The NIST Privacy Framework: How Does It Compare to the Cybersecurity Framework?

 

The New NIST Privacy Framework How Does It Compare to the Cybersecurity Framework

Mindfully designing and using technology with privacy in mind is a challenge in our highly connected world. To companies, data is worth more than gold – but if data collection and usage aren’t meticulously and responsibly managed, personal privacy suffers. Establishing data privacy is not a set-it-and-forget-it process – compliance regulations change, and new ones are published every year. Nor is there a one-size-fits-all solution for data privacy. While robust cybersecurity tactics can help manage privacy risk by securing sensitive data, they don’t conclusively prevent threats that may arise when companies process and use personal data.

Privacy, not just cybersecurity

So how can organizations stay expertly manage data privacy in a world where it’s more important than ever before? Fortunately, frameworks exist that enable businesses to simplify their efforts. The National Institute of Standards and Technology (NIST) released its voluntary Cybersecurity Framework (CSF) in 2014 to help companies align their cybersecurity efforts with many regulations. The CSF enables businesses to meet high standards of security and excellence without having to overhaul their information security processes for every new regulation like SOX, HIPAA, PCI-DSS, or GLBA. But because cybersecurity doesn’t cover all that privacy necessitates, NIST has also created a Privacy Framework to address the privacy challenge.

Purpose of the NIST Privacy Framework

The objective of the new framework is to help organizations clarify the privacy risk management process by identifying desired outcomes and prioritizing steps for achieving those goals. By fulfilling requirements and future-proofing against legislation changes, it makes compliance easier. Furthermore, the NIST Privacy Framework supports ethical decision-making to foster customer trust by increasing the beneficial uses of data and decreasing the potential consequences for privacy. For example, banks may collect and use data to enhance their loan processes by making it easier for customers to apply, but mishandling that data may create problems for the individuals to whom the information belongs.

The framework addresses concerns like these and helps fill the gaps between cybersecurity and privacy. Version 1.0 of NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management enables communication channels among customers, regulators, assessors, and employees, which fosters a culture of privacy.

Expanding on cybersecurity efforts to include privacy

Many organizations – whether in financial services, healthcare, education, government, or otherwise – utilize NIST’s Cybersecurity Framework to protect business information, especially in cloud applications like Salesforce. However, the CSF doesn’t fully address the concerns for individual privacy – that of the customers to whom the personal data belongs. The Privacy Framework fills this gap and encourages organizations to heed the privacy movement and embrace proactive privacy practices. Fortunately, for the security and risk professionals responsible for implementing frameworks, the Privacy Framework was designed with its cybersecurity counterpart in mind and is even structured to facilitate the combined use of both frameworks. Together, they enable organizations to successfully mitigate risk, manage individuals’ privacy, and promote transparency.

The relationship between the NIST Cybersecurity Framework and the Privacy Framework

When developing the CSF, NIST took efforts to make the process open, transparent, and collaborative. They reused this successful approach when creating the Privacy Framework. To promote collaboration between privacy and security teams, the two frameworks are aligned so they’re easier to use together – a natural course of action given the overlap between privacy and security.

Like the CSF, the NIST Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. To distinguish the two frameworks and respect the different approaches companies take towards privacy and security, NIST emphasizes the flexibility of the frameworks to meet an organization’s specific needs while still promoting collaboration. The Privacy Framework has five functions for managing privacy:

  • Identify-P: Develop an understanding of privacy risk management to address risks that occur during the processing of individuals’ data.
  • Govern-P: Create a governance structure to manage risk priorities.
  • Control-P: Implement activities that allow organizations to manage data on a granular level while preventing privacy risks.
  • Communicate-P: Increase communication and transparency between organizations and individuals regarding data processing methods and related privacy risks.
  • Protect-P: Establish safeguards for data processing to avoid potential cybersecurity-related events that threaten the security or privacy of individuals’ data.

Together, these functions help reduce privacy-related risks generated from collecting, processing, managing, or storing data. The Protect-P function focuses on risks related to cybersecurity events, making it the most closely linked with the CSF. The Detect, Respond, and Recover functions from the Cybersecurity Framework can enhance the management of risk in Protect-P and align security and privacy tactics.

The NIST Privacy Framework in your organization: Get started

Altogether, the NIST Privacy Framework can help organizations address a critical question, “How are we taking into account the impact on individuals’ privacy as we develop our systems, products, and services?” Whether your organization already uses the Cybersecurity Framework or is new to NIST, begin aligning with the Privacy Framework by using Ready, Set, and Go:

  • Ready: Get ready for implementation using Identify-P and Govern-P.
  • Set: Set a plan of action to move from the “Current Profile” to the “Target Profile.”
  • Go: Go forth and implement your plan for managing privacy risk.