So it begins the actual work of creating a privacy-centric cybersecurity program. It was a long path that got us here, but you made it! We will divide the work into several phases:

1. Assets: What are we protecting and why?
2. Threats: Who's out there to get us?
3. Vulnerabilities: What are our weak points?
4. Environments: What is our operating environment?
5. Controls: How are we protecting ourselves?
6. Incident Response Planning: When all else fails, what's our plan?

We will deal with each phase separately, breaking down the various steps needed to build your cybersecurity program. Step one is a review of your assets. In my view this is the most critical phase of the program, because without proper asset identification and valuation, you will have no idea of what, or how, to protect it.

As discussed, a prerequisite for all our privacy-focused cybersecurity work will be input from your counterpart who's running the privacy program. She will have gone through the hard work of implementing one of the privacy frameworks, and we'll be the beneficiaries! That's the “privacy metadata intake” we referenced earlier. For our purposes, we'll assume that your counterpart is wicked smart and has implemented the NIST Privacy Framework—that way we can use the NIST terminology throughout our discussions.

You'll recall that we defined assets as anything of value. So what exactly are these things of value ...