIST Privacy Framework is a tool for managing risk. In order to manage risk, you must first understand risk. This first step entails understanding the business, its operations, the clients, customers, vendors, partners and others it interacts with and, most importantly, what it values and, in some cases, doesn’t value. Consistent with the Implementation Tiers in the framework, this can be done at different levels of detail and care, whether it’s more intuitive (“Partial”) or deliberative and systematic (“Optimized”).
1. Develop Your Target Profile
With your mission, business objectives and company values in mind, the next step is to decide what you need to do (from a privacy perspective) to achieve those objectives and live those values. This will directly impact what you need to do for your privacy program. Operating at the Function, Category or Outcome level, we help you identify the procedural steps and substantive components of your desired Target Profile.
2. Find Your Current State
Assuming you’re not starting from a blank slate, you may have some processes in place already. What are they? How do they fit in the privacy framework? Aligning your current work to the framework Functions, Categories or Outcomes will help you get quick wins for the things you’re already doing successfully.
3. Bridge the Gap
You’re never where you want to be. The purpose of a gap analysis is to find the delta between your current state and where you need to be to address privacy risks. For each of the Functions, Categories or Outcomes, you need to know how big the gap is before you can hope to get from point A to point B.
4. Roadmap to Success
Bridging the gap is the penultimate step to success. The ultimate step is to cross that bridge. Developing a roadmap, a prioritized, step-by-step instruction guide, will help you take one step at a time until you cross the finish line. Note that implementation of the roadmap requires another step, one we don’t normally handle but will discuss on a case-by-case basis. In other words, we’ll tell you what policies, procedures, processes and system changes you need, how you should prioritize them, and what resources and timeframe are required, but your organization is tasked with budgeting resources and actually implementing the roadmap.