NIST Privacy Framework

Internet users are beginning to worry about what is being done with their personal data
and companies are starting to worry about how privacy problems could affect their brands,
their reputations, and their future prosperity. At the same time, governments are starting
to notice and growing increasingly concerned. This has created a privacy crisis.

Use NIST's Privacy Framework to address this crisis. Use it to solve your
organization's privacy problems and improve its privacy performance.

Also see NIST Cybersecurity Framework (in Plain English).

ID. Identify data privacy universe

ID.IM Identify scope of privacy program

• Understand your organization’s data processing environment.

• Understand your organization’s process owners and operators.

• Understand your organization’s personal data sources and uses.

• Understand your organization’s data processing activities.

ID.IM-1 Identify data processing activities

• Establish an inventory of your data processing activities.

ID.IM-2 Identify process owners and operators

• Establish an inventory of data processing owners and operators.

ID.IM-3 Identify providers of personal data

• Establish an inventory of people who provide personal data to your organization.

ID.IM-4 Identify data processing actions

• Establish an inventory of data processing actions that your organization performs.

ID.IM-5 Identify the purpose of each action

• Establish the purpose of each data processing action performed.

• Establish the purpose of each data action performed by each data processing system.

• Establish the purpose of each data action performed by each data processing product.

• Establish the purpose of each data action performed by each data processing service.

ID.IM-6 Identify the elements of each action

• Establish an inventory of data elements within each data action.

• Establish an inventory of data elements within data actions performed by each system.

• Establish an inventory of data elements within data actions performed by each product.

• Establish an inventory of data elements within data actions performed by each service.

ID.IM-7 Identify data processing environment

• Establish where data processing is being carried out.

ID.IM-8 Identify data processing flows and roles

• Establish data maps for data processing systems.

• Establish data maps for data processing products.

• Establish data maps for data processing services.

ID.BE Identify your business environment

• Clarify your organization's business environment.

• Use this knowledge to clarify business requirements.

ID.BE-1 Identify data processing ecosystem

• Identify your organization's role in the data processing ecosystem.

• Communicate your organization's role in the data processing ecosystem.

ID.BE-2 Identify your organization’s priorities

• Establish business priorities for your organization.

• Communicate your organization's business priorities.

ID.BE-3 Identify organization’s requirements

• Identify data processing functions that support your organization's priorities.

ID.RA Identify privacy risks and responses

• Carry out data privacy risk assessments for your organization.

• Identify and understand the privacy risks individuals could encounter.

• Identify and understand the impacts potential privacy problems could have.

• Consider high priority privacy risks and develop a suitable set of responses.

ID.RA-1 Identify your data privacy context

• Consider each data processing system and identify all related contextual factors.

• Consider each data processing product and identify all related contextual factors.

• Consider each data processing service and identify all related contextual factors.

ID.RA-2 Identify privacy risks by finding bias

• Identify data inputs and outputs for each data processing function.

• Identify bias by evaluating data processing inputs and outputs.

ID.RA-3 Identify problematic data actions

• Identify potential problematic data actions that data processing systems carry out.

• Identify potential problematic data actions that data processing products carry out.

• Identify potential problematic data actions that data processing services carry out.

ID.RA-4 Identify and prioritize privacy risks

• Consider problematic data actions and assess likelihoods and potential impacts.

• Assess the likelihood that potential problematic data actions will actually occur.

• Assess the impact that problematic data actions could have if they actually occur.

• Use knowledge about problematic data action likelihoods and impacts to determine risk.

ID.RA-5 Identify and prioritize responses

• Consider your organization's high priority privacy risks.

• Identify responses to address high priority privacy risks.

• Prioritize responses to address your high priority risks.

• Implement your organization's privacy risk responses.

ID.DE Identify risk management processes

• Plan how you intend to manage privacy risks within your data processing ecosystem.

• Develop processes to manage privacy risks within your data processing ecosystem.

ID.DE-1 Identify ways of managing privacy risks

• Establish policies to manage privacy risks within your data processing ecosystem.

• Establish processes to manage privacy risks within your data processing ecosystem.

• Establish procedures to manage privacy risks within your data processing ecosystem.

ID.DE-2 Identify data processing ecosystem parties

• Inventory the parties that make up your organization’s data processing ecosystem.

