What The NIST Privacy Framework Draft Means For Privacy and Cybersecurity

On Wednesday, May 1, the National Institute of Standards and Technology (NIST) released the latest draft version of the much anticipated NIST Privacy Framework. Following the same model as the NIST Cybersecurity Framework (CSF), NIST has been actively workshopping the lessons learned and the framework itself with specialists in both the public and private sectors, and the public draft is a hallmark of the collaborative, crowdsourced approach that NIST takes to developing its frameworks.

Data privacy has emerged as a top concern for consumers everywhere, brought to light by the European General Data Protection Regulation (GDPR) and transplanted to the United States in the form of the California Consumer Privacy Act (CCPA) and similar state-specific data privacy and protection requirements. The NIST Privacy Framework has been anticipated to play a role similar to the CSF: a voluntary gold standard that public and private information systems, including federal agencies, can adopt in varying degrees of implementation. Further, the value proposition of a gold-standard privacy framework, as the CSF is for information security, is that it gives regulatory bodies a common foundation on which to build their requirements.

Similarities Between The CSF and Privacy Framework

In my webinar examining the interplay between NIST's three main frameworks (the CSF, the NIST Risk Management Framework (RMF), and the Privacy Framework), I discussed how important it would be for the new Privacy Framework to connect to the CSF. As we've explored before here, data privacy and data security are inextricably connected: while security can exist without regard for privacy, data privacy cannot exist without regard for security. As Naomi Lefkovitz, privacy engineering program head at NIST, discussed at the NIST Cyber Risk Management Conference in November, NIST looks at security and privacy as a Venn diagram, and that idea is embodied in the working draft. I was heartened to see that the Privacy Framework does in fact interplay with the CSF quite well.

The CSF relies on five core functions (Identify, Detect, Protect, Respond, and Recover) as the foundation of the framework. The Privacy Framework takes a similar approach, also using five functions. Two of the privacy functions, Control and Inform, are net new but related, and three are taken directly from the CSF:

Alongside these key indicators, the working draft explicitly says that the CSF can be leveraged to support the new Privacy Framework. From working as a consultant and building the CyberStrong platform, I can see specifically that the CSF can ingest the two new functions, Control and Inform.

The Rise of Privacy Risk Assessments?

A very interesting point I found in the working draft was the reference to a privacy risk assessment; in fact, it was a hallmark of the working draft. The idea is to understand the potential conflicts around privacy through a risk assessment. Examining Naomi's Venn diagram analogy further, a privacy risk assessment seems to be about striking a balance between protecting personally identifiable information (PII) and using it. When conducting risk assessments, both for managing cybersecurity risk and for managing privacy risk, it becomes all the more important to ensure harmony between the cybersecurity and privacy frameworks so that the assessment results remain usable across your organization over time.

Key Points For the Privacy Framework Moving Forward

For me, the issue of creating and strengthening a privacy framework is key, but going forward the real issue will be harmonizing multiple standards and activities, and getting the whole organization on board with that. The greatest challenge that our users (and the industry as a whole) are facing is the patchwork of regulations covering both security and privacy. From a foundational perspective, the outcome-based approach of the NIST CSF has been the primary reason so many regulations have been built on top of the framework. In the case of the Privacy Framework, it is almost a race against the clock: the industry needs a similar foundational framework that practitioners can adopt for privacy.

Going even further, I'm very excited about the system developments we're working on within the CyberStrong platform for advanced crosswalking that goes beyond the UCF for both privacy and cybersecurity frameworks. As more and more regulations emerge, the ability to adopt a standard like the CSF or SP 800-53 and then benchmark against industry-specific requirements like HIPAA or PCI will become all the more important. Similarly, the NIST Privacy Framework can be that same foundation for privacy, security, and risk management. Using CyberStrong will allow you to project into more specific frameworks like GDPR and CCPA. In all, I applaud the exciting work that NIST put into the draft and am excited to see the Privacy Framework evolve.
