The NIST Privacy Framework Version 1.0 consists of three primary parts: The Core, Profiles and Tiers. Because it generally does not use industry-, regulatory- or technology-specific terminology (meaning the terms used are not unique to an industry, standard
or law that only a specific audience would understand), any organization of any size and in any type of sector can use the NIST Privacy Framework to more effectively build or update their privacy management program.
The document is designed to help organizations meet NIST’s goals for privacy management, including:
The Privacy Framework was structured similarly to the NIST Cybersecurity Framework to make it easier for organizations to use them both. Just like the Cybersecurity Framework, the Privacy Framework has three parts: 1) the Core, 2) Profiles and 3) Tiers.
The Core is designed to enable a dialog – from the executive level to the implementation/operations level – about important privacy activities and desired outcomes. While the Core provides a wide range of activities and numerous privacy outcomes that organizations can identify as necessary to meet, it is not meant to be a comprehensive listing. Instead, it is meant to be a starting point from which more outcomes can be added over time.
Activities and outcomes are grouped within five Functions, described at a very high level as follows:
Identify-P: This Function (abbreviated as ID-P) includes descriptions of many of the actions that may be necessary to develop organizational understanding of how to manage privacy risk when handling information, including an understanding of individuals’ direct and indirect privacy interests.
Govern-P: This Function (abbreviated as GV-P) includes descriptions of many of the actions that may be necessary to develop and implement an organizational privacy governance program to stay aware of risks and determine how to mitigate them.
Control-P: This Function (abbreviated as CT-P) includes descriptions of many of the actions that may be necessary to enable organizations and individuals to handle data with enough granularity to effectively manage and control privacy risks throughout
the full data lifecycle.
Communicate-P: This Function (abbreviated as CM-P) includes descriptions of many of the actions that may be necessary to help organizations and individuals develop a consistent and accurate understanding of privacy risks, engage in communications about the ways in which data is processed that may involve privacy risks, and clearly describe the mitigating actions taken to reduce those risks.
Protect-P: This Function (abbreviated as PR-P) includes descriptions of many of the actions that may be necessary to effectively safeguard data and to prevent cybersecurity-related privacy events. This is the Function where privacy risk management and cybersecurity risk management overlap the most.
Each Function represents a different kind of foundational privacy activity, at the highest level. Of course, organizations will need to do very specific types of activities to support each Function. Therefore, each of these Functions is further broken
down into Categories, which cover the types of activities that are applicable for the Function. In turn, most of the Categories are then broken into Subcategories to provide a set of granular results that represent the desired types of privacy outcomes
for each Category.
However, all the descriptions provided here are very high-level. Organizations should read the full NIST Privacy Framework V1.0 to get more details and a better understanding of the goals and uses for each of the Core Functions, Categories and Subcategories.
Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks. Profiles comprise specifically chosen Functions, Categories and Subcategories. They will vary in scope,
and from one organization to the next, because of the inherent differences in their processing environments.
Profiles can be very useful in describing the current state of an organization’s privacy practices, as well as the desired target state of specific privacy activities. Organizations can create a Current Profile to represent the privacy outcomes
currently in place, and then a Target Profile can be used to indicate the results of organizational activities necessary to reach the organization’s privacy risk management goals.
Organizations can use the differences between the Current Profile and the Target Profile to determine the gaps in their processing environment that need to be addressed to meet privacy risk management goals. Actions to fill the gaps establish the privacy
risk management improvement plan and can also be used to budget for necessary resources and funding to meet those goals.
NIST established a page to post example hypothetical and real-life Profiles, but they are at a very early stage and as of this writing, no examples were posted. Organizations should check the page regularly to see new Profiles as they are added and better
understand the wide range of possible types of Profiles that can be used.
Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk. There are four Tiers:
Each tier has four elements: Privacy Risk Management Process, Integrated Privacy Risk Management Program, Data Processing Ecosystem Relationships, and Workforce. All can be assessed independently from one another. Full descriptions are found within Appendix
E of the Privacy Framework.
It is important to understand that Tiers are not maturity levels. Tiers are used to support organizational decision-making about how to manage privacy risk by considering the nature of the privacy risks created by an organization’s systems, products
and services, and the sufficiency of the processes and resources an organization has in place to manage such risks.
Organizations determine the Tiers they have as goals based on their Target Profiles, their current risk management practices, the extent to which privacy risk mitigation activities have been integrated within the enterprise risk management program, and their data processing ecosystem relationships (vendors, contracted entities, and other types of third parties).
Tiers can be used to communicate how resources need to be allocated to reach the target Tier, and to show what resources a higher Tier would require. This supports decision-making about moving up to the next Tier if management determines that is necessary to manage privacy risks and meet applicable data protection legal requirements more effectively.
NIST engaged with stakeholders from throughout the world to build the NIST Privacy Framework Version 1.0. It considers the Privacy Framework to be a living document and plans to continue updating it over time. It also plans to add more resources throughout
the coming months and encourages organizations to monitor its site for new information.
June 10, 2021
By IANS Faculty