The NIST Privacy Framework: How to Mitigate Risk and Align Security Efforts
To celebrate Data Privacy Day, privacy professionals Katie Boeckl (Privacy Risk Strategist at NIST) and Mike Mason (VP of Financial Services and Emerging Markets at Imprivata FairWarning) spoke about the NIST Privacy Framework and how to align data privacy with security tactics for compliance simplicity. The framework was released in January 2020 with the purpose of making it easier for organizations to improve individuals’ privacy through enterprise risk management efforts.
Privacy challenges for organizations
Regardless of industry or business purpose, organizations today collect a plethora of data – names, addresses, phone numbers, social security numbers, and so much more. Healthcare facilities gather PHI, banks collect financial information, tech companies collect location data with consumer patterns, schools amass student test scores, the list goes on. With all this data gathering comes added challenges for organizations, especially with regulations like CCPA and GDPR. When asked, “What challenges are you facing at your organization today?” most respondents said tracking data, followed closely by protecting customer information. The top challenges include:
- Tracking what data is being collected and used
- Protecting private, confidential information
- Balancing the need to share information for business purposes without sharing too much
- Protecting data once it’s loaded into SaaS applications
- Knowing what data to collect
- Obtaining clear, lawful consent for storing and using information
Fortunately, many of these problems can be solved by aligning with NIST frameworks and streamlining your security and privacy tactics. So how can you use NIST frameworks in the most impactful way to do meaningful business and mitigate privacy risk? And how do the Privacy and Cybersecurity Frameworks fit together? First, it’s essential to understand NIST’s mission.
What is NIST?
Founded in 1901, NIST is a bureau within the Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology to enhance economic security and improve quality of life. A non-regulatory agency, NIST does not enforce regulations, but instead focuses on supporting organizations by creating voluntary standards and guidance to help companies build trustworthy products and services. Trustworthiness is often thought of in terms of safety, reliability, and security, but NIST has begun thinking about other attributes that are necessary for trustworthiness, such as privacy.
To NIST, privacy and cybersecurity matter because they increase the trustworthiness of products and services, which is key for maintaining U.S. competitiveness. The agency works with a wide variety of regulated organizations so that they understand the pain points compliance teams encounter, and actively work to mitigate challenges and risks at the same time.
Why use NIST frameworks?
As privacy becomes the new normal – evidenced by legislation such as CCPA and GDPR – NIST has worked to solve compliance challenges for privacy and cybersecurity professionals by recognizing that they face a patchwork of different regulations. And because they’re a non-regulatory agency, NIST’s compliance tools are voluntary. Many organizations already use the Cybersecurity Framework that NIST released in 2014, but with the new Privacy Framework, others are currently researching the benefits of using frameworks.
Why use NIST frameworks? Primarily because they address privacy and security challenges that organizations across industries face in their efforts to protect data. They also build trust, help reduce risk, facilitate communication, and support fulfilling compliance obligations. But in addition to that, the frameworks are:
The frameworks help organizations meet compliance obligations by providing building blocks, essential outcomes, and activities in both the cybersecurity and privacy spaces. These elements can then demonstrate compliance with laws or regulations like FINRA and HIPAA. To make frameworks accessible to both privacy and security professionals, NIST uses general, accessible terms that are agnostic to any specific law or regulation. This way, risk teams can plug in whichever one applies to their organization.
One of the most significant reasons the Privacy Framework mimics the Cybersecurity Framework’s structure is to help facilitate communication. NIST wanted the Privacy Framework to be accessible not only to privacy professionals but to others as well – lawyers, IT and security, business professionals, and more. The language is built to make sense to anyone in an organization, allowing privacy to expand beyond just privacy professionals.
The relationship between cybersecurity and privacy risk
To effectively manage cybersecurity and privacy risks while bridging the gap between departments, it’s critical to understand the relationship between cybersecurity and privacy along with how they overlap.
Various sources of risk relate back to both cybersecurity and privacy. Cybersecurity risks are generally accepted to arise from loss of data confidentiality, integrity, or availability. Within these risks, however, lies a clear overlap with privacy – concern about data breaches, among other threats. But the challenge is illuminating privacy risks that extend beyond data breaches or cybersecurity-related incidents. Privacy risks are associated with events that arise from the complete data life cycle, including collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.
