The NIST Privacy Framework Version 1.0 consists of three primary parts: the Core, Profiles and Tiers. Because it generally avoids industry-, regulatory- or technology-specific terminology (the terms it uses are not unique to any industry, standard or law that only a specific audience would understand), any organization of any size and in any sector can use the NIST Privacy Framework to build or update its privacy management program more effectively.
The document is designed to help organizations meet NIST’s goals for privacy management, including:
The Privacy Framework was structured similarly to the NIST Cybersecurity Framework to make it easier for organizations to use them both. Just like the Cybersecurity Framework, the Privacy Framework has three parts: 1) the Core, 2) Profiles and 3) Tiers.
The Core is designed to enable a dialogue, from the executive level down to the implementation/operations level, about important privacy activities and desired outcomes. While the Core provides a wide range of activities and numerous privacy outcomes that organizations can identify as necessary for them to meet, it is not meant to be a comprehensive list. Instead, it is meant to be a starting point from which more outcomes can be added over time.
Activities and outcomes are grouped within five Functions, described at a very high level as follows:
Each Function represents a different kind of foundational privacy activity at the highest level. Organizations will, of course, need to perform very specific activities to support each Function. Each Function is therefore broken down into Categories, which cover the types of activities applicable to that Function. In turn, most Categories are broken into Subcategories, which provide a set of granular results representing the desired privacy outcomes for each Category.
However, all the descriptions provided here are very high-level. Organizations should read the full NIST Privacy Framework V1.0 to get more details and a better understanding of the goals and uses for each of the Core Functions, Categories and Subcategories.
Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks. Profiles comprise specifically chosen Functions, Categories and Subcategories. They will vary in scope,
and from one organization to the next, because of the inherent differences in their processing environments.
Profiles can be very useful in describing the current state of an organization’s privacy practices, as well as the desired target state of specific privacy activities. Organizations can create a Current Profile to represent the privacy outcomes
currently in place, and then a Target Profile can be used to indicate the results of organizational activities necessary to reach the organization’s privacy risk management goals.
Organizations can use the differences between the Current Profile and the Target Profile to identify the gaps in their processing environment that must be addressed to meet their privacy risk management goals. The actions needed to close those gaps form the privacy risk management improvement plan, and the plan can also be used to budget for the resources and funding required to meet those goals.
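The Current-versus-Target gap analysis described above is easy to turn into a small, repeatable script. The following is an added example written for this page, not code from the IANS post or from NIST. It assumes Subcategory IDs that follow the Privacy Framework Core's naming scheme (e.g. "ID.IM-P1"); the implementation statuses, priorities and owners are constructed sample data, not an assessment of any real organization.

```python
"""
Added example: Current-vs-Target Profile gap analysis for a NIST Privacy
Framework program. Not from the IANS post or from NIST.

Assumptions: Subcategory IDs follow the Privacy Framework Core naming
scheme (e.g. "ID.IM-P1"). All statuses, priorities and owners below are
constructed sample data.
"""
from dataclasses import dataclass

# Ordinal scale for how far a Subcategory outcome has been achieved.
STATUS_ORDER = {"not_started": 0, "partial": 1, "implemented": 2}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: str
    target: str
    priority: str
    owner: str


def find_gaps(current, target):
    """Return one Gap per Subcategory where the Current Profile falls short
    of the Target Profile.

    current: {subcategory_id: status}
    target:  {subcategory_id: {"status": ..., "priority": ..., "owner": ...}}

    Subcategories absent from the Target Profile are out of scope and are
    ignored; Subcategories absent from the Current Profile are treated as
    'not_started', so a newly prioritized outcome shows up as a gap.
    """
    gaps = []
    for sub_id, want in target.items():
        have = current.get(sub_id, "not_started")
        if STATUS_ORDER[have] < STATUS_ORDER[want["status"]]:
            gaps.append(Gap(sub_id, have, want["status"],
                            want["priority"], want["owner"]))
    return gaps


def improvement_plan(gaps):
    """Order gaps into a plan: highest priority first, then by Subcategory ID
    so the output is stable from run to run."""
    return sorted(gaps, key=lambda g: (PRIORITY_ORDER[g.priority], g.subcategory))


def budget_by_owner(plan):
    """Count open gap items per owner to support resourcing discussions."""
    counts = {}
    for g in plan:
        counts[g.owner] = counts.get(g.owner, 0) + 1
    return counts


# Constructed sample data (not a real organization's assessment).
CURRENT_PROFILE = {
    "ID.IM-P1": "implemented",
    "ID.IM-P3": "partial",
    "GV.PO-P1": "implemented",
    "CT.DM-P1": "not_started",
    "PR.DS-P1": "partial",
}

TARGET_PROFILE = {
    "ID.IM-P1": {"status": "implemented", "priority": "high", "owner": "Privacy Office"},
    "ID.IM-P3": {"status": "implemented", "priority": "medium", "owner": "Privacy Office"},
    "GV.PO-P1": {"status": "implemented", "priority": "high", "owner": "Legal"},
    "CT.DM-P1": {"status": "partial", "priority": "high", "owner": "Engineering"},
    "PR.DS-P1": {"status": "implemented", "priority": "medium", "owner": "Security"},
    # In the Target but not yet in the Current Profile: surfaces as a gap.
    "CM.AW-P1": {"status": "partial", "priority": "low", "owner": "Privacy Office"},
}

if __name__ == "__main__":
    plan = improvement_plan(find_gaps(CURRENT_PROFILE, TARGET_PROFILE))
    for g in plan:
        print(f"[{g.priority:>6}] {g.subcategory}: {g.current} -> {g.target} ({g.owner})")
    print(budget_by_owner(plan))
```

The design choice worth noting is that the Target Profile, not the Current one, drives the loop: outcomes the organization has chosen not to prioritize never appear as gaps, while outcomes newly added to the Target surface immediately even if no one has assessed them yet. Replacing the sample dictionaries with data exported from whatever tool tracks the organization's Profiles is the only change needed to use it for real.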
NIST established a page to post example hypothetical and real-life Profiles, but they are at a very early stage and as of this writing, no examples were posted. Organizations should check the page regularly to see new Profiles as they are added and better
understand the wide range of possible types of Profiles that can be used.
Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk. There are four Tiers:
Each tier has four elements: Privacy Risk Management Process, Integrated Privacy Risk Management Program, Data Processing Ecosystem Relationships, and Workforce. All can be assessed independently from one another. Full descriptions are found within Appendix
E of the Privacy Framework.
It is important to understand that Tiers are not maturity levels. Tiers are used to support organizational decision-making about how to manage privacy risk by considering the nature of the privacy risks created by an organization’s systems, products
and services, and the sufficiency of the processes and resources an organization has in place to manage such risks.
Organizations determine their target Tiers based on their Target Profiles, their current risk management practices, the extent to which privacy risk mitigation activities have been integrated into the enterprise risk management program, and their data processing ecosystem relationships (vendors, contracted entities and other types of third parties).
Tiers can be used to communicate how resources need to be allocated to reach the target Tier, and to show the resources a higher Tier would require. This supports management's decision about whether moving up to the next Tier is necessary to manage privacy risks and meet applicable data protection legal requirements more effectively.
NIST engaged with stakeholders from throughout the world to build the NIST Privacy Framework Version 1.0. It considers the Privacy Framework to be a living document and plans to continue updating it over time. It also plans to add more resources throughout
the coming months and encourages organizations to monitor its site for new information.
By IANS Faculty