NIST PRIVACY FRAMEWORK – HIGHLIGHTS FROM VERSION 1.0
Joyce Chua

Purpose of this Deck – Understand NIST Privacy Framework easily

COVER
NIST PRIVACY FRAMEWORK (VOLUNTARY) – COMMON BUT ADAPTABLE APPROACH TO MANAGE PRIVACY RISKS

DOES NOT COVER
FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY (CYBERSECURITY FRAMEWORK) – SHOULD BE USED TOGETHER
Scope

Core
• Executive level

Profiles
• Prioritization of outcomes and activities (Current Profiles vs. Target Profiles)
• Self Assessment

Implementation Tiers
• HOW-TO manage risks
• Integrate with Enterprise Risk Management (ERM) Portfolio
Privacy Risk Management
◦ Consider privacy events through a complete lifecycle from data collection through disposal
◦ Identify the likelihood of any given problem arising from data processing (problematic data action) => then assess the probable impact
• Bring privacy risk into parity with other risks through ERM
• Drive more informed decision-making on resource allocation to strengthen the privacy program
◦ See Appendix D for Privacy Risk Management Practices

Privacy Risk Assessment (PRA)
◦ PRA: sub-process for identifying and evaluating specific privacy risks
◦ Proportionality – risks + appropriate responses
◦ Response approaches
◦ Important as privacy is a condition to safeguard multiple values
◦ Distinguish between privacy and compliance risk => ethical decision-making
Core
◦ Provides an increasingly granular set of activities and outcomes to enable a dialogue on managing privacy risks
◦ Core elements work together:
  ◦ Functions organize foundational (highest level) privacy activities => continuously form/enhance an operational culture that addresses the dynamic nature of privacy risk
    ◦ Identify-P – develop organizational understanding of Privacy Risk Management
    ◦ Govern-P – develop and implement the organizational governance structure to enable an ongoing understanding of risk tolerance
    ◦ Control-P – develop and implement appropriate activities to enable data management with granularity
    ◦ Communicate-P – develop and implement appropriate activities to enable reliable understanding and engagement about data processing
    ◦ Protect-P – develop and implement appropriate data processing safeguards
  ◦ Categories subdivide a function into groups of privacy outcomes closely tied to programmatic needs and particular activities
  ◦ Subcategories divide a category into specific outcomes of technical and/or management activities and provide a set of results
Core – Appendix A Extracts
◦ A table of functions, categories and subcategories is presented
◦ Risk-based approach
  ◦ Select the subcategories consistent with its risk strategy to protect individual privacy as noted in the Category Statements
  ◦ Use Profiles to select and prioritize, and to express partial achievement of an outcome
  ◦ Consider multiple outcomes to manage privacy risk
◦ Implementation
  ◦ Tabular format is NOT intended to suggest a specific implementation order or degree of importance
◦ Roles
  ◦ Ecosystem
  ◦ Organizational
◦ Scalability
  ◦ Certain aspects of outcomes are ambiguous to allow different use cases to determine what is appropriate
◦ Resource Repository
  ◦ Standalone resources to prioritize and achieve outcomes
◦ Cybersecurity Framework Alignments
  ◦ 5 Functions
  ◦ Certain functions, categories or subcategories may be identical

