CONTEXT OF NIST PRIVACY FRAMEWORK
The internet is a complex ecosystem that
uses both personal and business data
to deliver a wide variety of benefits. While we all enjoy
these benefits, many of them
come at a hidden cost: personal privacy is slowly slipping
away. Over time, people
have slowly and mostly unwittingly allowed large
organizations to gather and to
exploit this data and organizations have been happy to
accumulate as much of
it as possible, often without fully understanding the
consequence of doing so.
This has resulted in a privacy
crisis. People are beginning to worry about what is
being done with their personal data and companies are
starting to worry about how
privacy problems could affect their brands, their profits,
and their future prosperity.
They’re also starting to think about how they’re going to
continue delivering their
products and services while at the same time respecting the
personal privacy of
millions of people. At the same time, regulators and
are starting to pay attention and growing increasingly
PURPOSE OF NIST PRIVACY FRAMEWORK
The purpose of NIST’s Framework is to
show organizations how to manage their
privacy risks. If your organization processes personal data,
this Framework is for
you. Use it to establish a comprehensive data privacy
program and then use this
program to solve your data privacy problems and to manage
your data privacy
risks. Use it to:
• Reduce your legal
and financial exposure.
• Establish privacy risk management
• Meet the expectations of interested
• Facilitate conversations about privacy
• Earn the trust and confidence of your
• Protect your reputation and enhance your
• Encourage personnel to identify and
treat privacy risks.
• Improve your ability to identify privacy
issues and concerns.
• Make personnel aware of privacy concerns
• Comply with current and emerging privacy
rules and regulations.
• Increase your ability to identify data
processing privacy problems.
• Help personnel to develop privacy
procedures and set privacy goals.
• Provide a common
language that personnel can use to manage privacy.
• Promote the design of products,
services, and systems that respect privacy.
• Support the development of ethical
privacy policies, processes, and procedures.
OVERVIEW OF PRIVACY FRAMEWORK CORE
The “Core” of NIST's Framework consists
of the following five functions which
operate concurrently and continuously: Identify, Govern,
and Protect. Each function is further broken down
into activities, which, in turn,
are broken down into tasks. When these activities
and tasks are actually being
performed they are referred to as outcomes.
However, if you study the original
Privacy Framework, you’ll notice that NIST
instead uses the terms functions, categories,
and subcategories. We, instead,
prefer to use the terms functions, activities,
and tasks because these concepts
are more intuitive and easier to understand and because
that’s what the NIST
Framework actually talks about.
The Core of NIST's Framework is used to
develop an organization’s Current and
Target Profiles. Profiles are created by studying NIST’s
Framework Core and then
selecting activities and tasks. Current Profiles are
developed by selecting activities
and tasks that describe the organization’s current privacy
status: its “as is” state.
Target Profiles are developed by selecting activities
and tasks that describe the
organization’s preferred status: its “to be” state. By
and Target Profiles, an organization can identify privacy
OF PRIVACY IMPLEMENTATION TIERS
NIST has also defined four Framework
Implementation Tiers. These Tiers classify organizations
according to how well privacy risk management practices have
been implemented. They range from Tier 1 to Tier 4.
Tier 1 organizations use relatively
primitive methods to manage risk while Tier 4
organizations use more advanced methods to manage risk. Tier
have ineffective methods, Tier 2 have informal methods, Tier
3 have structured
methods, and Tier 4 have adaptive methods.
This Tier information is used to define
an organization’s Current Tier and its Target
Tier. Current Tiers are defined by selecting privacy risk
management practices that
describe the organization’s current status: its “as is”
state. Target Tiers are defined
by selecting privacy risk management practices that describe
preferred status: its “to be” state. These Tier definitions
are then used to
identify privacy risk management implementation gaps.
For more information, see our Detailed