• Use your privacy risk assessment process to assess and to prioritize these parties.

ID.DE-3 Identify objectives for your ecosystem parties

• Formulate data privacy objectives for your organization’s data privacy program.

• Develop privacy contracts to ensure that your data privacy objectives will be met.

ID.DE-4 Identify how to manage ecosystem privacy risks

• Manage the data privacy risks that permeate your data processing ecosystem.

ID.DE-5 Identify how well data processing parties perform

• Evaluate the privacy performance of parties that make up data processing ecosystem.

GV. Establish governance structure

GV.PO Establish privacy governance methods

• Identify and understand the governance structures used to meet requirements.

• Identify and understand the policies your organization uses to meet requirements.

• Identify and understand the processes your organization uses to meet requirements.

• Identify and understand the procedures your organization uses to meet requirements.

• Use knowledge of governance structures to manage your privacy risks and priorities.

GV.PO-1 Establish your privacy values and policies

• Develop your organization’s privacy values and policies.

• Communicate your organization’s privacy values and policies.

GV.PO-2 Establish processes to instill privacy values

• Develop processes to instill privacy values within your organization.

• Implement processes to instill privacy values within your organization.

GV.PO-3 Establish privacy roles and responsibilities

• Develop privacy roles and responsibilities for your organization’s workforce.

• Implement privacy roles and responsibilities for your organization’s workforce.

GV.PO-4 Establish privacy management ecosystem

• Coordinate and align privacy roles and responsibilities with third-party stakeholders.

GV.PO-5 Establish external privacy requirements

• Identify your organization’s external privacy requirements.

• Use this knowledge to manage external privacy requirements.

GV.PO-6 Establish privacy management practices

• Establish management methods to address your organization’s privacy risks.

GV.RM Establish privacy management strategy

• Consider your organization’s priorities, constraints, and assumptions.

• Use this information to establish your privacy risk management strategy.

• Use your strategy to guide all operational risk management decisions.

GV.RM-1 Establish your risk management processes

• Establish your organization’s risk management processes.

• Share these processes with your organization’s stakeholders.

• Gain the support and participation of these stakeholders.

GV.RM-2 Establish your organization's risk tolerance

• Consider how much data privacy risk your organization can tolerate.

• Consider your privacy values as you consider how much risk you can tolerate.

GV.RM-3 Establish your tolerance for ecosystem risks

• Consider your data processing ecosystem and the role you play in this ecosystem.

• Use this information to determine how much privacy risk your organization can tolerate.

GV.AT Establish privacy skills and competence

• Consider your organization’s approach to privacy risk management.

• Establish privacy risk training and awareness programs for your organization.

• Establish training and awareness programs that discuss your privacy values.

• Establish training and awareness programs that discuss your privacy policies.

• Establish training and awareness programs that discuss your privacy processes.

• Establish training and awareness programs that discuss your privacy procedures.

GV.AT-1 Establish awareness programs for your workforce

• Establish privacy training and awareness programs for data processing workers.

GV.AT-2 Establish awareness programs for your executives

• Establish privacy training and awareness programs for senior executives.

GV.AT-3 Establish awareness programs for privacy people

• Establish privacy training and awareness programs for your privacy personnel.

GV.AT-4 Establish awareness programs for third parties

• Establish privacy training and awareness programs for third parties.

GV.MT Establish privacy monitoring program

• Establish privacy monitoring policies, processes, and procedures.

• Establish privacy review policies, processes, and procedures.

• Establish privacy evaluation policies, processes, and procedures.

• Establish privacy assessment policies, processes, and procedures.

• Establish privacy communication policies, processes, and procedures.

• Establish privacy improvement policies, processes, and procedures.

GV.MT-1 Establish data privacy evaluation program

• Establish a data privacy evaluation program for your organization.

• Use this program to re-evaluate your data privacy risk on an ongoing regular basis.

• Use this program re-evaluate your data privacy risk whenever key changes occur.

GV.MT-2 Establish data privacy review program

• Establish a data privacy review program for your organization.

• Review your data privacy values whenever major changes occur.

• Review your data privacy policies whenever major changes occur.

• Review your data privacy training services whenever major changes occur.

