Glossary
NIST Privacy Framework
Created By: Jay James, Teaching Assistant

1. 8 FIPPS – Includes: Collection Limitation Principle, Data Quality Principle, Purpose
Specification Principle, Use Limitation Principle, Security Safeguards Principle,
Openness Principle, Individual Participation Principle, Accountability Principle
2. Availability (CIA Triad) – representing that data remains accessible when needed
3. Assessment Approach – the mechanism by which identified risks are prioritized
4. Awareness and Training Category – the organization's workforce and third parties
engaged in data processing are provided privacy awareness education and are trained
to perform their privacy-related duties and responsibilities consistent with related
policies, processes, procedures, and agreements and organizational privacy values
5. Business Environment Category – the organization's mission, objectives,
stakeholders, and activities are understood and prioritized; this information is used to
inform privacy roles, responsibilities, and risk management decisions.
6. Communicate – develop and implement appropriate activities to enable organizations
and individuals to have a reliable understanding of, and engage in dialogue about, how data
are processed and the associated privacy risks
7. Communication Policies, Processes, and Procedures Category – policies,
processes, and procedures are maintained and used to increase transparency of the
organization's data practices and associated privacy risks
8. Confidentiality (CIA Triad) – representing that unauthorized access is prevented
9. Control – develop and implement appropriate activities to enable organizations or
individuals to manage data with sufficient granularity to manage privacy risks
10. Current Profile – documents an organization's current privacy outcomes (the 'as is'
state)
11. Cybersecurity Risks – risk associated with cybersecurity incidents arising from loss of
confidentiality, integrity, or availability

Brought to you by: Develop your team with the fastest growing catalog in the cybersecurity industry. Enterprise-grade workforce development management, advanced training features and detailed skill gap and competency analytics.

