Article
NIST releases version 1.0 of its privacy framework
Feb. 17, 2020 · Authored by Mike Vanderbilt, Rachael Reinis
In response to an increasingly complex data privacy regulatory environment, the National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework, subtitled “A Tool for Improving Privacy Through Enterprise Risk Management.” NIST intends the framework “to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction.” Given that current privacy regulations apply to a host of different industries, the NIST framework was built to help all organizations create a foundation for their data privacy practices and quickly adapt to the various compliance requirements.
NIST Privacy Framework overview
Somewhat similarly to how the International Organization for Standardization (ISO) 27701 guideline for privacy information management is an extension of ISO 27001; the NIST Privacy Framework was built with the same structure as the NIST Cybersecurity Framework (CSF), allowing the two to be used together and resulting in a more innovative and effective solution.
The framework is made-up of three components: the Core, Profiles and Implementation Tiers.
- The Core is built to allow collective communication from the C-suite to the technical team about the privacy activities and outcomes that are of biggest importance to the organization. The framework defines five key Functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, each with their own categories and subcategories adding granularity along the way. (Those familiar with the NIST CSF should recognize these terms). These elements work together to provide a holistic view of the privacy activities needed within an organization. The terminology and acronyms allow consistent communication across departments and teams.
- The Profile allows the organization to assess their “as-is” state and set a clear target, or “to-be” state using the Core. Organizations can use the Core to create their “as-is” Profile – assessing existing processes and capabilities against the categories and subcategories prescribed under each Function. The next step is to create the “to-be” or target profile. It is important to note that NIST points out “organizations may not need to achieve every outcome or activity reflected in the Core” and it is for these reasons that there are no template Profiles provided.
- The
