Understanding the NIST Privacy Framework: Insights from an Auditor


What is NIST, and why is it important? The National Institute of Standards and Technology (NIST) is a government agency whose mission is “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST was established in 1901 and over time has become a leader in developing best practice technology and security standards. Initially, technology and security standards were developed to be a baseline for Federal agency compliance through NIST Special Publication (SP) 800-53. Over time, additional standards have been released by NIST (more on this below) that are also widely adopted by commercial entities of all sizes.

What Is the NIST Privacy Framework?

In January of 2020, NIST released the NIST Privacy Framework. According to NIST, “The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.” The release of the Privacy Framework followed their Cybersecurity Framework, which has seen heavy adoption across Federal agencies and commercial entities. With the ever-increasing focus on the risks associated with data processing and the privacy rights of data subjects, the NIST Privacy Framework is a timely, relevant, and efficient way for organizations to address such risks.


What Are the Different NIST Frameworks?

According to NIST, one of the primary objectives in its mission is to develop “standards to be used throughout society for the betterment of the public and improved quality of life.” The standards range from the mitigation of fire-related issues to standards for securing technology. NIST’s goal is to be the standard – to set the bar for how things should function, across a multitude of processes for use by government agencies and commercial entities alike.

A comprehensive list of NIST’s frameworks by topic area can be found on the NIST website. The list below includes those most relevant to technology and security:

How Do I Create a Privacy Framework?

As companies grapple with the decision to process or store personally identifiable information (PII) while balancing the rights of data subjects, the importance of implementing a privacy framework is clear. A privacy framework is the most comprehensive way to understand privacy obligations associated with processing PII. With the right framework, a structure can be implemented effectively and comprehensively to address regulatory compliance requirements, such as the General Data Protection Regulation (GDPR). You can learn more about GDPR requirements here:

A privacy framework can help an organization conduct a risk assessment specific to its privacy objectives. A privacy-focused risk assessment should help an organization understand the type of data processed and stored within its environment, how and where that data flows, and how users interact with the system, so that the risk of an adverse privacy event is understood.

Fundamentally, a framework is built through developing an understanding of a company’s strategy and objectives, services and products, technologies, people, and customers/end users. Specific to privacy, a framework can be developed by understanding the relationship between privacy risk and organizational risk. Using the NIST Privacy Framework, this analysis looks like the following diagram:

 

Relationship Between Privacy Risk and Organizational Risk per the NIST Privacy Framework

Image Source – NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0

Understanding this relationship enables an organization to better identify the potential privacy-related adverse events (i.e., risk) that may be inherent in the data processing performed by the organization. These may include risks such as PII being disclosed to an unauthorized recipient through improper data processing, or PII being processed without the data subject ever having given consent.

From there, organization-specific objectives and controls are applied to manage the identified risk to an acceptable level. Organizations often perform risk assessments and implement frameworks using their own standards and methodologies, and this may be sufficient. However, many organizations will find that they can benefit from using an established set of norms through an industry-accepted framework, such as the NIST Privacy Framework. An established framework provides the baseline of standards that can then be adopted by an organization through controls in a manner that applies to their unique environment.

What Are the Components of the NIST Privacy Framework?

The NIST Privacy Framework is structured in a way that will be familiar from other technology- and security-focused NIST standards. It is written with a common language that can be adapted to any organization’s role in the data processing ecosystem, enabling the alignment of policy, business, and technological approaches to managing privacy-related risk. Below is an outline of the key components that comprise the NIST Privacy Framework:

 

Privacy Framework Core Structure per the NIST Privacy Framework

Image Source – NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0

Core

The Core of the NIST Privacy Framework consists of defined activities and outcomes specific to managing privacy risk. The elements of the Core that work together to facilitate this dialogue are Functions, Categories, and Subcategories.

Functions

The Functions of the NIST Privacy Framework exist to aid an organization in identifying, understanding, and managing its data processing in order to better identify the related privacy risk and make decisions on how best to manage that risk. Functions organize the foundational privacy-related activities at the highest level. As you can see, the five Functions are Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. For the full definition of each Function, refer to the NIST guide.

Note: Those familiar with the NIST Cybersecurity Framework will likely observe that two of the Functions within the Privacy Framework are also found in the Cybersecurity Framework: Identify and Protect. This is why the “-P” indicator is used to distinguish between the two frameworks.

