In September 2018, the National Institute of Standards and Technology (NIST) announced its plan to develop a data privacy framework using the same process that produced its widely adopted Cybersecurity Framework (CSF). Since then, NIST has hosted multiple workshops and webinars soliciting feedback from both the public and private sectors, as it did for the CSF. While the discussion draft has been in development, we have kept an ear to the ground for what to expect.
Why a separate framework
For most people, including many in the security industry, privacy and security are seen as the same thing. It is an understandable view: secure information systems store data, and that data stays in the hands of the organization the end user gave it to. Close, but not quite. Bob Seigel gives a fitting simile for the relationship between security and privacy:
Just as the drapes on a window may be considered a security safeguard that also protects privacy, an information security program provides the controls to protect personal information. Security controls limit access to personal information and protect against its unauthorized use and acquisition. It is impossible to implement a successful privacy program without the support of a security program.

Just as the bars on a window help prevent intruders from entering your home while allowing people to look inside, a security program can implement controls without regard for privacy. For example, a security program could require credentials to access a network without restricting access to personal information. You would have security but no privacy, as anyone with valid credentials can see all of the personal information your organization possesses.
At the NIST Cyber Risk Management Conference, Naomi Lefkovitz, head of the privacy engineering program at NIST, described their approach: "We look at it as a Venn diagram."
As Bob's example shows, a cybersecurity program can be effective without regard for users' privacy, but a privacy program cannot function without a security program underneath it. A system that authenticates every user but lets any authenticated user read every record is secure in the narrow sense and offers no privacy at all. Here the case for a standalone privacy framework starts to take shape.
“A foundation, not a prescription”
As with the CSF, the new privacy framework is intended to be voluntary in order to foster widespread adoption. NIST's approach of publishing voluntary frameworks lets adopters integrate these practices into their programs in the way that is most efficient for them, rather than through the pre-canned, checkbox compliance approach we see with other security standards.
One of the notable aspects of the CSF was its omission of granular controls. We anticipate the privacy framework will be similar, because privacy today is largely nebulous in its definition of terms and organizations differ widely in how far they take it. From what we have seen and heard, the privacy framework will resemble its security counterpart in being outcomes-based rather than forcing organizations into fixed definitions of terms. An outcomes-based approach lets adopters use their own standard risk management activities (risk assessments among them) to determine the controls that achieve their desired level of security and privacy.
Taking Lefkovitz's Venn diagram image further, think of privacy as a square and security as a rectangle: every square is a rectangle, but a rectangle is not always a square. In other words, a security program can exist without regard for privacy, but a privacy program cannot exist without regard for security. From what we have seen to date, the NIST Privacy Framework will deliver the most value when coupled with the CSF and the NIST Risk Management Framework (RMF). With the RMF as a foundation under the CSF, combining the CSF and the Privacy Framework helps keep privacy and security together. We already see the CSF and RMF working together in platforms like CyberStrong, which benchmark against the CSF and integrate RMF risk assessments into control assessments. Using these frameworks in combination substantially increases the value each brings to the organizations that adopt them.
To learn more about this trio of NIST frameworks, watch CyberSaint's Chief Product Officer, Padraic O'Reilly, dive deep into the CSF, the RMF and the new Privacy Framework.