NIST Privacy Framework 10: An Overview

Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
>> Hello everyone. My name is Chris and I'm Cybrary's instructor for its US Information Privacy course. I hope you're having a great day regardless of where you are, or wherever you are on Google Earth. I've got a pesky raccoon problem. I had to call in a company called Critter Control to get a raccoon that had made residence in my vacant home that I'm getting ready for sale, so my day started off in that fashion. But otherwise I'm happy because once again, I have a chance to talk to you about important privacy-related topics and concepts.

In Lesson 4.1, we're going to continue our discussion on NIST and the long-standing guidance it gives executive branch agencies, and also the public sector, should they choose to implement some of this guidance on privacy and security. In Lesson 4.1, we're going to examine the NIST Privacy Framework. The longer title was "A Tool for Improving Privacy through Enterprise Risk Management," which is important because there is a nexus between good, effective risk management that incorporates privacy into every aspect of an organization at the organizational, mission and business, and information system levels.

We have several learning objectives. We're going to look at the framework's purpose. We're also going to examine the role that privacy risk management, and to some degree privacy engineering, plays in ensuring that those trustworthy systems that collect and process personally identifiable information, and those products and services that do the same, are safe and can provide end-to-end data processing of that precious information without any unauthorized access, while also accounting for authorized usage that may result in a problematic data action, which I'll describe later. We're going to look at the basics of the framework and then we'll conclude with a discussion on Ready, Set, Go, which is the model espoused by the framework when you're trying to establish or improve a privacy program.

Let's get to it. Let's talk about it. I waited for a long time for NIST to finalize a privacy framework just because I was so impressed with the work that it had done on its Cybersecurity Framework. Now, when comparing the two frameworks, they're not mirror images of each other. There is some overlap. You do have areas where cybersecurity focuses more exclusively on ensuring that you're addressing those cybersecurity incidents that might arise because of a lack or loss of confidentiality, integrity, or availability, the CIA triad normally associated with information security. Then you have privacy risks, and that's associated, from the framework's perspective, with looking at those privacy events that might occur during data processing.

When you look at how the framework helps these organizations manage privacy risks, and like I said, this isn't only applicable to the executive branch that has adopted this framework, but also to those private sector companies out there that are also looking to improve their privacy risk management and privacy program management. The framework looks at all aspects of product or service acquisition, development, and deployment to ensure that the data processing that occurs does not place individuals and, more broadly, organizations at risk. It helps them to be able to communicate their privacy practices both internally and externally, and it also promotes cross-organizational workforce collaboration, making sure every level of the organization understands the current state of privacy, the desired state of privacy, and then the desired state of outcomes from implementing good, sound privacy risk management practices and privacy program practices.

I have long been a fan of privacy risk management. That's one reason why I went out and got ISACA's Certified in Risk and Information Systems Control, because I understood the nexus between privacy, information security, and enterprise risk management.

The framework tends to use terms that you might see associated with systems engineering or privacy engineering, like a data action, which is akin to the definition of an information lifecycle: the collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal of sensitive data, in this case PII. Collectively, we would define it as data processing. What we hope to do from a privacy risk management perspective is to look at our systems, our services, our products, and look at where we have gaps in our protections.

Now from a privacy perspective, what we're looking at is that any time you process personally identifiable information, whether it's in a system, a product, or a service, there's an inherent risk. There's a chance that, whether it's authorized or unauthorized use of the system, you're going to have what is known as a problematic data action. That's where we focus our risk efforts: to determine whether we are seeing those problematic data actions, and then what we can do to mitigate the impact of those actions on organizations and individuals. One of the things we can do is periodically conduct the privacy risk assessments that I've talked about before, the privacy threshold analysis and the privacy impact assessment, to identify those deficiencies and then be able to come up with ways to address them. It is through this process that we can establish our risk acceptance levels and our risk tolerance level, so we can make the appropriate risk response, or take the appropriate risk response, whether that's mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk.

Let's talk about the basics of the framework. We have the Core, Profiles, and Implementation Tiers. When we talk about the Core, it consists of Functions, Categories, and Subcategories. Functions are the high-level foundational privacy activities that we're looking at: managing, and also using, risk to mitigate threats or problematic data actions. We have Categories that are groups of privacy outcomes that are linked to programmatic needs and particular activities. Then we have Subcategories that divide those Categories into specific outcomes of technical and/or management activities. The Functions themselves are Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P.

When we talk about Profiles, we're talking about the current state of privacy, or privacy risk management, within an organization; that would be your Current Profile. And then what's the desired outcome? Your Target Profile. And then assessing the gap in between so that the organization can still move toward achieving its desired outcome.

We have the Implementation Tiers, of which we have four. They're there to make sure that organizations have the appropriate resources and capabilities in place so that you can develop and maintain a good privacy risk management program as well as a privacy program. Now those four tiers are Partial for Tier 1, Risk Informed for Tier 2, Repeatable for Tier 3, and Adaptive for Tier 4.

Now, the framework also gives us guidance on how to establish or improve a privacy program by using three steps: Ready, Set, and Go. Ready is when the organization prepares to really develop a program. It looks at its risk tolerance and its risk acceptance. It looks at the privacy risks there, and it uses Identify-P and Govern-P to get ready, to ensure that as it develops its Current Profile and Target Profile, it can start to identify those gaps. Set is when you develop an action plan that's designed to address those gaps between your Current Profile and your desired outcome or Target Profile. Then Go is when you implement that plan and put it into action to address those privacy risks and gaps between the two, so you move steadily toward your desired outcome.

Question 1 asks: the framework assists organizations in managing privacy risk by doing what? The appropriate answers are A, C, and D. Question 2 asks: what are the basic components of the Privacy Framework? The answers are B, C, and D. Question 3 asks: what are the components used to establish and to improve a privacy program? A, B, and C are the appropriate answers.

In summary, before I conclude my discussion of 4.1, I want to encourage you to take Cybrary's more in-depth and detailed Privacy Framework course; it's going to be worth it. We talked about how the framework is there to help organizations manage privacy risk. We talked about the basic components, the Core, Profiles, and Implementation Tiers, and we talked about the model for establishing and improving a privacy program: Ready, Set, Go.