After defining the NIST Privacy Framework in another piece, we now turn our focus to specific use cases. In this piece we outline three common ways organizations across industries can use the NIST Privacy Framework, along with some additional ways in which security teams can leverage it.
Organizations across all industries can leverage the NIST Privacy Framework in the following ways:
It is important to remember that the Privacy Framework is a set of voluntary tools. They are not legal requirements, although they support legal requirements. The NIST Privacy Framework can be used to build a privacy program from scratch, for the smallest of organizations to the largest, in any sector and in any location.
The NIST Privacy Framework provides the building blocks to support this effort using terminology that is not specific to particular laws, regulations or sectors, which means any organization can use the framework without adopting terminology that implies concepts applicable only in certain industries.
Many organizations have already established a privacy program. However, they may still struggle to address all their applicable privacy requirements and may lack insight into all their privacy risks. The NIST Privacy Framework can be used to compare the components of these organizations’ privacy management programs with the components of the Privacy Framework to identify where gaps exist and where improvements can be made.
Even though the Privacy Framework does not name specific laws or regulations, it is still a useful tool for determining the kinds of policies, procedures, training, actions and other capabilities an organization needs to meet a specific legal obligation or the requirements of several laws and regulations at once. Organizations can use individual Subcategories or, depending on their legal requirements, combine several Subcategories together.
For example, multiple regulations require organizations to respond to individuals’ requests for access to their associated data. Using the Privacy Framework, an organization may decide to start addressing those requirements with the following Subcategories (shown as labeled within the Privacy Framework):
CT.PO-P2 (in the Control Function): Policies, processes and procedures for enabling data review, transfer, sharing or disclosure, alteration and deletion are established and in place (e.g., to maintain data quality, manage data retention).
CT.DM-P1 (in the Control Function): Data elements can be accessed for review.
PR.AC-P1 (in the Protect Function): Identities and credentials are issued, managed, verified, revoked and audited for authorized individuals, processes and devices.
These can serve as a starting point for creating the associated data access policies, as well as the technical capabilities for data review and the identity management needed to verify the identity of the individual making the request.
For further examples of how the Privacy Framework can support legal compliance, see the NIST Hypothetical Use Cases. They demonstrate how Subcategories can be combined to manage privacy risk or address legal obligations.
We’ve detailed just a few of the many ways in which organizations can use the NIST Privacy Framework to support privacy program management. Some examples of additional ways might include, but are not limited to:
As with any guidance, the new framework will need to be updated over time to reflect changes in laws, society, technology, business practices and other considerations. However, this first version already provides a wide array of tools that organizations can use now as they create or update their privacy management program.
October 19, 2021
By IANS Faculty