Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
After defining the NIST Privacy Framework in another piece, we now turn our focus to the specific use cases. In this piece we outline three common ways the NIST Privacy Framework can be used by organizations across industries along with some addition
ways in which security teams can leverage the NIST Privacy Framework.
Organizations across all industries can leverage the NIST Privacy Framework in the following ways:
It’s important to remember, the Privacy Framework is a set of voluntary tools, these are not legal requirements, although they support legal requirements. The NIST Privacy Framework can be used to build a privacy program from scratch, from the smallest of organizations to the largest, in any sector and in any location.
The NIST Privacy Framework provides the building blocks to support this effort using terminology that is not specific to certain laws and regulations or sectors, which means any organization can truly use the framework without having to use terminology
that seems to imply concepts only applicable in certain industries.
Many organizations have already established a privacy program. However, they may still struggle with addressing all their applicable privacy requirements and may be missing insights into all their privacy risks. The NIST Privacy Framework can be used
to compare the components of these organizations’ privacy management programs with the components of the Privacy Framework to identify where gaps may exist and where improvements may be made.
Even though the Privacy Framework does not name specific laws or regulations, it is still a great tool for organizations to use to determine the kinds of policies, procedures, training, actions, and other capabilities they need to meet a specific legal
obligation or to meet the requirements of different laws and regulations. Organizations can either use specific Subcategories, or depending on their legal requirements, they may need to combine several Subcategories together.
For example, multiple regulations require organizations to respond to individuals’ requests for access to their associated data. Using the Privacy Framework, an organization may decide to start addressing those requirements by using the following
Subcategories (shown as labeled within the Privacy Framework):
CT.PO-P2 (in the Control Function): Policies, processes and procedures for enabling data review, transfer, sharing or disclosure, alteration and deletion are established and in place (e.g., to maintain data quality, manage data retention).
CT.DM-P1 (in the Control Function): Data elements can be accessed for review.
PR.AC-P1 (in the Protect Function): Identities and credentials are issued, managed, verified, revoked and audited for authorized individuals, processes and devices.
These can serve as a starting point for creating the associated policies for data access, as well as the necessary technical capabilities for data review and identity management to support the necessary identity verification.
For further examples of how the Privacy Framework can support legal compliance, see the NIST Hypothetical Use Cases. They demonstrate how Subcategories can be combined to manage privacy risk or address legal obligations.
We’ve detailed just a few of the many ways in which organizations can use the NIST Privacy Framework to support privacy program management. Some examples of additional ways might include, but are not limited to:
As with any guidance, the new framework will need to be updated over time to reflect changes in laws, society, technology, business practices and other considerations. However, this first version provides a wide array of tools that will be beneficial
for organizations to use now as they create or update their privacy management program.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 29, 2024
By IANS Research
Access key data sets from the 2023 -2024 IANS and Artico Search’s Cybersecurity Staff Compensation Benchmark Report. Gain valuable insights on cybersecurity staff roles to hire and retain top security talent.
Access key data from IANS and Artico Search’s Compensation, Budget and Satisfaction for CISOs in Financial Services, 2023-2024 report. Find valuable insights around the Financial Services CISO role to help better understand your situation, improve job satisfaction and drive organizational change.
February 21, 2024
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.