Categories

As defined within the framework, Categories are the “subdivisions of a Function into groups of privacy outcomes closely tied to programmatic needs and particular activities”. An example of a Category from each Function in the framework is illustrated below:

  • Inventory and Mapping (Identify-P)
  • Awareness and Training (Govern-P)
  • Data Processing Policies, Processes, and Procedures (Control-P)
  • Data Processing Awareness (Communicate-P)
  • Data Security (Protect-P)

Subcategories

Subcategories further break down Categories into desired outcomes of both technical and management activities. The goal of Subcategories is to support the achievement of the outcomes defined within each Category. Building on the illustration above, example Subcategories for each Category noted above include:

  • ID.IM-P1: Systems/products/services that process data are inventoried (Inventory and Mapping).
  • GV.PO-P5: Legal, regulatory, and contractual requirements regarding privacy are understood and managed (Awareness and Training).
  • CT.PO-P3: Policies, processes, and procedures for enabling individuals’ data processing preferences and requests are established and in place (Data Processing Policies, Processes, and Procedures).
  • CM.PO-P2: Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established (Data Processing Awareness).
  • PR.PO-P10: A vulnerability management plan is developed and implemented (Data Security).

Up until this point, we have focused strictly on the text within the NIST Privacy Framework, written as Functions, Categories, and Subcategories. Now let’s tailor the framework to an organization using unique control statements written in alignment with the Subcategories in a manner that manages the Company’s identified risks. Example controls that align with the Subcategories illustrated above may include:

  • Inventory and Mapping: The organization maintains an inventory of all assets that support data processing activities.
  • Awareness and Training: The organization requires all employees and contractors to complete annual privacy awareness training and the completion status is tracked by the Privacy Officer.
  • Data Processing Policies, Processes, and Procedures: A Data Processing Policy has been implemented to govern the rights of data subjects and is reviewed annually by the Privacy Officer.
  • Data Processing Awareness: The Privacy Officer is accountable for managing risk relative to the Company’s data processing activities and engages each functional group within the Company quarterly to ensure privacy obligations are understood and maintained.
  • Data Security: Continuous vulnerability scans are performed across the data processing environment. The results of scans are reviewed by the Security team monthly and remediation is performed commensurate with the risk of each identified vulnerability.

As you can see, the framework first helps to identify your organization’s privacy risk in the form of Categories and Subcategories. Unique controls are the link between the framework standards and the implementation of the framework within your organization.

 

Relationship Between Core and Profiles per the NIST Privacy Framework

Image Source – NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0

Profiles

The concept of Profiles within the NIST Privacy Framework enables an organization to select specific Functions, Categories, and Subcategories from the Core in order to manage privacy risk. This allows the organization to identify the current state (Profile 1) versus the target state (Profile 2) for a particular set of privacy activities. This can be particularly useful when conducting a gap analysis between an organization’s current state and an end state objective that includes compliance with a specific regulation. The results of the gap assessment allow Privacy and Risk practitioners to communicate the resulting compliance risk to management stakeholders and set expectations on how compliant (or non-compliant) the Company is in its current state.

 

Implementation Tiers (1-4) for the NIST Privacy Framework

Implementation Tiers

Within the NIST Privacy Framework, there are four distinct Tiers defined so that management can evaluate their current risk posture and the maturity of the organization’s processes and controls relative to privacy. The tiers are defined as follows:

  • Tier 1: Partial
  • Tier 2: Risk-Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

Being able to quantify the organization’s current posture may help management better understand what it will take to get to the desired state. This in turn helps Privacy and Risk practitioners secure the resources and prioritization that privacy-related projects need to meet the organization’s regulatory compliance requirements.


NIST Privacy Framework Mapping: How Does it Align to Other Privacy Standards?

As with the NIST Cybersecurity Framework, the NIST Privacy Framework was not developed with the intent of certification. The NIST Privacy Framework is agnostic to any one regulation or law, instead aiming to provide guidance to organizations in the form of generally accepted standards. This allows an organization to tailor the framework to its unique business, technologies, and regulatory requirements.

To support this, crosswalks between the NIST Privacy Framework and the leading privacy regulations are readily available. If your organization is required to comply with the following:

– you’re in luck, as a crosswalk between the NIST privacy standards and each of these regulations is available in the online Resource Repository. Through the NIST Privacy Framework, your organization can approach its regulatory compliance requirements with a risk-based approach, applying the categories and subcategories from the framework in a way that is relevant to your business, products, services, and technologies in the form of unique controls.

Further, mappings are available between the NIST Privacy Framework and the following standards/frameworks:

Final Thoughts on the NIST Privacy Framework

If your organization is subject to privacy laws but lacks the structure necessary for compliance, it may be worth considering how the NIST Privacy Framework can help. Instead of starting from scratch, use the framework to establish a baseline of standards you can build on. If you would like to learn more about NIST, check out some of our other related articles:

At Linford & Company, we understand how frameworks can be used to achieve varying compliance requirements, so don’t hesitate to contact us for more information.