By: S.E. Williams
October 16, 2020
Course Summary: NIST Privacy Framework
Overview of the NIST Privacy Framework
The data-processing ecosystem of business environments is often highly complex and dynamic, with ever-changing interconnected relationships (Green, 2020). In such environments, every role, depending on its responsibilities, may use privacy-related data for varying outcomes. Implementing the NIST Privacy Framework gives an organization a method to better manage all its systems, controls, and privacy processes. This implementation becomes significant in identifying the organization’s privacy governance objectives.
Why use the NIST Privacy Framework?
If you happen to be in a C-level position, one word sums up why your organization should consider implementing the NIST Privacy Framework: accountability. How well you understand the Privacy Framework, and whether you choose to implement it, directly shapes the attitudes and actions that determine how effectively your organization maintains the confidentiality of privacy-related data.
Accountability for protecting privacy data at the senior executive level can result in the business and process management levels buying into the organization’s values and activities for safeguarding privacy assets. That buy-in is likely to increase collaboration at the development and operations levels, making it easier to follow policies, guidelines, standards, and procedures and to support the organization’s overall compliance and regulatory obligations to protect private information. Overall, accountability ensures that collaboration and communication flow from the top down to support and strengthen the governance of privacy risk controls.
The NIST Privacy Framework Structure
At first glance, the NIST Privacy Framework will be very familiar to cybersecurity professionals already working with the NIST Cybersecurity Framework (NIST CSF). Where the NIST CSF is structured into functional domains (Identify, Protect, Detect, Respond, and Recover), the Privacy Framework is structured into three functional domains: Core, Profiles, and Implementation. The Privacy Framework follows the same mapping and diagnostic numbering scheme as the NIST CSF. For example, the NIST CSF category of Identify/Responding to Risk (ID.RA) carries an added “-P” suffix in the Privacy Framework, so ID.RA-P designates the corresponding Privacy Framework category.
The Three Functions: Core, Profiles, and Implementation
Function 1 - The Core: Five functions, 18 categories, and 100 subcategories comprise the Core. The Core uses a number of diagnostic statements to understand the privacy activities and outcomes related to the organization’s practices towards meeting regulatory and legal compliance.
The Core’s five functions are:
- Identify-P (ID-P)
- Govern-P (GV-P)
- Control-P (CT-P)
- Communicate-P (CM-P)
- Protect-P (PR-P)
A “function” groups privacy-related activities. One step below a function is a “category,” which describes the conditions on which the activity is based. Last, a “sub-category” narrows the focus of a category down to a technical and/or management activity. When combined, the functions, categories, and sub-categories are used to reach specified outcomes that feed an overall assessment score for the privacy-related activity.
For example, the Identify-P (ID-P) “function” addresses how an organization manages privacy risk for individuals as it relates to data processing. Within the ID-P function, the category of Inventory and Mapping (ID.IM-P) drills down to how data processing is conducted in systems, products, and services in order to reduce risk. Next, the sub-category further refines the focus to the specific conditions of the privacy-related activity; for instance, ID.IM-P1 reviews the actual inventories of each system, product, and service that processes data. The Privacy Framework presents this structure in a worksheet/spreadsheet-type format.
Function #2 - Profiles: Composed of selected functions, categories, and sub-categories, the “Profiles” function uses descriptive, diagnostic statements to evaluate the state of the privacy protections in place against the privacy management goals. It is a compare-and-contrast method that helps an organization understand the gaps between the stated Target Profile goals and what is actually being implemented to protect privacy information. Reviewing the Profiles can produce measurable metrics that can be applied to reducing both risk and the cost of effectively implementing controls.
Function #3 - Implementation (Tiers): Target Profiles are the goals and outcomes the organization needs to achieve to reduce and manage privacy-related risk. Profiles are used to identify specific activities related to the resources available to manage risk for those activities. Target Profiles are additionally used by the organization to select and implement a tiering level. Tiers define the nature of the privacy risk (e.g., from the company’s products, services, and systems) against the available resources to address those risks.
The Four Tiers are:
- Tier 1 Partial,
- Tier 2 Risk-Informed,
- Tier 3 Repeatable, and
- Tier 4 Adaptive.
Tiering in the Privacy Framework is considerably different from the tiering process of the NIST CSF. Tiering in the Privacy Framework corresponds to the varying degrees of formalization of how privacy is managed, while tiering in the NIST CSF addresses the organization’s impact on critical infrastructure and is specific to cybersecurity risks and controls.
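The Profile comparison described above (Target Profile versus what is currently implemented, grouped by Core function) as a small added example; this is illustration code written for this summary, not a NIST tool. Only ID.IM-P1 and the ID.RA-P prefix are named on the page; the other subcategory IDs are placeholders that follow the same Function.Category-Pn naming scheme.

```python
"""Profile gap analysis modelled on the NIST Privacy Framework structure.

Constructed illustration: a Profile is the set of Core subcategories an
organization selects. The Current Profile records what is implemented today,
the Target Profile what the organization needs. The gap is every Target
subcategory missing from the Current Profile, reported per Core function.
"""
from __future__ import annotations

from collections import defaultdict

# The five Core functions, keyed by the two-letter prefix of a subcategory ID.
FUNCTIONS = {"ID": "Identify-P", "GV": "Govern-P", "CT": "Control-P",
             "CM": "Communicate-P", "PR": "Protect-P"}


def function_of(subcategory_id: str) -> str:
    """Map an ID such as 'ID.IM-P1' to its Core function ('Identify-P')."""
    prefix = subcategory_id.split(".", 1)[0]
    return FUNCTIONS[prefix]


def profile_gaps(target: set[str], current: set[str]) -> dict[str, list[str]]:
    """Target subcategories not yet implemented, grouped by Core function."""
    gaps: dict[str, list[str]] = defaultdict(list)
    for sub in sorted(target - current):
        gaps[function_of(sub)].append(sub)
    return dict(gaps)


def coverage(target: set[str], current: set[str]) -> dict[str, float]:
    """Fraction (0.0-1.0) of Target subcategories implemented, per function."""
    total: dict[str, int] = defaultdict(int)
    done: dict[str, int] = defaultdict(int)
    for sub in target:
        fn = function_of(sub)
        total[fn] += 1
        if sub in current:
            done[fn] += 1
    return {fn: done[fn] / n for fn, n in total.items()}


# Constructed sample profiles; IDs other than ID.IM-P1 are placeholders.
TARGET_PROFILE = {"ID.IM-P1", "ID.IM-P2", "ID.RA-P1",
                  "GV.PO-P1", "CT.DM-P1", "PR.DS-P1"}
CURRENT_PROFILE = {"ID.IM-P1", "GV.PO-P1", "PR.DS-P1"}

if __name__ == "__main__":
    for fn, subs in profile_gaps(TARGET_PROFILE, CURRENT_PROFILE).items():
        print(f"{fn}: missing {', '.join(subs)}")
    for fn, frac in coverage(TARGET_PROFILE, CURRENT_PROFILE).items():
        print(f"{fn}: {frac:.0%} of Target implemented")
```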
Benefits of the NIST Privacy Framework
The NIST Privacy Framework can be used in conjunction with other privacy frameworks, such as the COBIT Framework. Commonalities between privacy frameworks include risk-based assessments, process-focused mapping for better control of privacy in specific environments, and performance-based evaluations of an organization’s privacy procedures and processes. For example, the NIST Privacy Framework’s functional category of Identify (Inventory and Mapping, ID.IM-P) is aligned with COBIT’s Governance/Management Objective, as both aim to evaluate the design, development, and management of privacy risk in an organization’s systems, services, products, and applications (Ookeditse, 2020).
Joe Roe, of CMSWire, wrote about the benefits of using the NIST Privacy Framework. He reports that the Privacy Framework allows companies to develop apps, services, and products that meet privacy-compliance requirements from the initial development phases. He explained that the Privacy Framework can work in conjunction with the NIST Cybersecurity Framework (NIST CSF) to better assess how the various elements of data privacy and security controls (collection, use, data flow, storage) are being managed to reduce and/or mitigate risk (Roe, 2020). Roe adds that the Privacy Framework can help identify activities that protect the organization from individual malicious intent, allowing companies to review, assess, and make procedural changes to their privacy tools (Roe, 2020).
Last, in this writer’s opinion, the NIST Privacy Framework is a cost-effective tool (it is free) that allows organizations to customize the management of privacy-related risk while establishing a team project that can have everyone’s buy-in. It is an easy, due-diligence-based, and customizable tool for understanding and gauging privacy issues across all facets of an organization.
Interested in Learning More?
Cybrary is currently offering a course on the NIST Privacy Framework. The course details each component of the Privacy Framework and how to use it. Cybrary’s presentation also provides realistic examples of how to scope and tailor the privacy framework to better suit your organization’s needs to improve management and reduce privacy risk.
Green, D. (September 2020). The NIST Privacy Framework. Cybrary. Retrieved September 26, 2020, from https://www.cybrary.it/course/nist-privacy-framework/
NIST. (January 16, 2020). NIST Privacy Framework: A tool for improving privacy through enterprise risk management, version 1.0 (pp. 6-7). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.01162020
NIST. (April 9, 2020). New to the Framework: Overview and privacy risk management approach. National Institute of Standards and Technology, U.S. Department of Commerce. Retrieved September 26, 2020, from https://www.nist.gov/privacy-framework/new-framework
Ookeditse, K. (September 23, 2020). Building a privacy focus area using COBIT and the NIST Privacy Framework. ISACA Now Blog. ISACA. Retrieved September 26, 2020, from https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/building-a-privacy-focus-area-using-cobit-and-the-nist-privacy-framework
Roe, D. (January 27, 2020). How the NIST Privacy Framework will help manage data safely. CMS Wire. Simpler Media Group, Inc. Retrieved September 26, 2020, from https://www.cmswire.com/information-management/how-the-nist-privacy-framework-will-help-manage-data-safely/