
NIST Privacy Framework a Flexible Tool for Managing Privacy Risks

March 04, 2020

The new NIST Privacy Framework should be popular due to the simplicity of integration into existing security and risk management frameworks.

Privacy isn’t a new concept, but organizations of all sizes continue to struggle with it as the digital age generates new data-driven products and services at a dizzying pace.

In November 2019 I addressed some of the struggles that even organizations with mature data protection capabilities are facing as a result of new data regulation requirements – issues like subject access requests, the right to erasure and data portability, for instance. In an effort to help organizations address these challenges, enable better privacy practices and provide a common language to communicate privacy requirements, the National Institute of Standards and Technology (NIST) has published the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (NIST PF). This document leaves no doubt that the focus on consumer privacy will continue to sharpen.

The good news is that the NIST PF doesn’t establish a lot of new expectations. In a very real sense, it simply formalizes what we, as security risk and privacy professionals, already know should be done.

The Privacy Framework is deliberately organized similarly to the NIST Cyber Security Framework (CSF) to facilitate the parallel use of both tools. The PF is composed of three parts: Core, Profiles and Implementation Tiers.

  • Core contains the control objectives for privacy protection activities and desired outcomes
  • Profiles enable an organization to identify and prioritize the activities key to their specific requirements
  • Implementation Tiers help organizations evaluate the program’s maturity and privacy risk management capability

The framework’s Core consists of five functions:

IDENTIFY-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing.

GOVERN-P (GV-P): Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.

CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.

COMMUNICATE-P (CM-P): Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.

PROTECT-P (PR-P): Develop and implement appropriate data processing safeguards.

The integration with the NIST CSF is highlighted in the Core by a key that labels categories and subcategories that are identical to the CSF (or that align with the CSF but whose descriptions have been adapted). This approach reinforces the idea that an effective privacy program requires integration with our information security and risk management programs. Of the 100 subcategory items in the Privacy Framework, 53 are carried over from the NIST CSF, meaning the Privacy Framework suggests 47 new activities (predominantly in the Control-P and Communicate-P functions).

Here is a summary of the categories and subcategories that are pulled from the CSF into the Privacy Framework:

Of the 18 categories:

  • One (Risk Management Strategy) is imported directly from the CSF
  • 10 are imported from the CSF but the descriptions have been adapted for the Privacy Framework
    • Identify Function (3)
    • Governance Function (2)
    • Protect Function (5)

Of the 100 subcategories:

  • 27 subcategories are pulled directly into the NIST PF from the CSF
    • 22 of those are in the Protect Function
  • 26 subcategories are from the CSF but the descriptions have been adapted
    • Identify Function (7)
    • Governance Function (9)
    • Protect Function (8)

The 47 subcategories that do not have a direct link to the CSF focus on capabilities such as inventorying processing activities, privacy by design, privacy impact assessments and handling subject access requests, activities that security and privacy professionals will be familiar with. In their simplest form we could summarize these as:

  • Maintain an inventory of processing activities and data flows
  • Maintain procedures to respond to requests for information
  • Maintain procedures to respond to requests to correct/modify information
  • Maintain procedures to respond to requests to be forgotten or for erasure of data
  • Maintain procedures to respond to requests to opt-out of, restrict or object to processing
  • Maintain policies and procedures for obtaining valid consent
  • Integrate Privacy by Design into system and product development
  • Conduct Privacy Impact Assessments for new programs, systems and processes

Given the explosion of privacy-related legislation both in the US and globally (CCPA and Nevada SB220 recently, as well as GDPR, PIPEDA, Brazil’s GDPL and several other state-level laws currently being considered in the United States), the NIST PF should be added to the toolbox of all privacy and risk management stakeholders. In doing so, they will be positioned with a framework that, if used correctly, will demonstrate reasonable efforts to protect consumer information.

It’s also important to note that the FTC provided public comments to the preliminary draft of the Privacy Framework. This is an important consideration given the commission’s focus on consumer protections in the United States as well as past statements it has made indicating the CSF approach to integrating cybersecurity into overall risk management is consistent with its approach to enforcement.

I expect the NIST Privacy Framework will become as popular as the CSF because of the simplicity of integration into existing security and risk management frameworks. By complementing and extending these frameworks that organizations already employ, we help ourselves build scalable, flexible programs that can adapt to evolving requirements (such as emerging privacy regulations) with minimal effort.

By: John Clark

Executive Director, Office of the CISO
