NIST Cyber Security Framework

NIST Privacy Framework: A tool for improving privacy and enterprise risk

Greg Belding
July 26, 2021 by
Greg Belding

Data drives the world today and organizations have the responsibility to balance the increasing use of personal data with protecting privacy. You know what they say privacy is the ultimate luxury. All adages aside, something needs to be done to help organizations with this balancing act. The National Institute of Standards and Technology (NIST) has created a voluntary tool to help with this called the NIST Privacy Framework. 

Get NIST CSF training

Get NIST CSF training

Build your understanding of the NIST Cyber Security Framework with seven courses taught by Ross Casanova.

Why privacy is important for enterprise organizations

Privacy is the ultimate luxury and organizations should know this. After all, what is an organization without the people that it works with daily to both conduct business let alone function? Moreover, privacy is embedded in the United States Constitution as an underpinning of many of the rights and freedoms that we all enjoy. Simply put, privacy is an integral part of life and this extends to the personal information that people give to organizations, with the assumption that the organization will do its due diligence in protecting the privacy of said information.

When an organization does not pay attention to the privacy of its clientele, it can lead to reputation loss as well as loss of revenue and lawsuits involving breach of privacy. NIST created the NIST Privacy Framework to account for the rising importance of privacy for organizations where regulatory obligations alone cannot adequately give the privacy protection that the organization needs, as well as for organizations that simply need a guiding hand in improving their data privacy practices.

What is the NIST Privacy Framework?

The NIST Privacy Framework is a new tool that organizations can use to manage privacy risks. This framework offers helpful privacy protection strategies that allow organizations that follow the framework to improve their approach to both protecting and using personal data. It also offers privacy risk management concept guidance that organizations can use as a guiding light as they improve their data privacy practices. 

In practice, the NIST Privacy Framework assists organizations in identifying the privacy outcomes that are desirable to the organizations as well as the prioritized actions that will get the organization to these outcomes. It is important to note that as useful as the NIST Privacy Framework is, it is voluntary for organizations to use the framework that is law agnostic, so you can use it anywhere.

How does the NIST Privacy Framework fit alongside the NIST Cybersecurity Framework?

Part of what the NIST Privacy Framework has to offer is that it was made to complement the NIST Cybersecurity Framework. The NIST Privacy Framework, which is currently on version 1.0, was modeled after the Cybersecurity Framework and was built to fill in the proverbial gaps in the NIST Cybersecurity Framework. After all, while the Cybersecurity Framework covers cybersecurity, it does not touch upon privacy very much. This is where the NIST Privacy Framework comes into play and practically speaking, if you are using one of these frameworks, you may want to think about using the other as well. It should be noted that both frameworks were intended to be regularly updated with future versions accounting for changes in technology.

NIST Privacy Framework components

The NIST Privacy Framework is made up of three components:

  1. Core
  2. Profile
  3. Implementation tiers

Core

This component is a group of increasingly granular privacy protection activities and outcomes that allow for prioritized communication across the organization from top to bottom for managing privacy risk. Core is composed of functions, categories and subcategories. Let’s look at the functions, presented below. Functions are the highest-level foundational privacy activities for organizations meant to tackle the dynamic nature of privacy and privacy risk as a whole:

  • Identify-P: develop the organizational understanding to manage privacy risks for individuals arising from data processing. These activities are foundational to the effective use of the framework.
  • Govern-P: develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities (informed by privacy risk).
  • Control-P: develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  • Communicate-P: develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
  • Protect-P: develop and implement appropriate data processing safeguards.

Profile

This component is used to describe the current state and target state (or desired state) of specific privacy activities. Using the functions, categories and subcategories from the Core component, the profile shows where you are and where you want to go in terms of data privacy activities.

Implementation tiers

This component describes the tiers organizations should use for decision-making regarding managing privacy risks. Selecting tiers should be based on your target profile and how getting there may be helped or hampered by your current risk management practices. These tiers are:

  1. Partial
  2. Risk informed
  3. Repeatable
  4. Adaptive

Progression to higher tiers is intended for times when your resources or processes how they currently are will not be sufficient to manage privacy risk.

Privacy risk assessment

Privacy risk assessments identify and evaluate specific privacy risks that help organizations weigh the benefits and risks associated with data privacy to produce the right response for the situation. Response approaches are:

  • Mitigating the risk
  • Transferring or sharing the risk
  • Avoiding the risk
  • Accepting the risk

The real power of privacy risk assessments is they help you understand the context of the values you want to protect, the methods to employ privacy protection measures as well as how to balance the implementation of different types of privacy protection measures when needed. It not only gives you the big picture but shows a balanced approach where multiple competing privacy protection measures are used.

The importance of data privacy and the NIST Privacy Framework

Privacy of data is going to be an important issue for organizations for years to come and there is no end in sight. To help guide organizations, NIST released its Privacy Framework that is intended to be used in tandem with the NIST Cybersecurity Framework. The NIST Privacy Framework is voluntary; however, when your organization is facing privacy issues that your current data privacy activities are not adequately handling, the NIST Privacy Framework may be just what the doctor ordered.

 

Sources:

NIST Privacy Framework. NIST.

The growing importance of privacy and confidentiality. Wipro.

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.