NIST has released Version 1.0 of its privacy risk framework. The draft version of the NIST Privacy Risk Framework was released for comment in September 2019. Further, the present version incorporates the feedback and provides guidance for organizations working to improve their practices.
It’s complementary to the NIST Cybersecurity Framework. Security and privacy are closely related, but having secure data doesn’t necessarily mean privacy is being appropriately guarded. Privacy depends on information handling policies and safeguards as well as technical protection.
The framework isn’t a legally binding regulation or even a standard to comply with. Rather, it’s a way of organizing the issues that need addressing and measuring progress with them. It helps evaluate and document compliance with privacy requirements and standards such as the ones in GDPR, HIPAA, and CCPA.
Naomi Lefkovitz, the leader of the framework effort, said in its announcement that “you need a framework for privacy risk management, not just a checklist of tasks. You need an approach that allows you to continually reevaluate and adjust to new risks.”
Overview of the NIST Privacy Risk Framework
The framework consists of three main components: the core, profiles, and implementation tiers.
The core of the framework defines a set of activities and outcomes, aimed at talking clearly and consistently about privacy risk. They are defined at three levels: functions, categories, and subcategories. They aren’t intended as a checklist, but rather as ongoing processes for achieving what is often a moving target.
Profiles are sets of functions, categories, and subcategories that fit an organization’s priorities. They let the organization describe its current state of privacy management and compare it with where they want to be.
Implementation tiers measure the level of privacy risk awareness and management under a profile. There are four tiers, characterized by increasing levels of awareness and adaptability. Not everyone needs to reach the highest tier, but organizations should know what they’ve achieved and would like to achieve.
The Framework Core
At the highest level, the core of the NIST Privacy Risk Framework defines five functions, all named with the suffix “P”. In fact, this letter aids in distinguishing them from functions in the Cybersecurity Framework and elsewhere.
Identify-P: Developing organizational understanding. It includes taking an inventory of data processing practices, understanding what privacy interests are involved, and conducting risk assessments.
Govern-P: Setting up governance policies related to privacy. The approach to governance needs to consider regulatory requirements and the acceptable level of risk tolerance.
Control-P: Setting up data management activities to handle privacy risks. Indeed, these activities apply to the organizational level and to individuals who handle data.
Communicate-P: Developing and implementing activities supporting communications on how data is processed and what the privacy risks are.
Protect-P: Setting up data processing safeguards for privacy. Further, this function deals with the intersection of privacy and cybersecurity.
Categories subdivide functions into groups of privacy outcomes. Subcategories relate to specific technical and management activities. The subcategories provide the most concrete guidance for achieving the goals defined in a profile.
The core defines an all-purpose set of goals that an organization may pursue. However, privacy requirements will differ greatly among organizations, and each one needs to determine its priorities. The framework offers profiles as a tool for identifying an organization’s privacy requirements, assessing its current status, and creating a path to where it needs to be.
At least two profiles are necessary. An organization’s current profile describes its present state, using the measures defined in the core. It describes the measures which are in place to the extent that they’re identifiable. Further, the target profile defines where the organization should be. Comparing the two helps to figure out what needs to be done. Any effort at change requires allocating resources, and putting the current and target profiles side by side helps to determine what will be needed.
A large organization may need multiple current and target profiles for its branches and departments. An HR department has different privacy requirements from health service, even if both are under the same top management.
The creators of the NIST framework decided not to offer any profile templates. Indeed, there are just too many different scenarios to reduce to a manageable set of prototypes.
Privacy practices vary not just in their goals but also in the level of detail and agility in pursuing them. Not everything needs the same degree of focus. The NIST Privacy Risk Framework defines four implementation tiers:
Partial: The practices aren’t well formalized and understood. The implementation may be largely ad hoc. This is a risky approach if there’s any private information to protect.
Risk informed: People in the organization understand the issues and are taking some appropriate actions, but high-level coordination is limited. This may be sufficient if the privacy risks aren’t high.
Repeatable: Formal policies and an organization-wide approach to direct privacy management. Privacy specialists handle key issues, and the entire workforce gets training. The organization understands its role in external interactions.
Adaptive: In addition to the Tier 3 activities, the organization adapts its practices to changing needs, and privacy considerations are incorporated into all decision-making processes.
Implementation tiers specify the level of effort that a profile entails. The appropriate tier for a profile depends on factors such as regulatory requirements, the sensitivity of the information, and the organization’s acceptable risk level.
The Role of the Nist Privacy Risk Framework
The point of the NIST Privacy Risk Framework is to help organizations categorize their goals and achievements in protecting privacy. It’s not a tool for calculating a security score, though it could help in designing such tools. It doesn’t prescribe paths, but rather gives a way to describe whatever paths are appropriate and measure their progress. It obtains a broad picture of how information is protected when used with the Cybersecurity Framework.
There are many standards that enumerate specific requirements for protecting privacy. This framework can be useful in achieving compliance with any of them. We can help with achieving your privacy and security gals, including CCPA compliance using Microsoft 365. Thus, to find out more, all you have to do is schedule a call with us.