NIST Privacy Framework Takes Shape


The National Institute of Standards and Technology (NIST) already has a well-respected cybersecurity framework. The organization is adding a privacy framework to its tool set. Announced last September, the NIST privacy framework project is set for completion this October. How is it faring at the halfway point? 

Speaking at RSA Conference last week, Naomi Lefkovitz, the Institute's senior privacy policy advisor, and Kevin Stine, chief of its Applied Cybersecurity Division, provided an update, complete with slides.

NIST's work was informed by a consultation process around the privacy framework. The results, published last month, gave the Institute some useful direction. The respondents, most of whom came from the IT sector, wanted the framework to help them comply with legal responsibilities including Europe's GDPR along with sector-specific US privacy laws.

Respondents didn't want a one-size-fits-all approach or a checklist. They wanted an outcome-based, technology-agnostic and non-prescriptive document that will tie into broader risk-management practices.

NIST is indeed positioning privacy as part of a broader risk management challenge that also encompasses security. One thing that came through clearly, both in the RSA talk and in a working framework outline also published last month, was that protecting privacy isn't just about securing personally identifiable information against hackers. It's also about managing the processing of that data as part of a business's broader activity: a system can be well secured and still create privacy risk simply through how it collects, uses, shares or retains the data.

Approaching privacy from this perspective makes it important to look at both privacy and security across the entire information life cycle, from the moment the data is created until it is disposed of.

The framework will follow the structure of the Institute's existing cybersecurity framework, which has three components: a core, profiles, and tiers. 

There are five functions within the core: identify, protect, control, inform, and respond. The Institute is folding in other elements that industry asked for, including the information life cycle, privacy principles, and the NIST privacy engineering objectives.

The profile is an organization's chance to tailor what's in the core to its own objectives. NIST says in its outline: “When developing a Profile, an organization may select or tailor the functions, categories, and subcategories of the Privacy Framework to its specific organizational needs."

Finally, the implementation tiers (partial, risk informed, repeatable, and adaptive) are not supposed to be maturity levels. Instead, they support decisions about how to manage privacy risk by describing how an organization's privacy activities relate to the risks it faces. When privacy risks become more complex, organizations should consider moving to higher tiers, the outline says.

NIST will be putting more meat on the bones in the next few months via a series of workshops and document releases. Ultimately, though, the framework's success will come down to business adoption. This is a voluntary initiative, much like the cybersecurity framework, and it is up to organizations to invest in the underlying practices to support it, or to regulators to mandate it. Hopefully, making it non-prescriptive and malleable to organizational needs will help to increase its adoption.

The topic of Governance, Risk and Compliance will be covered throughout the free-to-attend Infosecurity Europe conference in London from 4-6 June.