What does that mean? An example is smart meters, which are electronic devices that measure household electricity consumption, most often on an hourly basis. The meters record energy usage and report the information back to the energy supplier for monitoring and billing purposes. Some communities rejected the use of smart meters – not because they were concerned about data security, but because they were worried the granular, detailed information about how they were moving throughout their homes was being collected and what kind of profiles could be created about them, or what could be gleaned about their personal, private life.
Smart meters are designed to provide the community with a benefit – more efficient use of electricity. But as a result of the systems running the way they were intended, they gave rise to privacy risks, and individuals felt surveilled. This is a glimpse into the full scope of privacy risk, which helps identify where threats originate, allowing for better collaboration on their overlap and the differences between privacy and cybersecurity.
Bridging the gap between security and privacy
For privacy professionals to bridge the gap between them and cybersecurity teams while obtaining executive buy-in for privacy, look to the benefits that the Privacy Framework provides to the enterprise as a whole. Where cybersecurity and privacy risks overlap are cybersecurity-related privacy events. As an enterprise risk management tool, the Privacy Framework can compensate for the fact that cybersecurity risk management is a developed discipline while privacy is still emerging. The common language about risk helps encourage conversations about privacy in an organization that focuses on cybersecurity, clarifying for stakeholders how privacy risks relate back to the enterprise.
Privacy risk and organizational risk
Privacy risks are problems that anyone can experience. In data processing, the problem would arise first, such as a database breach or the compromise of a customers’ personal information. Next, the individual – whether single persons or groups in society – experiences the direct impact, which could be any range of problems that could be encountered as a result of data processing such as embarrassment, discrimination, or economic loss.
How does this impact the organization? It’s important to note that the resulting impact can be experienced through customer abandonment, noncompliance costs, or harm to external reputation or internal culture. The relationship between customer and company is significant in helping privacy professionals to communicate to executive leadership or other parts of the business. To emphasize the importance of privacy risk and justify why resources are needed to better protect individuals’ privacy, address how the relationship affects the business’ bottom line because the impact isn’t exclusively external to an organization.
In a nutshell, this is why privacy matters, especially in terms of mitigating the risks between individuals’ privacy and the organization as a whole.
Key privacy risk management practices
Frameworks are part of a holistic risk management strategy. Following key practices to help manage privacy risks is essential because privacy risk management isn’t as well-known and understood as cybersecurity risk management. In fact, the NIST Cybersecurity Framework spends more time on privacy risk management than it does cybersecurity risk management. The additional direction helps organizations that don’t have as mature a privacy program or as high of an understanding as others.
NIST provides a set of activities that offer key support for managing privacy risk, which includes:
- Organizing preparatory resources. This may fall to security teams to see what kind of system architecture diagrams are already available to help with data inventory and mapping exercises.
- Determining privacy capabilities. Assessing current privacy activities reveals where to improve and expand. Knowing what data an organization has, what they’re doing with it, and who is accessing it are all fundamental practices.
- Defining privacy requirements. Identify what regulations are mandatory and what expectations regulators have for meeting certain privacy standards.
- Conducting privacy risk assessments. NIST created a privacy risk assessment methodology called the PRAM as part of their privacy engineering program for any company to download and use.
- Creating privacy requirements traceability. Mapping guides and crosswalks connect the dots between how an activity traces to a regulatory requirement, demonstrating fulfillment and compliance.
- Monitoring changing privacy risks. User activity monitoring for an organization’s applications like Salesforce, Office 365, and EHRs track how users interact with data – viewing, downloading, editing, exporting, deleting, etc. You can quickly see exactly which user did what, when, from where, and how often.
NIST Privacy Framework structure
When creating the Privacy Framework, NIST consulted stakeholders who resoundingly agreed that they wanted it to align with the Cybersecurity Framework. Therefore, to facilitate ease of use, NIST modeled the structure of the Privacy Framework after the Cybersecurity Framework, including the same main components – the core, profiles, and implementation tiers. Each part reinforces privacy risk management through the connection between mission drivers and privacy protection activities.
The core provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk. The core contains a menu of key privacy outcomes and activities that an organization might want to consider when carrying out its privacy program.
