In January 2020 the National Institute of Standards and Technology (NIST) released the Privacy Framework to the public. The framework was released with the goal of “helping your organization define privacy goals, identify privacy risks, and optimize the use of personal information while limiting privacy violations.” However, this framework by NIST isn’t a new law or standard we all must follow. Rather, it is a free tool that organizations may choose to adopt, akin to NIST’s previously released Cybersecurity Framework.
As in our earlier article on the MITRE ATT&CK® framework, we will define and outline the basics of the framework. This will give you a good jumping-off point. While covering the entirety of the framework is near impossible in one post, this article should serve as a “Privacy Framework 101” for those new to it. If you’d like to read the entire framework, it can be found here.
Advancements in the Internet and associated information technologies have driven unprecedented innovation across the globe. However, the innovation and excitement that came with these developments also brought a heightened threat to our privacy. This threat affects individuals and companies alike. The truth is that people’s data is more accessible to adversaries than ever before, and this is what drove NIST to develop the Privacy Framework for widespread use.
As stated previously, the NIST Privacy Framework is a tool for organizations to use. It aims to “improve privacy through enterprise risk management.” Simply put, Enterprise Risk Management is defined as “the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of those objectives.”
As stated in the official NIST Privacy Framework, the framework supports organizations in:
Like the Cybersecurity Framework, the Privacy Framework is composed of three core parts: Core, Profiles, and Implementation Tiers. Each of these components “reinforce how organizations manage privacy risk through the connection between business or mission drivers, organizational roles and responsibilities, and privacy protection activities.” Explanations of the three parts can be found below:
The Core is the set of privacy protection activities and outcomes that allows prioritized privacy protection activities and outcomes to be communicated across the organization, from the executive level to the operations level. The Core comprises five Functions that organize foundational privacy activities at their highest level. Each of these five Functions helps an organization express how it currently manages privacy risk. Each of the five Functions is detailed below:
Overall, the Core provides a granular set of activities and outcomes that enable a dialogue about the overall management of privacy risk by the organization and its employees.
An organization’s Profile represents its current privacy activities and the desired outcomes of those activities. To develop a Profile, an organization reviews all of the activities and outcomes in the Core to determine which are the most crucial to focus on, based on business and mission drivers, data processing ecosystem roles, types of data processing, and the privacy needs of individuals. An organization can then create or add Functions, Categories, and Subcategories to these Core activities and outcomes as needed.
The Profile is used to identify opportunities for improving the current security posture by comparing the “current” Profile to the organization’s “target” Profile. Overall, Profiles are used both to conduct self-assessments and to communicate within an organization about how privacy risks are currently being managed.
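As an added illustration (not NIST’s tooling and not code from this post), the current-versus-target comparison can be kept as a small script: each Core outcome carries a current state, a target state, and a business-driven priority, and the gap report says what to work on first. The Function names are the Framework’s five Core Functions; the subcategory wording, the maturity scale, and the sample Profile are constructed for this example.

```python
"""Current-vs-Target Profile gap analysis. Added example; not NIST's tooling."""
from dataclasses import dataclass

# Constructed maturity scale for a single Core outcome, lowest to highest.
# Not the Framework's Implementation Tiers, which describe the organization as a whole.
STATES = ["not_started", "partial", "implemented", "measured"]

@dataclass(frozen=True)
class Outcome:
    function: str      # one of the five Core Functions (real NIST names used below)
    subcategory: str   # constructed label, not the Framework's own Subcategory text
    current: str       # state in the Current Profile
    target: str        # state in the Target Profile
    priority: int      # 1 = highest, set from business/mission drivers

def gap(o: Outcome) -> int:
    """Maturity steps between Current and Target; 0 or negative means no gap."""
    for s in (o.current, o.target):
        if s not in STATES:
            raise ValueError(f"unknown state {s!r} for {o.subcategory}")
    return STATES.index(o.target) - STATES.index(o.current)

def gap_report(profile):
    """Outcomes whose Current state lags Target, highest priority then largest gap first."""
    lagging = [o for o in profile if gap(o) > 0]
    return sorted(lagging, key=lambda o: (o.priority, -gap(o)))

def gap_by_function(profile):
    """Remaining maturity steps per Core Function, for resource-allocation discussions."""
    totals = {}
    for o in profile:
        totals[o.function] = totals.get(o.function, 0) + max(gap(o), 0)
    return totals

# Constructed sample Profile, not taken from any real organization.
SAMPLE_PROFILE = [
    Outcome("Identify-P", "Inventory of systems that process personal data", "partial", "implemented", 1),
    Outcome("Identify-P", "Data actions mapped to the individuals they affect", "not_started", "implemented", 2),
    Outcome("Govern-P", "Privacy values and policies documented", "implemented", "implemented", 1),
    Outcome("Control-P", "Data minimisation applied at retention and disposal", "not_started", "measured", 1),
    Outcome("Communicate-P", "Privacy notices reviewed when data processing changes", "partial", "implemented", 3),
    Outcome("Protect-P", "Access to personal data limited to least privilege", "partial", "measured", 2),
]

if __name__ == "__main__":
    for o in gap_report(SAMPLE_PROFILE):
        print(f"P{o.priority} gap={gap(o)} {o.function}: {o.subcategory}")
    print(gap_by_function(SAMPLE_PROFILE))
```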
The Tiers serve as a point of reference for how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. The Tiers represent a progression from informal, reactive responses to agile, risk-informed ones. Tiers support decision making about how to efficiently manage privacy risks, and allow organizations to communicate internally about the allocation of resources necessary to progress to the next Tier. The four Tiers are listed below:
When using Tiers, an organization should consider its Target Profile(s) and how achieving them may be hampered by its current risk management practices, the degree to which privacy risk is integrated into enterprise risk management, its data processing ecosystem, and its workforce composition and training program.
When NIST created the Cybersecurity Framework it made efforts to keep the process open and collaborative. NIST took the same approach with the Privacy Framework. However, there are key differences between the two frameworks, as seen below:
Since 2014 the Cybersecurity Framework has helped users communicate and manage cybersecurity risk. However, that framework alone wasn’t enough to account for all privacy issues, because many privacy issues don’t relate directly to cybersecurity. This is what produced the Venn diagram-type framework model you see above.
In contrast to cybersecurity-specific risks, NIST treats privacy-specific events as potential problems arising from the operations a system, product, or service performs on data. These data operations are referred to individually as a data action and collectively as data processing. Problems stemming from data processing risks vary widely, ranging from dignity-type effects like stigma and embarrassment to more tangible harm like discrimination, economic loss, or physical harm.
Key definitions to know:
Data action: A data lifecycle operation, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.
Data processing: The collective set of data actions.
Also included in NIST’s Privacy Framework is a privacy risk assessment process. This risk assessment is a cross-organizational set of processes that helps organizations understand how their different systems, products, and services may cause problems for the individuals using them, and it helps organizations develop effective solutions to manage these risks. Put simply, the privacy risk assessment is a sub-process for identifying and evaluating individual privacy risks.
Different organizations will want to prioritize and respond to their risks in different ways. This depends on the potential impact on individuals and the resulting impact on the organization. Risk assessments are carried out to establish objectives and an overall call to action based on the organization’s current capacity and mindset. The different ways organizations prioritize risks are as follows:
Overall, risk assessments are incredibly important to the Privacy Framework and to your organization as a whole. These assessments provide methods for safeguarding your data and allow organizations to remove tension over priorities from the workplace. A risk assessment lets your organization clearly label, and thus prioritize, its assets. Additionally, risk assessments help distinguish between privacy risk and compliance risk: being able to identify when data processing may cause problems for an individual, even if the processing is compliant with organizational security requirements, can help guide ethical decision-making for your organization.
Overall, the Privacy Framework provides many useful tools and guiding points for organizations and their data. With the growing number of data-based attack vectors, maintaining privacy has never been more important than it is today. This is why NIST developed the Privacy Framework, and why your organization should consider using it in your workplace.
If you’d like to read the entirety of the Privacy Framework you may do so here. We simply cannot cover all of the content included in the framework in one post, so we strongly recommend giving it a read. Additionally, NIST recorded an informational webinar titled “Ready, Set, Adopt” explaining all parts of the framework, which can be viewed here.