NIST Cybersecurity Framework

Use NIST's Privacy Framework to manage your organizationís privacy risks.
For more detail, please see Privacy Framework Translated into Plain English.

ID. Identify data privacy universe

ID.IM Identify scope of privacy program

ID.IM-1 Identify data processing activities

ID.IM-2 Identify process owners and operators

ID.IM-3 Identify providers of personal data

ID.IM-4 Identify data processing actions

ID.IM-5 Identify the purpose of each action

ID.IM-6 Identify the elements of each action

ID.IM-7 Identify data processing environment

ID.IM-8 Identify data processing flows and roles

ID.BE Identify your business environment

ID.BE-1 Identify data processing ecosystem

ID.BE-2 Identify your organizationís priorities

ID.BE-3 Identify organizationís requirements

ID.RA Identify privacy risks and responses

ID.RA-1 Identify your data privacy context

ID.RA-2 Identify privacy risks by finding bias

ID.RA-3 Identify problematic data actions

ID.RA-4 Identify and prioritize privacy risks

ID.RA-5 Identify and prioritize responses

ID.DE Identify risk management processes

ID.DE-1 Identify ways of managing privacy risks

ID.DE-2 Identify data processing ecosystem parties

ID.DE-3 Identify objectives for your ecosystem parties

ID.DE-4 Identify how to manage ecosystem privacy risks

ID.DE-5 Identify how well data processing parties perform

GV. Establish governance structure

GV.PO Establish privacy governance methods

GV.PO-1 Establish your privacy values and policies

GV.PO-2 Establish processes to instill privacy values

GV.PO-3 Establish privacy roles and responsibilities

GV.PO-4 Establish privacy management ecosystem

GV.PO-5 Establish external privacy requirements

GV.PO-6 Establish privacy management practices

GV.RM Establish privacy management strategy

GV.RM-1 Establish your risk management processes

GV.RM-2 Establish your organizationís risk tolerance

GV.RM-3 Establish your tolerance for ecosystem risks

GV.AT Establish privacy skills and competence

GV.AT-1 Establish awareness programs for your workforce

GV.AT-2 Establish awareness programs for your executives

GV.AT-3 Establish awareness programs for privacy people

GV.AT-4 Establish awareness programs for third parties

GV.MT Establish privacy monitoring program

GV.MT-1 Establish data privacy evaluation program

GV.MT-2 Establish data privacy review program

GV.MT-3 Establish data privacy assessment program

GV.MT-4 Establish data privacy communications program

GV.MT-5 Establish data privacy response control program

GV.MT-6 Establish data privacy change management program

GV.MT-7 Establish data privacy complaint resolution program

CT. Control how risks are managed

CT.PO Control how data privacy is protected

CT.PO-1 Control how data processing is authorized

CT.PO-2 Control how data processing is managed

CT.PO-3 Control how data processing is enabled

CT.PO-4 Control how data processing is changed

CT.DM Control how data privacy is handled

CT.DM-1 Control your organizationís data reviews

CT.DM-2 Control your organizationís data disclosures

CT.DM-3 Control your organizationís data alterations

CT.DM-4 Control your organizationís data deletions

CT.DM-5 Control your organizationís data destruction

CT.DM-6 Control your organizationís data transmission

CT.DM-7 Control your organizationís data permissions

CT.DM-8 Control your organizationís data audit logs

CT.DM-9 Control your organizationís data assessments

CT.DM-10 Control your organizationís data preferences

CT.DP Control how data privacy is achieved

CT.DP-1 Control how easy it is to observe personal data

CT.DP-2 Control how easy it is to identify specific people

CT.DP-3 Control how easy it is to infer personal details

CT.DP-4 Control how easy it is to hoard personal data

CT.DP-5 Control how easy it is to see personal identifiers

CM. Develop communication program

CM.PO Develop communications capability

CM.PO-1 Develop your privacy communication controls

CM.PO-2 Develop your privacy communication functions

CM.AW Develop communication techniques

CM.AW-1 Develop ways of sharing information about privacy

CM.AW-2 Develop ways of obtaining feedback about privacy

CM.AW-3 Develop ways of ensuring data processing visibility

CM.AW-4 Develop ways of monitoring data sharing activities

CM.AW-5 Develop ways of communicating with data ecosystem

CM.AW-6 Develop ways of determining provenance and lineage

CM.AW-7 Develop ways of notifying people about privacy breaches

CM.AW-8 Develop ways of managing the impact of privacy problems

PR. Implement processing protections

PR.PO Implement data protection policies

PR.PO-1 Implement baseline configurations for information technologies

PR.PO-2 Implement configuration management for information technologies

PR.PO-3 Implement appropriate information backup processes and procedures

PR.PO-4 Implement policies and regulations to protect your information assets

PR.PO-5 Implement methods to identify protection improvement opportunities

PR.PO-6 Implement ways of sharing information about protection technologies

PR.PO-7 Implement incident response, continuity, recovery, and restoration plans

PR.PO-8 Implement incident response, continuity, recovery, and restoration tests

PR.PO-9 Implement privacy procedures and ask human resources to include them

PR.PO-10 Implement a management plan to address your privacy vulnerabilities

PR.AC Implement access control measures

PR.AC-1 Implement measures to control identities of authorized entities

PR.AC-2 Implement measures to control access to your data and devices

PR.AC-3 Implement measures to control remote access to data and devices

PR.AC-4 Implement measures to control access permissions and authorizations

PR.AC-5 Implement measures to control and protect the integrity of networks

PR.AC-6 Implement measures to control identity authentication methods

PR.DS Implement data security mechanisms

PR.DS-1 Implement methods and techniques to control data-at-rest

PR.DS-2 Implement methods and techniques to control data-in-transit

PR.DS-3 Implement methods and techniques to control data movements

PR.DS-4 Implement methods and techniques to control data availability

PR.DS-2 Implement methods and techniques to control data disclosure

PR.DS-5 Implement methods and techniques to control data integrity

PR.DS-6 Implement methods and techniques to control data habitat

PR.DS-7 Implement methods and techniques to control data devices

PR.MA Implement maintenance procedures

PR.MA-1 Implement methods to control maintenance and repair

PR.MA-2 Implement methods to control remote maintenance work

PR.PT Implement protective technologies

PR.PT-1 Implement measures to control removable media

PR.PT-2 Implement measures to strengthen configurations

PR.PT-3 Implement measures to safeguard network systems

PR.PT-4 Implement measures to ensure operational resilience

 If you'd like to see how we've translated each of the above sections into
Plain English, please check out our more detailed Privacy Framework.

MORE NIST PRIVACY PAGES

Introduction to Privacy Framework

Overview of NIST Privacy Framework

Privacy Framework in Plain English

How to Create a Privacy Program

Privacy Implementation Tiers

Privacy Conformance Audit

Privacy Performance Audit

Detailed Privacy Audit Tool

Updated on March 18, 2021. First published on March 18, 2021.

Home Page

Our Library

A to Z Index

Customers

How to Order

Our Products

Our Prices

Guarantee

Praxiom Research Group Limited              help@praxiom.com             780-461-4514


Legal Restrictions on the Use of this Page
Thank you for visiting this web page. You are, of course, welcome to view our material as often
as you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2021 by Praxiom Research Group Ltd. All Rights Reserved.

Praxiom Research Group Limited