After defining the NIST Privacy Framework in another piece, we now turn our focus to the specific use cases. In this piece we outline three common ways the NIST Privacy Framework can be used by organizations across industries along with some addition
ways in which security teams can leverage the NIST Privacy Framework.
Organizations across all industries can leverage the NIST Privacy Framework in the following ways:
It’s important to remember, the Privacy Framework is a set of tools, all voluntary (these are not legal requirements, although they support legal requirements), which can be used to build a privacy program from scratch. This
applies to the smallest of organizations to the largest, in any sector and in any location.
The NIST Privacy Framework provides the building blocks to support this effort using terminology that is not specific to certain laws and regulations or sectors, which means any organization can truly use the framework without having to use terminology
that seems to imply concepts only applicable in certain industries.
Many organizations have already established a privacy program. However, they may still struggle with addressing all their applicable privacy requirements and may be missing insights into all their privacy risks. The NIST Privacy Framework can be used
to compare the components of these organizations’ privacy management programs with the components of the Privacy Framework to identify where gaps may exist and where improvements may be made.
Even though the Privacy Framework does not name specific laws or regulations, it is still a great tool for organizations to use to determine the kinds of policies, procedures, training, actions, and other capabilities they need to meet a specific legal
obligation or to meet the requirements of different laws and regulations. Organizations can either use specific Subcategories, or depending on their legal requirements, they may need to combine several Subcategories together.
For example, multiple regulations require organizations to respond to individuals’ requests for access to their associated data. Using the Privacy Framework, an organization may decide to start addressing those requirements by using the following
Subcategories (shown as labeled within the Privacy Framework):
CT.PO-P2 (in the Control Function): Policies, processes and procedures for enabling data review, transfer, sharing or disclosure, alteration and deletion are established and in place (e.g., to maintain data quality, manage data retention).
CT.DM-P1 (in the Control Function): Data elements can be accessed for review.
PR.AC-P1 (in the Protect Function): Identities and credentials are issued, managed, verified, revoked and audited for authorized individuals, processes and devices.
These can serve as a starting point for creating the associated policies for data access, as well as the necessary technical capabilities for data review and identity management to support the necessary identity verification.
For further examples of how the Privacy Framework can support legal compliance, see the NIST Hypothetical Use Cases. They demonstrate how Subcategories can be combined to manage privacy risk or address legal obligations.
We’ve detailed just a few of the many ways in which organizations can use the NIST Privacy Framework to support privacy program management. Some examples of additional ways might include, but are not limited to:
As with any guidance, the new framework will need to be updated over time to reflect changes in laws, society, technology, business practices and other considerations. However, this first version provides a wide array of tools that will be beneficial
for organizations to use now as they create or update their privacy management program.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
June 10, 2021
By IANS Faculty
Identify the key features to look for in a SOAR solution and the top use cases for information security teams to consider.
June 8, 2021
Identify key steps security teams should take, and pain points to watch, when returning to the office working environment.
June 3, 2021
Explaining information security to the board of directors and aligning enterprise information security activities with board-level input can be challenging.