FRAMEWORK – HIGHLIGHTS FROM VERSION 1.0
Joyce Chua
Purpose of this Deck – Understand NIST Privacy Framework easily
Profiles
• Prioritization of outcomes and activities (Current Profiles vs. Target Profiles)
• Self Assessment

Implementation Tiers
• HOW-TO manage risks
• Integrate with Enterprise Risk Management (ERM) Portfolio
Privacy Risk Management
◦ Consider privacy events through a complete lifecycle, from data collection through disposal
◦ Identify the likelihood of any given problem arising from data processing (problematic data action) => then assess the probable impact
Response approaches
Core
◦ Provides an increasingly granular set of activities and outcomes to enable a dialogue on managing privacy risks
◦ Core elements work together:
  ◦ Functions organize foundational (highest level) privacy activities => continuously form/enhance an operational culture that addresses the dynamic nature of privacy risk
    ◦ Identify-P – develop organizational understanding on Privacy Risk Management
    ◦ Govern-P – develop and implement organizational governance structure to enable ongoing understanding on risk tolerance
    ◦ Control-P – develop and implement appropriate activities to enable data management with granularity
    ◦ Communicate-P – develop and implement appropriate activities to enable reliable understanding and engagement about data processing
    ◦ Protect-P – develop and implement appropriate data processing safeguards
  ◦ Categories subdivide a Function into groups of privacy outcomes closely tied to programmatic needs and particular activities
  ◦ Subcategories divide a Category into specific outcomes of technical and/or management activities and provide a set of results
Core – Appendix A Extracts
◦ A table of Functions, Categories and Subcategories is presented
◦ Risk-based approach
  ◦ Select the Subcategories consistent with its risk strategy to protect individual privacy as noted in Category Statements
  ◦ Use Profiles to select and prioritize, and to express partial achievement of an outcome
  ◦ Consider multiple outcomes to manage privacy risk
◦ Implementation
  ◦ Tabular format is NOT intended to suggest a specific implementation order or degree of importance
◦ Roles
  ◦ Ecosystem
  ◦ Organizational
◦ Scalability
  ◦ Certain aspects of outcomes are ambiguous to allow different use cases to determine what is appropriate
◦ Resource Repository
  ◦ Standalone resources to prioritize and achieve outcomes
◦ Cybersecurity Framework Alignments
  ◦ 5 Functions
  ◦ Certain Functions, Categories or Subcategories may be identical
Core – Appendix A Tables’ Snapshots
Profiles
◦ Selection of specific Functions, Categories, and Subcategories from the Core by the organization to prioritize based on privacy risk management
◦ Tailor to the organization’s specific needs and unique risks
◦ Describe current state and desired target state
◦ Identify the gaps and develop action plans and gauge resources to address the gaps (in a cost-effective and prioritized manner)
◦ Communicate risk within and between organizations
◦ No specified order of development of Profiles
  ◦ Can develop Target Profile first, then Current, OR
  ◦ Can identify current activities, then consider adjusting for the Target Profile
◦ May choose to develop multiple Profiles for different activities and outcomes
Note that the NIST Privacy Framework does not prescribe Profile templates, to allow for flexible implementation
Implementation Tiers
◦ Manage privacy risk
◦ Based on Target Profiles and how achievement may be supported/hampered by the current processes/situations
◦ 4 Tiers – Organization can consider moving from lower levels to higher level (progression) based on its assessment
  ◦ 1 – Partial
  ◦ 2 – Risk Informed
  ◦ 3 – Repeatable
  ◦ 4 – Adaptive
◦ See Appendix E for the definitions of the 4 Tiers
◦ Can use Tiers to communicate internally about necessary resource allocations to move to a higher Tier
◦ Can use to understand the scale of resources and processes of other organizations in the data processing ecosystems
Successful implementation of the NIST Privacy Framework is based on achieving the outcomes described in the Target Profiles, NOT on Tier determination
How to use this framework?
◦ As a Risk Management Tool
◦ Help to answer the question “what are the impacts to individuals as we develop our systems, products and services?”
◦ Use this framework flexibly
◦ Decision on how to apply it => implementing organization
  ◦ E.g. Already have robust privacy risk management processes => use the Core’s 5 Functions to analyze and articulate any gaps
  ◦ E.g. Seek to establish a privacy program => use Categories and Subcategories as a reference
  ◦ E.g. Compare Profiles or Tiers to align privacy risk management priorities across different roles in the data processing system
Discourage the notion of “Compliance with the Privacy Framework” => Risk-based NOT Compliance-based
How to use – Mapping to Informative References
◦ Informative References – mapping to Subcategories to provide implementation support
◦ Crosswalks can help an organization determine which activities or outcomes to prioritize to facilitate compliance
◦ Use of existing and emerging standards enables economies of scale and drives development of systems, products and services that meet
  ◦ Identified market needs
  ◦ Privacy needs of individuals
• Indicate which Category and Subcategory outcomes are being achieved from the remaining Functions
• Partially achieved outcomes -> note it
• Complete its Target Profile, focusing on the assessment of Categories and Subcategories
• Develop its own additional Functions, Categories and Subcategories to account for the unique risks
Set
• Can develop multiple Profiles to support its different business lines/processes
• Compare the Current and Target Profiles to determine the gaps
• Create a prioritized action plan to address the gaps (integrate action plans if the Cybersecurity Framework is used) to achieve the Target Profiles; this can inform the selection of an appropriate Tier
• Make informed decisions, enable cost-effective and targeted improvements by using the Profiles
Go
• Prioritize which actions to take and adjust the privacy practices to achieve the Target Profiles
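The Current-vs-Target Profile comparison described in the steps above, as an added example that is not part of the deck or of NIST's own materials: a small Core subset (with one organization-defined subcategory), a Current Profile that records partially achieved outcomes, a Target Profile with priorities, and a gap analysis that feeds a prioritized action plan. All subcategory ids, outcomes and priorities are constructed for illustration and are not NIST's published identifiers.

```python
"""Current vs. Target Profile gap analysis (added example, not NIST's or the deck's).
Subcategory ids, outcomes and priorities below are constructed for illustration."""
from dataclasses import dataclass, field

ACHIEVED, PARTIAL, NOT_ACHIEVED = "achieved", "partial", "not_achieved"

# Core subset: constructed subcategory id -> (Function, outcome). "ORG-P.1" is an
# organization-defined addition, as the framework allows for unique risks.
CORE = {
    "ID-P.1": ("Identify-P", "Data processing inventory is maintained"),
    "GV-P.1": ("Govern-P", "Privacy risk tolerance is defined"),
    "CT-P.1": ("Control-P", "Data are disposed per retention schedule"),
    "PR-P.1": ("Protect-P", "Data at rest are protected"),
    "ORG-P.1": ("Org-defined", "Biometric consent is re-confirmed yearly"),
}

@dataclass
class Profile:
    status: dict = field(default_factory=dict)    # id -> achievement level (Current)
    priority: dict = field(default_factory=dict)  # id -> rank, 1 = highest (Target)
    notes: dict = field(default_factory=dict)     # id -> why an outcome is only partial

def gap_analysis(core, current, target):
    """List (priority, id, current_level, note) for each Target outcome that the
    Current Profile does not fully achieve; unknown ids fail fast."""
    gaps = []
    for sub_id, prio in target.priority.items():
        if sub_id not in core:
            raise KeyError(f"{sub_id} is not a Core or organization-defined subcategory")
        level = current.status.get(sub_id, NOT_ACHIEVED)
        if level != ACHIEVED:
            gaps.append((prio, sub_id, level, current.notes.get(sub_id, "")))
    return sorted(gaps)

def action_plan(gaps):
    """Order gaps by priority; at equal priority, finish partial outcomes before
    starting new ones, since they usually need the least additional resourcing."""
    ranked = sorted(gaps, key=lambda g: (g[0], g[2] != PARTIAL))
    return [f"{i}. {g[1]} ({CORE[g[1]][0]}): "
            f"{'complete' if g[2] == PARTIAL else 'establish'} outcome"
            for i, g in enumerate(ranked, 1)]

CURRENT = Profile(status={"ID-P.1": ACHIEVED, "GV-P.1": PARTIAL, "PR-P.1": ACHIEVED},
                  notes={"GV-P.1": "tolerance defined for HR data only"})
TARGET = Profile(priority={"CT-P.1": 1, "GV-P.1": 1, "ORG-P.1": 2, "ID-P.1": 3, "PR-P.1": 3})

if __name__ == "__main__":
    for item in action_plan(gap_analysis(CORE, CURRENT, TARGET)):
        print(item)
```

Outcomes the Current Profile already achieves drop out of the plan, and a Target entry that names no Core or organization-defined subcategory is rejected rather than silently ignored.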
How to Use – Applying to SDLC
◦ Can align the Target Profile with the SDLC
  ◦ Plan – prioritized privacy outcomes can be transformed into system privacy capabilities and requirements
  ◦ Design – validate that the privacy capabilities and requirements match the Target Profile
  ◦ Deploy – the Target Profile can be used in assessment to verify the privacy capabilities and requirements implemented
◦ Align SDLC and data lifecycle to better manage privacy risks and privacy controls to meet privacy requirements
How to Use – within Data Processing System
How to Use – Informing Buying Decisions