GV.MT-3 Establish data privacy assessment program

• Establish a data privacy compliance assessment program for your organization.

• Establish policies to control how compliance assessments are carried out.

• Establish processes to control how compliance assessments are carried out.

• Establish procedures to control how compliance assessments are carried out.

GV.MT-4 Establish data privacy communications program

• Establish a data privacy communications program for your organization.

• Establish policies to control how data privacy communications are carried out.

• Establish processes to control how data privacy communications are carried out.

• Establish procedures to control how data privacy communications are carried out.

GV.MT-5 Establish data privacy response control program

• Establish a data privacy response control program for your organization.

• Establish policies to control how problematic data actions are managed.

• Establish processes to control how problematic data actions are managed.

• Establish procedures to control how problematic data actions are managed.

GV.MT-6 Establish data privacy change management program

• Establish a data privacy change management program for your organization.

• Establish policies to control how to apply lessons learned from risky data actions.

• Establish processes to control how to apply lessons learned from risky data actions.

• Establish procedures to control how to apply lessons learned from risky data actions.

GV.MT-7 Establish data privacy complaint resolution program

• Establish a data privacy complaint resolution program for your organization.

• Establish policies to control how privacy complaints and questions are managed.

• Establish processes to control how privacy complaints and questions are managed.

• Establish procedures to control how privacy complaints and questions are managed.

CT. Control how risks are managed

CT.PO Control how data privacy is protected

• Develop a data processing program to control how privacy is protected.

• Use it to show that management is committed to protecting privacy.

CT.PO-1 Control how data processing is authorized

• Protect privacy by controlling how corporate data processing is authorized.

• Establish privacy policies to control corporate data processing authorizations.

• Establish privacy processes to control corporate data processing authorizations.

• Establish privacy procedures to control corporate data processing authorizations.

CT.PO-2 Control how data processing is managed

• Protect privacy by controlling how data processing is managed.

• Establish privacy policies to control how data processing is managed.

• Establish privacy processes to control how data processing is managed.

• Establish privacy procedures to control how data processing is managed.

CT.PO-3 Control how data processing is enabled

• Protect privacy by controlling how personal data processing preferences are enabled.

• Establish privacy policies to control how preferences and requests are enabled.

• Establish privacy processes to control how preferences and requests are enabled.

• Establish privacy procedures to control how preferences and requests are enabled.

CT.PO-4 Control how data processing is changed

• Protect privacy by controlling your organization’s data processing life cycles.

• Protect privacy by controlling how data is managed during its life cycle.

• Protect privacy by controlling how systems are managed during their life cycle.

CT.DM Control how data privacy is handled

• Control how your data processing activities are carried out.

• Protect personal privacy by controlling how data is processed.

• Protect personal privacy by complying with your privacy values.

• Protect personal privacy by complying with your risk policies.

• Protect personal privacy by complying with your risk strategy.

• Protect personal privacy by implementing your privacy principles.

CT.DM-1 Control your organization's data reviews

• Protect personal privacy by controlling how data elements are reviewed.

• Protect privacy by controlling how data elements are accessed for review.

CT.DM-2 Control your organization's data disclosures

• Protect personal privacy by controlling how data elements are disclosed and transmitted.

• Protect privacy by controlling how data is accessed for disclosure and transmission.

CT.DM-3 Control your organization's data alterations

• Protect personal privacy by controlling how data elements are altered.

• Protect privacy by controlling how data elements are accessed for alteration.

CT.DM-4 Control your organization's data deletions

• Protect personal privacy by controlling how data elements are deleted.

• Protect privacy by controlling how data elements are accessed for deletion.

CT.DM-5 Control your organization's data destruction

• Protect personal privacy by controlling how data elements are destroyed.

• Protect privacy by controlling how data elements are accessed for destruction.

CT.DM-6 Control your organization's data transmission

Protect personal privacy by controlling how data are transmitted.

• Protect privacy by ensuring that data transmissions use standardized formats.

CT.DM-7 Control your organization's data permissions

• Protect privacy by controlling the transmission of processing permissions.

CT.DM-8 Control your organization's data audit logs

• Protect personal privacy by controlling how audit logs are implemented.

• Protect personal privacy by controlling how audit log records are reviewed.

