Last time I discussed why you should consider using the NIST Privacy framework as both a foundation and methodology for managing data protection and privacy risk management.
In this article, I’d like to explain how it works in practice.
Here we bring together facts and information from disparate and sometimes rather technical documents. When I began my research into the NIST Privacy framework, I saw it described as both “easily digestible” and containing “business-friendly language”. I was therefore somewhat worried that the last few months of mostly indoor living had turned my brain to mush.
This is not how I would describe this framework document.
I even copied and pasted just the Executive Summary into a rather fun website called Readable to check its ‘Flesch Reading Ease’. Higher scores indicate better readability, and one should aim in one’s writing for a score above 60, which is classed as ‘Good’.
The score for the Executive Summary of the NIST Privacy Framework:
And you know what? I feel better now.
So, after much more research, here’s (what I hope is) a readable explanation:
In a similar way to their Cybersecurity Framework, the NIST Privacy Framework is made up of three foundational components:
Core is very much an information gathering stage.
It asks that you consider data processing and privacy from the minutiae of technical data flow all the way up to the business strategy and values. It includes:
Core consists of 5 ‘functions’ which are broad topics. Each contains categories and subcategories which are increasingly granular points consideration. They are not technical in themselves and are not supposed to be ‘tasks’ as such. The consideration of them may have a technical solution, or the creation of documentation or processes. You may create your own sub-subcategories and tasks, or you may decide that they are not relevant to your situation.
The functions (which end in ‘-P’ to signify Privacy, obviously) are:
Within those 5 functions there are 13 categories and 99 subcategories. Let’s look at a couple of the less wordy examples as it will make things much clearer:
Protect-P(PR-P): Develop and implement appropriate data processing safeguards.
Inventory and Mapping (ID.IM-P): Data processing by systems, products, or services is understood and informs the management of privacy risk.
You can see that it does get granular to a point, then hands it to you to interpret for your own situation.
On completing the Core section, you move onto Profiles.
With the information you have from the Core exercise, you can see your organizations current privacy stance, or profile. You can use the same Core framework to define a future, desired profile based on a set of defined outcomes.
You can prioritize the work required by using a privacy risk management approach which is also discussed briefly in Appendix D of the framework document.
You can also create profiles that you would expect 3rd party providers to adhere to. Why not insist that they take privacy as seriously as you?
Finally we have the Implementation Tiers
These define the degree to which your organization prioritizes both now and in the future the outcomes defined in the Profiles.
They go from Partial (Tier 1) to Adaptive (Tier 4).
Partial means there is limited understanding of risk and risk management, which is managed in an ad hoc manner.
Adaptive means there is cross organizational approach and understanding of risk, with continuous improvement built in.
The other two are steps in between.
The idea is that if you’re on Tier 1, you’ll probably want to move to Tier 2 – Risk informed. However your risk management, budget and willingness to progress will dictate how or if you move through the other tiers. It might even be that for different parts of your desired Profile you are at different tiers and that’s fine as a way of prioritizing your progression.
With all three elements in place you know where you are, where you want to be and how you are going to prioritize getting there. The very nature of this framework demands top-down organizational buy-in from the start, because the approach must align with and even redefine the business strategy and values.
That’s sometimes the hard sell to those at C-Level. Being able to hang future compliance off it makes it very inviting; so does being able to boast about it to clients and customers who trust you with their data.
Get moving quickly with NIST Privacy by calling the experts at TBG security. They can help with all aspects of implementing the framework, and with their CISO on demand service, getting the voice at strategy level need not be the problem.