NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Preliminary Draft)


PRELIMINARY DRAFT
NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT
September 6, 2019

NIST Privacy Framework Preliminary Draft, September 6, 2019

Note to Reviewers

This preliminary draft is provided to promote the development of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework). The National Institute of Standards and Technology (NIST) will use comments on this draft to develop version 1.0.

N.B. Throughout this document, references are made to a repository and a process for accepting external informative references. NIST will make this process and repository available with version 1.0.

NIST welcomes feedback on this preliminary draft. In particular, NIST requests that reviewers consider the following questions:

1. Does this preliminary draft:
   a. adequately define outcomes that:
      i. cover existing practices;
      ii. strengthen individuals’ privacy protection;
      iii. enable effective organizational use;
      iv. support enterprise mission/business objectives; and
      v. facilitate compliance with applicable laws or regulations;
   b. appropriately integrate privacy risk into organizational risk;
   c. provide guidance about privacy risk management practices at the right level of specificity;
   d. adequately define the relationship between privacy and cybersecurity risk;
   e. provide the capability for those in different organizational roles such as senior executives and boards of directors, legal, compliance, security, and information technology or operations to understand privacy risks and mitigations at the appropriate level of detail;
   f. provide sufficient guidance and resources to aid organizations of all sizes to build and maintain a privacy risk management program while maintaining flexibility; and
   g. enable cost-effective implementation?

2. Will this preliminary draft, as presented:
   a. be inclusive of, and not disruptive to, effective privacy practices in use today, including widely used voluntary consensus standards that are not yet final;
   b. enable organizations to use the Privacy Framework in conjunction with the Framework for Improving Critical Infrastructure Cybersecurity to collaboratively address privacy and cybersecurity risks; and
   c. enable organizations to adapt to privacy risks arising from emerging technologies such as the Internet of Things and artificial intelligence?

Table of Contents

Note to Reviewers
Executive Summary
Acknowledgements
1.0 Privacy Framework Introduction
   1.1 Overview of the Privacy Framework
   1.2 Privacy Risk Management
      1.2.1 Cybersecurity and Privacy Risk Management
      1.2.2 Relationship Between Privacy Risk Management and Risk Assessment
   1.3 Document Overview
2.0 Privacy Framework Basics
   2.1 Core
   2.2 Profiles
   2.3 Implementation Tiers
3.0 How to Use the Privacy Framework
   3.1 Mapping to Informative References
   3.2 Strengthening Accountability
   3.3 Establishing or Improving a Privacy Program
   3.4 Applying to the System Development Life Cycle
   3.5 Using within the Data Processing Ecosystem
   3.6 Informing Buying Decisions
Appendix A: Privacy Framework Core
Appendix B: Glossary
Appendix C: Acronyms
Appendix D: Privacy Risk Management Practices
Appendix E: Implementation Tiers Definitions
Appendix F: Roadmap
Appendix G: References

List of Figures

Figure 1: Core, Profiles, and Implementation Tiers
Figure 2: Cybersecurity and Privacy Risk Relationship
Figure 3: Relationship Between Privacy Risk and Organizational Risk
Figure 4: Privacy Framework Core Structure
Figure 5: Profile Development Process
Figure 6: Notional Collaboration and Communication Flows Within an Organization
Figure 7: Data Processing Ecosystem Relationships
Figure 8: Using Functions to Manage Privacy Risk

List of Tables

Table 1: Privacy Framework Function and Category Unique Identifiers
Table 2: Privacy Framework Core
Table 3: Privacy Engineering and Security Objectives

Executive Summary

For more than two decades, the Internet and associated information technologies have driven unprecedented innovation, economic value, and improvement in social services. Many of these benefits are fueled by data about individuals that flow through a complex ecosystem—so complex that individuals may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services. At the same time, organizations may not realize the full extent of these consequences for individuals, for society, or for their enterprises, which can affect their reputations, their bottom line, and their future prospects for growth.

The National Institute of Standards and Technology (NIST), working in collaboration with private and public stakeholders, has developed this voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework). The Privacy Framework can drive better privacy engineering and help organizations protect individuals’ privacy by:

- Building customer trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
- Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
- Facilitating communication about privacy practices with customers, assessors, and regulators.

Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well-suited to one-size-fits-all solutions. Like building a house, where homeowners get to choose room layouts but need to trust that the foundation is well-engineered, privacy protection should allow for individual choices, as long as effective privacy risk mitigations are already engineered into products and services. The Privacy Framework—through a risk- and outcome-based approach—is flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and enterprises, and stay current with technology trends, including artificial intelligence and the Internet of Things.

The Privacy Framework follows the structure of the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) [1] to facilitate the use of both frameworks together. Like the Cybersecurity Framework, the Privacy Framework is composed of three parts: the Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers and privacy protection activities.