CT.DM-9 Control your organization's data assessments

• Protect privacy by controlling how technology is used to manage data processing.

• Protect privacy by controlling how data processing activities are assessed.

CT.DM-10 Control your organization's data preferences

• Protect privacy by controlling how stakeholder privacy preferences are managed.

• Protect privacy by controlling how preferences are included in design objectives.

• Protect privacy by controlling how design outputs are evaluated against preferences.

CT.DP Control how data privacy is achieved

• Control how data processing solutions comply with your risk strategy.

• Control how data processing solutions comply with your risk policies.

• Control how data processing solutions comply with your privacy values.

• Control how data processing solutions comply with your privacy principles.

CT.DP-1 Control how easy it is to observe personal data

• Protect privacy by limiting observability and linkability of data.

• Protect personal privacy by using privacy preserving cryptography.

• Protect personal privacy by using local devices to carry out data actions.

CT.DP-2 Control how easy it is to identify specific people

• Protect privacy by limiting how easy it is to identify individual people.

• Protect personal privacy by using de-identification techniques to conceal identity.

• Protect personal privacy by using tokenization privacy techniques to conceal identity.

CT.DP-3 Control how easy it is to infer personal details

• Protect privacy by limiting how easy it is to infer details about traits and activities.

• Limit how easy it is to make personal inferences by decentralizing data processing.

• Limit how easy it is to make personal inferences by using distributed architectures.

CT.DP-4 Control how easy it is to hoard personal data

• Protect privacy by controlling how easy it is to collect personal data elements.

• Protect privacy by controlling how easy it is to disclose personal data elements.

CT.DP-5 Control how easy it is to see personal identifiers

• Protect privacy by ensuring that personal identifiers comply with risk strategy.

• Protect privacy by ensuring that personal identifiers comply with risk policies.

• Protect privacy by ensuring that personal identifiers comply with privacy values.

• Protect privacy by ensuring that personal identifiers comply with privacy principles.

CM. Develop communication program

CM.PO. Develop communication capability

• Develop a privacy communications program for your organization.

• Use your program to show that management is committed to transparency.

• Implement your organization’s privacy communications program.

• Use your program to share information about your data processing activities.

• Use your program to share information about your organization’s privacy risks.

• Use your program to share information about your data processing ecosystem.

CM.PO-1 Develop your privacy communication controls

• Develop transparency policies to control your organization’s privacy communications.

• Develop transparency processes to control your organization’s privacy communications.

• Develop transparency procedures to control your organization’s privacy communications.

CM.PO-2 Develop your privacy communication functions

• Develop communication roles to control your privacy communications.ed.

• Allocate communication responsibilities to guide privacy communications.

CM.AW Develop communication techniques

• Determine how you’re going to share information about data privacy.

• Determine how you’re going to obtain feedback about data privacy.

• Determine how you’re going to ensure data processing visibility.

• Determine how you’re going to monitor data sharing activities.

• Determine how you’re going to communicate with data ecosystem.

• Determine how you’re going to determine data provenance and lineage.

• Determine how you’re going to notify people about data privacy breaches.

• Determine how you’re going to manage the impact privacy problems could have.

CM.AW-1 Develop ways of sharing information about privacy

• Establish mechanisms for sharing information about data processing.

• Share information about your organization’s data processing activities.

• Share information about your organization’s data processing purposes.

• Share information about your organization’s data processing practices.

• Share information about your organization’s data processing privacy.

CM.AW-2 Develop ways of obtaining feedback about privacy

• Establish mechanisms for obtaining feedback from individuals.

• Consider using surveys to obtain information from individuals.

• Consider using focus groups to obtain information from individuals.

CM.AW-3 Develop ways of ensuring data processing visibility

• Enable ways of ensuring the visibility of your data processing activities.

• Establish ways of ensuring that data processing activities can be easily monitored.

CM.AW-4 Develop ways of monitoring data sharing activities

• Establish a record of all data sharing and disclosure activities.

• Establish ways of monitoring data sharing and disclosure activities.

CM.AW-5 Develop ways of communicating with data ecosystem

• Establish ways of communicating with your data processing ecosystem.

• Establish ways of communicating about data corrections and deletions.

CM.AW-6 Develop ways of determining provenance and lineage

• Establish detailed data processing histories for each single data element.

