
In September 2018, the National Institute of Standards and Technology (NIST) announced its plan to develop a framework for managing privacy risk, using the same open process that produced its widely adopted Cybersecurity Framework (CSF) for managing data and cybersecurity risk.

Since the preliminary draft of the NIST Privacy Framework was released, NIST has hosted multiple workshops and webinars soliciting comments on the preliminary draft from both the private and public sectors in the same fashion as the NIST Cybersecurity Framework. During this development phase, we’ve kept an ear to the ground for what to expect.

Why A Separate Framework 

For most people, even members of the security industry, privacy and security are seen as the same thing. The confusion is understandable: a secure organization identifies and protects the data it stores, and that information stays in the hands of the organization the end user gave it to. Close, but not quite. Bob Siegel offers a fitting analogy for the relationship between security and privacy:

Just as the drapes on a window may be considered a security safeguard that also protects privacy, an information security program provides the controls to protect personal information. Security controls limit access to personal information and protect against its unauthorized use and acquisition. It is impossible to implement a successful privacy program without the support of a security program.

Just as the bars on a window help prevent intruders from entering into your home while allowing people to look inside, a security program can implement controls without regard for privacy. For example, a security program could require credentials to access a network without restricting access to personal information. You would have security but no privacy, as anyone with valid credentials can see all of the personal information your organization possesses.

With the rise of the data processing and attention economies, businesses now rely heavily on collecting and sharing sensitive information about their customers and prospects to deliver the tailored experiences consumers have come to expect. Whether that data is encrypted, transmitted securely, and handled with the customer's knowledge is often unknown even to the organization itself. Adopting the NIST Privacy Framework can help orient your cybersecurity program toward protecting those individuals, not just the data. At the NIST Cyber Risk Management Conference, Naomi Lefkovitz, head of the privacy engineering program at NIST, described their approach: "We look at it as a Venn diagram."

As Bob's analogy shows, a cybersecurity program can be secure without respect to users' privacy, but not typically vice versa. Here the case for a standalone framework starts to take shape: the protection activities used to secure data can be carried out without regard for user privacy, but privacy cannot exist without some level of data protection and security.

“A foundation, not a prescription.” 

As with the CSF, the new privacy framework is intended to be a voluntary tool. NIST's approach of publishing voluntary frameworks has let adopters integrate these best practices into their programs in whatever way is most efficient for them, rather than following a pre-canned compliance checklist, law or regulation.

One of the notable aspects of the CSF was the omission of granular controls from the framework itself. We anticipate that the privacy framework will be similar. Organizations today manage privacy risk in a way that is largely nebulous in its definition of terms and subjective in how far each organization takes privacy. From what we have seen and heard, the privacy framework will resemble its security counterpart in being outcomes-based rather than pigeon-holing organizations into definitions of terms. Given the consensus-driven approach NIST is taking, getting bogged down in definitions would also drastically slow development.

Better Together 

Taking Lefkovitz's Venn diagram further, think of privacy like a square and security like a rectangle: every square is a rectangle, but a rectangle isn't always a square. In the same way, a security program can exist without regard for privacy, but a privacy program cannot exist without a security program underneath it. From what we have seen to date, the NIST Privacy Framework will deliver the most value when coupled with the CSF and the NIST Risk Management Framework (RMF). We can already see how the CSF and RMF interact in platforms like CyberStrong, which benchmarks against the CSF and integrates RMF risk assessments into control assessments. Combining these frameworks substantially increases the value each brings to the organizations that adopt them.

To learn more about the "Golden Trio" of NIST frameworks, watch CyberSaint's Chief Product Officer, Padraic O'Reilly, dive deep into the CSF, RMF and version 1.0 of the Privacy Framework. If you have any questions about how CyberStrong presents regulations in common language, including NIST, the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), ISO, or any other data protection framework or regulation, give us a call at 1 800 NIST CSF or click here to learn more.