Profiles are a selection of specific functions, categories, and subcategories from the core that an organization prioritizes to help manage privacy risk. Profiles get to the heart of the risk-based nature of the Privacy Framework, where you examine all outcomes the core has to offer and select the ones that are most important based on a privacy risk assessment and organizational risk tolerance.
By creating a target profile, you can establish goals for the future and compare it to your current profile, which accounts for activities you’re already doing. Then, you can use the gap analysis between the two profiles to create a prioritized action plan for how to reach your goals.
Implementation tiers help an organization communicate whether it has sufficient processes and resources to manage privacy risk and achieve its target profile. Implementation tiers are useful in communicating the processes and resources for managing privacy risk and demonstrating the importance of privacy to executives and other decision-makers.
Privacy Framework core functions
The Privacy Frameworks’ core functions are Identify, Govern, Control, Communicate, and Protect. They are all notated as “-P” for “privacy,” because Identify and Protect are both functions that also appear in the Cybersecurity Framework. The “-P” version utilizes a privacy lens to help manage privacy risks in addition to cybersecurity risks.
- Identify-P: Develop the organizational understanding to manage privacy risk for individuals arising from data processing. Identify is where you’ll find foundational, risk-management practices like risk assessment, data inventory and mapping, and more.
- Govern-P: Develop and implement the organizational governance structure to enable an ongoing understanding of the company risk management priorities informed by privacy risk. Govern originated from the privacy community who wanted to see governance and accountability activities front and center. The Govern function contains activities like ongoing monitoring of changing privacy risks and updating the data elements you are collecting to address increased privacy risk.
- Control-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. Control is home to more technical data management related activities like deidentification techniques or database configuration to address legal requirements.
- Communicate-P: Develop and implement appropriate activities to enable organizations and individuals to reliably understand data processing methods and associated privacy risks. Communicate is intended to be a two-way street. It’s not just an organization providing notice to individuals about data processing activities – it’s also mechanisms for individuals to communicate back with the organization to request corrections to the data, say the information is incorrect about that individual, or to give feedback about those data processing activities that the organization is conducting.
- Protect-P: Develop and implement appropriate data processing safeguards. Protect has the biggest overlap with the Cybersecurity Framework and is closely rooted in the Cybersecurity Framework’s content. But because protecting data is such a foundational activity for privacy professionals as well, there are key cybersecurity-related activities in the Privacy Framework.
Cybersecurity and Privacy Framework alignment
When developing the Privacy Framework, NIST dedicated a significant amount of time on the Protect function, debating how much cybersecurity content should be brought over to the new framework. While there is some repetition among the cybersecurity activities found in the Cybersecurity Framework, the duplication has more to do with how mature a privacy program is or how much an organization’s privacy team is already collaborating with security. So NIST created the Privacy Framework with flexibility in mind, knowing many companies would be using it with the Cybersecurity Framework.
The Cybersecurity Framework addresses risks using the following functions:
In comparison, the Privacy Framework addresses risks using the following functions:
The following functions from both frameworks can be combined in different ways to manage cybersecurity-related privacy events:
If a privacy program is already collaborating closely with cybersecurity colleagues, that team might already be using the Cybersecurity Framework to address cybersecurity-related privacy risks. In that case, to address the other data processing risks, they might only need to use Identify-P, Govern-P, Control-P, and Communicate-P to fill in the gaps for a complete program that addresses all risks.
But if the privacy program is siloed and not closely collaborating with cybersecurity, pulling in overlapping functions like Protect-P as well as the incident-related functions in the Cybersecurity Framework – Detect, Respond, and Recover – might be necessary. The frameworks are flexible, so it’s possible to add and subtract functions based on organizational risk, program maturity, and collaboration.
Making NIST frameworks work for your data privacy and security needs
Every organization is different, but the agnostic nature of the NIST frameworks allows them to be used in any industry, regardless of the specific regulations you must comply with. As best practices for building robust data security and privacy programs, the NIST Cybersecurity and Privacy Frameworks can help reduce siloes across departments, enhance privacy and security by streamlining efforts, and save time spent on compliance, which can take months to years of work. With regulations like CCPA and GDPR popping up more frequently across the globe – and no signs that they’ll slow down – aligning with a framework is an effective way to meet the compliance, privacy, and security needs while protecting sensitive data and reinforcing trust.