• Establish ways of monitoring data processing histories for each data element.

• Establish ways of determining the specific lineage of each data element.

• Establish ways of determining the provenance of each data element.

CM.AW-7 Develop ways of notifying people about privacy breaches

• Establish ways of notifying individuals about data privacy issues.

• Establish ways of notifying organizations about data privacy issues.

CM.AW-8 Develop ways of managing the impact of privacy problems

• Establish mitigation mechanisms that individuals can use to address adverse impacts.

PR. Implement processing protections

PR.PO. Implement data protection policies

• Develop a security program to manage and control how data is protected.

• Use your program to show that management is committed to data security.

• Develop a privacy program to manage and control how privacy is protected.

• Use your program to show that management is committed to data privacy.

PR.PO-1 Implement baseline configurations for information technologies

• Establish a baseline configuration for your information technologies.

• Incorporate data security principles into your information technologies.

• Incorporate data privacy principles into your information technologies.

PR.PO-2 Implement configuration management for information technologies

• Establish configuration change control processes for information technologies.

• Test and validate information technology changes before you approve them.

PR.PO-3 Implement appropriate information backup processes and procedures

• Establish information backup processes and procedures for your organization.

• Make regular backup copies in accordance with your processes and procedures.

PR.PO-4 Implement policies and regulations to protect your information assets

• Identify policies that affect how physical environments are used to protect IT assets.

• Identify regulations that affect how physical environments are used to protect IT assets.

PR.PO-5 Implement methods to identify protection improvement opportunities

• Identify processes used to protect your organization’s information technologies.

• Improve processes used to protect your organization’s information technologies.

PR.PO-6 Implement ways of sharing information about protection technologies

• Share information about the effectiveness of privacy and security protection technologies.

• Specify what types of privacy and security information may be shared with others.

• Specify how privacy and security information should be approved for publication.

• Specify who may receive information about your privacy and security information.

PR.PO-7 Implement incident response, continuity, recovery, and restoration plans

• Implement incident response and business continuity plans and procedures.

• Implement incident recovery and business restoration plans and procedures.

PR.PO-8 Implement incident response, continuity, recovery, and restoration tests

• Test your incident response and business continuity plans and procedures.

• Test your incident recovery and business restoration plans and procedures.

PR.PO-9 Implement privacy procedures and ask human resources to include them

• Build privacy procedures into your organization's personnel recruitment practices.

• Build privacy procedures into your organization's personnel management practices.

• Build privacy procedures into your organization's personnel termination practices.

PR.PO-10 Implement a management plan to address your privacy vulnerabilities

• Develop a privacy vulnerability management plan for your organization.

• Implement your organization's privacy vulnerability management plan.

PR.AC Implement access control measures

• Limit access to your organization’s data and devices.

• Allow only authorized devices to have access to data and devices.

• Allow only authorized processes to have access to data and devices.

• Allow only authorized individuals to have access to data and devices.

PR.AC-1 Implement measures to control identities of authorized entities

• Control identities and credentials for authorized individuals.

• Control identities and credentials for authorized devices.

• Control identities and credentials for authorized processes.

PR.AC-2 Implement measures to control access to your data and devices

• Control access to your organization’s data and devices.

• Allow only authorized individuals to access these data and devices.

• Use entry controls to allow only authorized people to have access.

PR.AC-3 Implement measures to control remote access to data and devices

• Establish remote access control policies and procedures for your organization.

• Establish remote access restriction, connection, and configuration requirements.

• Establish appropriate usage restrictions and requirements for mobile devices.

PR.AC-4 Implement measures to control access permissions and authorizations

• Control how access permissions and authorizations are managed.

• Incorporate “separation of duties” and “least privilege” principles.

PR.AC-5 Implement measures to control and protect the integrity of networks

• Protect and control the integrity of your organization's networks.

• Consider using network segregation to control network access and integrity.

• Consider using network segmentation to control network access and integrity.

PR.AC-6 Implement measures to control identity authentication methods

• Control how specific identities are proofed, bound, and asserted.

• Control authentication commensurate with the risk of the transaction.

PR.DS Implement data security mechanisms

• Protect the confidentiality, integrity, and availability of your organization’s data.