Core – Appendix A Tables’ Snapshots
Profiles
◦ Selection of specific functions, categories, and subcategories from the Core by the organization to prioritize based on privacy risk management
◦ Tailor to the organization’s specific needs and unique risks
◦ Describe current state and desired target state
◦ Identify the gaps, develop action plans and gauge resources to address the gaps (cost-effective and prioritized manner)
◦ Communicate risk within and between organizations
◦ No specified order of development of profiles
  ◦ Can develop the Target Profile first, then the Current Profile, OR
  ◦ Can identify current activities, then consider adjusting for the Target Profile
◦ May choose to develop multiple profiles for different activities and outcomes
Note that the NIST Privacy Framework does not prescribe Profile Templates, to allow for flexible implementation
Implementation Tiers
◦ Manage privacy risk
◦ Based on target profiles and how achievement may be supported/hampered by the current processes/situations
◦ 4 Tiers – Organization can consider moving from lower levels to a higher level (progression) based on its assessment
  ◦ 1 – Partial
  ◦ 2 – Risk Informed
  ◦ 3 – Repeatable
  ◦ 4 – Adaptive
◦ See Appendix E for the definitions of the 4 Tiers
◦ Can use Tiers to communicate internally about necessary resource allocations to move to a higher tier
◦ Can use to understand the scale of resources and processes of other organizations in the data processing ecosystem
Successful implementation of the NIST Privacy Framework is based on achieving the outcomes described in the Target Profiles, NOT Tier Determination
How to use this framework?
◦ As a Risk Management Tool
◦ Helps to answer the question “what are the impacts to individuals as we develop our systems, products and services?”
◦ Use this framework flexibly
◦ Decision on how to apply it => implementing organization
  ◦ E.g. Already have robust privacy risk management processes => use the Core’s 5 functions to analyze and articulate any gaps
  ◦ E.g. Seek to establish a privacy program => use Categories and Subcategories as a reference
  ◦ E.g. Compare profiles or tiers to align privacy risk management priorities across different roles in the data processing system
Discourage the notion of “Compliance with the Privacy Framework”
◦ Risk-based NOT Compliance-based
How to use – Mapping to Informative References
◦ Informative References – mapping to subcategories to provide implementation support
◦ Crosswalks can help an organization determine which activities or outcomes to prioritize to facilitate compliance
◦ The NIST Privacy Framework is technology neutral but supports technological innovation
◦ Rely on consensus-based standards, guidelines and practices => scalability achieved
◦ Use of existing and emerging standards enables economies of scale and drives development of systems, products and services that meet
  ◦ Identified market needs
  ◦ Privacy needs of individuals
◦ Gaps in mapping can identify where additional/revised standards, guidelines and practices can help to address emerging needs
◦ Existing references - https://www.nist.gov/privacy-framework/resource-repository/browse
How to Use – Strengthening Accountability
◦ Accountability => Key Privacy Principle
◦ Privacy Risk Management = a means of supporting accountability at all organization levels
  ◦ Senior Executives to Manager Level to Implementing/Operations level
◦ Use the NIST Privacy Framework as a tool to support/achieve accountability
◦ Picture shows how the elements of the Privacy Framework can be incorporated to facilitate the process
How to use – Establishing/Improving a Privacy Program
• Use the simple model of “Ready, set, go” phases
• Can establish or improve a privacy program by using the informative references
• Can go through phases nonsequentially as required

Ready
• Review the categories and subcategories
• Develop its Current Profile and Target Profiles
• Identify the activities and outcomes as foundation

Set
• Indicate which Category and Subcategory outcomes are being achieved from the remaining functions
• Partially achieved outcomes -> note it
• Complete its Target Profile focusing on the assessment of categories and subcategories
• Develop its own additional functions, categories and subcategories to account for the unique risks
• Can develop multiple profiles to support its different business lines/processes
• Compare the current and target profiles to determine the gaps
• Create a prioritized action plan to address the gaps (integrate action plans if the Cybersecurity Framework is used) to achieve the target profiles; this can inform the selection of the appropriate Tier
• Make informed decisions and enable cost-effective and targeted improvements by using the profiles

Go
• Prioritize which actions to take and adjust the privacy practices to achieve the Target Profiles
How to Use – Applying to SDLC
◦ Can align the Target Profile with the SDLC
  ◦ Plan – Prioritized privacy outcomes can be transformed into system privacy capabilities and requirements
  ◦ Design – validate that the privacy capabilities and requirements match the Target Profile
  ◦ Deploy – the Target Profile can be used to assess and verify the privacy capabilities and requirements implemented
◦ Align the SDLC and data lifecycle to better manage privacy risks and privacy controls to meet privacy requirements
How to Use within the Data Processing System / Informing Buying Decisions
◦ Current/Target Profile can be used to generate a prioritized list of privacy requirements
◦ Inform decisions about buying services/products
◦ Can evaluate the partners’ systems, products and services against the outcomes related to its privacy goals
◦ Make the best buying decision among multiple suppliers
◦ Address residual risk via mitigation measures or management actions
Key Takeaways
◦ Cybersecurity Framework is highly recommended to use concurrently
◦ Privacy Framework can never be implemented standalone
◦ Privacy Risk Management should be part of ERM
◦ Consists of
  ◦ Core – 5 functions
  ◦ Profiles – Current and Target Profiles
  ◦ Tiers – 4 distinct Tiers
◦ Successful implementation of the NIST Privacy Framework is based on achieving the outcomes described in the Target Profiles, NOT Tier Determination
◦ Application of the Privacy Framework is dependent on the implementing organization
◦ Mapping to Informative References – use the repository of external informative references
◦ Strengthening Accountability
◦ Establishing/Improving a Privacy Program (“Ready, Set, Go”)
◦ Applying to SDLC (with alignment of the Data Life Cycle)
◦ Within the Data Processing Ecosystem
◦ Informing Buying Decisions