12. Data Lifecycle – lifecycle that includes the steps: data creation, storage management,
data use and role-based security, shared data, archive data, and permanently destroy
data.
13. Data Processing Awareness Category – individuals and organizations have reliable
knowledge about data processing practices and associated privacy risks, and effective
mechanisms are used and maintained to increase predictability consistent with the
organization's risk strategy to protect individuals' privacy
14. Data Processing Ecosystem – the complex and interconnected relationships among
entities involved in creating or deploying systems, products, or services or any
components that process data
15. Data Processing Ecosystem Risk Management Category – the organization's
priorities, constraints, risk tolerance, and assumptions are established and used to
support risk decisions associated with managing privacy risk and third parties within the
data processing ecosystem. The organization has established and implemented the
processes to identify, assess, and manage privacy risks within the data processing
ecosystem
16. Data Processing Management Category – data are managed consistent with the
organization's risk strategy to protect individuals' privacy, increase manageability, and
enable the implementation of privacy principles
17. Data Processing Policies, Processes, and Procedures Category – policies,
processes, and procedures are maintained and used to manage data processing
consistent with the organization's risk strategy to protect individuals' privacy
18. Data Protection Policies, Processes, and Procedures Category – security and
privacy policies, processes, and procedures are maintained and used to manage the
protection of data
19. Data Security Category – data are managed consistent with the organization's risk
strategy to protect individuals' privacy and maintain data confidentiality, integrity, and
availability
20. Disassociability – a privacy engineering objective which enables the processing of data
or events without association to individuals or devices beyond the operational
requirements of the system.
21. Disassociated Processing Category – data processing solutions increase
disassociability consistent with the organization's risk strategy to protect individuals'
privacy and enable implementation of privacy principles.
22. Failsafe (2) – a design feature or practice that, in the event of a specific type of failure,
inherently responds in a way that will cause no or minimal harm to other equipment, to
the environment, or to people
23. Fair Information Practice Principles – a set of principles and practices that describe
how an information-based society may approach information handling, storage,
management, and flows with a view toward maintaining fairness, privacy, and security in
a rapidly evolving global technology environment
24. Generally Accepted Privacy Principles (GAPP) – framework intended to assist
Chartered Accountants and Certified Public Accountants in creating an effective privacy
program for managing and preventing privacy risks.
25. Go (Ready, Set, Go Method) – "Go" forward with implementing the action plan
26. Govern – develop and implement the organizational governance structure to enable an
ongoing understanding of the organization's risk management priorities that are informed
by privacy risk.
27. Governance Policies, Processes, and Procedures Category – the policies,
processes, and procedures to manage and monitor the organization's regulatory, legal,
risk, environmental, and operational requirements are understood and inform the
management of privacy risk.
28. Hot Swap – the replacement or addition of components to a computer system without
stopping, shutting down, or rebooting the system
29. Identify-P (ID-P) – develop the organizational understanding to manage privacy risk for
individuals arising from data processing
30. Identity Management, Authentication, and Access Control Category – access to data
and devices is limited to authorized individuals, processes, and devices and is managed
consistent with the assessed risk of unauthorized access
31. Implementation Tiers – support communication about whether an organization has
sufficient processes and resources in place to manage privacy risk and achieve its
Target Profile
32. Implementation Tiers – tiers including Partial, Risk Informed, Repeatable, and Adaptive.
The four elements of the tiers include a privacy risk management process, integrated
privacy risk management program, data processing ecosystem relationships, and
workforce
33. Industry Specific Profiles – organizations in a certain industry sector or with similar
roles in the data processing ecosystem may coordinate to develop common profiles
34. Integrity (CIA Triad) – representing that data cannot be improperly modified
35. Inventory and Mapping Category – data processing by systems, products, or services
is understood and informs the management of privacy risk
36. ISO 27701 – international standard on how to manage information security
37. ISO 29100 – provides a high-level framework for the protection of personally identifiable
information (PII) within information and communication technology (ICT) systems.
38. Load Balancing – the process of distributing network traffic across multiple servers to
ensure no single server bears too much demand
39. Maintenance Category – system maintenance and repairs are performed consistent
with policies, processes, and procedures
40. Monitoring and Review – the policies, processes, and procedures for ongoing review
of the organization's privacy posture are understood and inform the management of
privacy risk
41. NIST PRAM Worksheet #1 – worksheet that frames organizational objectives and
privacy governance
42. NIST Privacy Framework (1) – voluntary tool developed in collaboration with
stakeholders, intended to help organizations identify and manage privacy risk to build
innovative products and services while protecting individuals' privacy
43. Principle of Least Functionality – configure systems to provide only essential
capabilities, restrict certain "functions, protocols, ports and services", and limit
component functionality to a single function
44. Principle of Least Privilege – allowing only those authorized accesses for users which are
necessary to accomplish assigned tasks in accordance with organizational missions and
business functions
45. Prioritizing Risks – given the applicable limits of an organization's resources,
organizations prioritize the risks to facilitate communication about how to respond.
46. Privacy Framework Core – provides an increasingly granular set of activities and
outcomes that enable an organizational dialogue about managing privacy risk (5
Functions, 18 Categories, and 100 Subcategories)
47. Privacy Framework Profiles – a selection of specific Functions, Categories, and
Subcategories from the Core that an organization has prioritized to help it manage
privacy risk
48. Privacy Policy (Components) – includes the components on what data is collected and
how, how the data is used, how the data is stored and protected, company contact
information, use of cookies, and an opt-out policy clause
49. Privacy Risk Management – a cross-organizational set of processes that helps
organizations to understand how their systems, products, and services may create
problems for individuals and how to develop effective solutions to manage such risk
50. Privacy Risks – risk associated with privacy events arising from data processing
51. Protect – develop and implement appropriate data processing safeguards
52. Protective Technology Category – technical security solutions are managed to ensure
the security and resilience of systems/products/services and associated data, consistent
with related policies, processes, procedures, and agreements.
53. Ready (Ready, Set, Go Method) – use the Identify-P and Govern-P Functions to get
"Ready"
54. Ready, Set, Go Method – a simplified method for establishing or improving a Privacy
Program
55. Responding to Risks – response approaches include mitigation, transfer/sharing,
avoidance, or acceptance.
56. Risk Assessment Category – the organization understands the privacy risks to
individuals and how such privacy risks may create follow-on impacts on organizational
operations, including mission, functions, other risk management priorities (e.g.,
compliance, financial), reputation, workforce, and culture
57. Risk Management Strategy Category – the organization's priorities, constraints, risk
tolerances, and assumptions are established and used to support operational risk
decisions
58. Risk Model – the model including problematic data action, likelihood, and impact
59. Risk Tolerance – measures the level of risk or the degree of uncertainty that is
acceptable
60. Secure Controls Framework Privacy Mgmt. Principles – draws on a selection of sixteen (16) of
the most common frameworks to create a "best in class" approach to managing
privacy expectations.
61. Separation of Duties – addresses the potential for abuse of authorized privileges and
helps to reduce the risk of malevolent activity without collusion by dividing mission
functions and information system support functions among different roles
62. Set (Ready, Set, Go Method) – "Set" an action plan based on the difference between
the "Current" and "Target" Profiles
63. Target Profile – lists the outcomes needed to achieve the desired privacy risk
management goals (the 'to be' state)
References
1. https://www.nist.gov/privacy-framework
2. https://www.envirotech-online.com/news/gas-detection/8/net/is-your-sensor-fail-safe/46125