PR.DS-1 Implement methods and techniques to control data-at-rest

• Protect the confidentiality, integrity, and availability of data-at-rest.

• Protect data-at-rest using methods that are consistent with privacy risk strategy.

PR.DS-2 Implement methods and techniques to control data-in-transit

• Protect the confidentiality, integrity, and availability of your data-in-transit.

• Use transfer policies and procedures to protect and preserve data-in-transit.

• Use trusted communication paths to protect and preserve data-in-transit.

• Use cryptographic technologies to protect and preserve data-in-transit.

PR.DS-3 Implement methods and techniques to control data movements

• Protect data during transfer, removal, and disposition.

• Use methods that are consistent with your privacy risk.

PR.DS-4 Implement methods and techniques to control data availability

• Protect the availability of your data by maintaining adequate capacity.

• Establish redundant features if data availability cannot be guaranteed.

PR.DS-5 Implement methods and techniques to control data disclosure

• Protect the availability of data by preventing unauthorized disclosures and leaks.

• Use leak and disclosure prevention methods that are consistent with risk.

PR.DS-6 Implement methods and techniques to control data integrity

• Protect the integrity of your software, firmware, and information.

• Use integrity protection methods that are consistent with your risk.

PR.DS-7 Implement methods and techniques to control data habitat

• Protect your development, testing, and production environments.

• Use environment protection methods that are consistent with your risk.

PR.DS-8 Implement methods and techniques to control data devices

• Protect the integrity of your organization’s data processing devices.

• Use integrity protection measures that are consistent with your risk.

PR.MA Implement maintenance procedures

• Protect the maintenance and repair of data processing systems and related assets.

• Maintain and repair your organization’s data processing systems and related assets.

PR.MA-1 Implement methods to control maintenance and repair

• Control the maintenance and repair of data processing systems and related assets.

• Control your organization’s system repair and maintenance tools and technologies.

PR.MA-2 Implement methods to control remote maintenance work

• Control remote maintenance and repair of data processing systems and assets.

• Establish your remote maintenance and repair policies, plans, and procedures.

PR.PT Implement protective technologies

• Use protective technologies that implement your organization’s risk strategy.

• Use technologies to protect the security and resilience of data processing assets.

PR.PT-1 Implement measures to control removable media

• Prevent the unauthorized and uncontrolled use of removable media.

• Establish a policy to restrict and control the use of removable media.

PR.PT-2 Implement measures to strengthen configurations

• Configure your systems so that only essential capabilities are provided.

• Apply the “principle of least functionality” when systems are established.

PR.PT-3 Implement measures to safeguard network systems

• Protect your organization’s communications and control networks.

• Establish a policy to protect communications and control networks.

• Establish procedures to implement your network protection policy.

• Establish controls to implement your network protection policy.

PR.PT-4 Implement measures to ensure operational resilience

• Implement mechanisms to meet operational resilience requirements in normal situations.

• Implement mechanisms to meet operational resilience requirements in adverse situations.


This page summarizes NIST's Privacy Framework. It highlights the main points.
It does not present detail.
If you like our approach, please consider purchasing
our Title 62: NIST Privacy Framework Translated into Plain English.
PDF Sample

Title 62 is detailed, accurate, and complete. It uses language that is clear,
precise, and easy to understand. We guarantee it. Title 62 is 111 pages
 long and is provided in both pdf and Microsoft docx file formats.

Title 62 Contents

Place an Order

Check Prices

Product License


MORE PRIVACY PAGES

Introduction to Privacy Framework

Overview of NIST Privacy Framework

Structure of NIST Privacy Framework

How to Establish a Privacy Program

NIST Privacy Implementation Tiers

NIST Privacy Conformance Audit

NIST Privacy Performance Audit

Detailed Privacy Audit Tool

Updated on March 19, 2021. First published on March 19, 2021.

Home Page

Our Library

A to Z Index

Customers

How to Order

Our Products

Our Prices

Guarantee

Praxiom Research Group Limited              help@praxiom.com             780-461-4514


Legal Restrictions on the Use of this Page
Thank you for visiting this web page. You are, of course, welcome to view our material as often
as you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2021 by Praxiom Research Group Ltd. All Rights Reserved.

Praxiom Research Group Limited