- The Core enables a dialogue—from the executive level to the implementation/operations level—about important privacy protection activities and desired outcomes.
- Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission/business needs, and risks.
- Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk.

In summary, the Privacy Framework is intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.

Acknowledgements

Acknowledgements will be included in version 1.0.

1.0 Privacy Framework Introduction

For more than two decades, the Internet and associated information technologies have driven unprecedented innovation, economic value, and access to social services. Many of these benefits are fueled by data about individuals that flow through a complex ecosystem—so complex that individuals may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services. Organizations may not fully realize the consequences either. Failure to manage privacy risks can have direct adverse consequences for people at both the individual and societal level, with follow-on effects on organizations’ reputation, bottom line, and future prospects for growth. Finding ways to continue to derive benefits from data while simultaneously protecting individuals’ privacy is challenging, and not well-suited to one-size-fits-all solutions.

Privacy is challenging because not only is it an all-encompassing concept that helps to safeguard important values such as human autonomy and dignity, but also the means for achieving it can vary. For example, privacy can be achieved through seclusion, limiting observation, or individuals’ control of facets of their identities (e.g., body, data, reputation).[note 1] Moreover, human autonomy and dignity are not fixed, quantifiable constructs; they are filtered through cultural diversity and individual differences. This broad and shifting nature of privacy makes it difficult to communicate clearly about privacy risks within and between organizations and with individuals. What has been missing is a common language and practical tool that is flexible enough to address diverse privacy needs.

The National Institute of Standards and Technology (NIST) has developed this voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework) to help organizations manage privacy risks by:

- Taking privacy into account as they design and deploy systems, products, and services that affect individuals;
- Integrating privacy practices into their business processes that result in effective solutions to mitigate any adverse impacts; and
- Communicating about these practices.

The Privacy Framework is intended to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction.

- Different parts of an organization’s workforce, including executives, legal, and information technology (IT) may take responsibility for different outcomes and activities.
- It encourages cross-organization collaboration to develop Profiles and achieve outcomes.
- The Privacy Framework is usable by any organization or entity regardless of its role in the data processing ecosystem—the complex and interconnected relationships among entities involved in creating or deploying systems, products, or services.

Note 1: There are many publications that provide an in-depth treatment on the background of privacy or different aspects of the concept. For two examples, see Daniel Solove, Understanding Privacy, Harvard University Press, 2010; and Evan Selinger and Woodrow Hartzog, “Obscurity and Privacy,” Routledge Companion to Philosophy of Technology, 2014, at https://ssrn.com/abstract=2439866.

1.1 Overview of the Privacy Framework

As shown in Figure 1, the Privacy Framework is composed of three parts: the Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through the connection between business/mission drivers and privacy protection activities. As further explained in section 2:

[Figure 1: Core, Profiles, and Implementation Tiers. The Core provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk. Profiles (Current and Target) are a selection of specific Functions, Categories, and Subcategories from the Core that the organization has prioritized to help it manage privacy risk. Implementation Tiers help an organization communicate about whether it has sufficient processes and resources in place to manage privacy risk and achieve its Target Profile.]

- The Core is a set of privacy protection activities and outcomes that allows for communicating prioritized privacy protection activities and outcomes across the organization from the executive level to the implementation/operations level. There are five Functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. The first four can be used to manage privacy risks arising from data processing, while Protect-P can help organizations manage privacy risks associated with privacy breaches.[note 2] Protect-P is not the only way to manage privacy risks associated with privacy breaches. For example, organizations may use the Cybersecurity Framework Functions in conjunction with the Privacy Framework to collectively address privacy and cybersecurity risks. The Core is further divided into key Categories and Subcategories—which are discrete outcomes—for each Function.
- A Profile represents the organization’s current privacy activities or desired outcomes. To develop a Profile, an organization can review all of the Functions, Categories, and Subcategories to determine which are most important to focus on based on business/mission drivers, types of data processing, and individuals’ privacy needs. The organization can create or add Functions, Categories, and Subcategories as needed. Profiles can be used to identify opportunities for improving privacy posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). Profiles can be used to conduct self-assessments and to communicate within an organization or between organizations about how privacy risks are being managed.
- Implementation Tiers (“Tiers”) provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed. When selecting Tiers, an organization should consider its Target Profile and how this relates to current risk management practices; its data processing systems, products, or services; legal and regulatory requirements; business/mission objectives; organizational privacy values and individuals’ privacy needs; and organizational constraints.

Note 2: The “-P” at the end of each Function name indicates that it is from the Privacy Framework in order to avoid confusion with Cybersecurity Framework Functions.

1.2 Privacy Risk Management

While some organizations have a robust grasp of privacy risk management, a common understanding of many aspects of this topic is still not widespread.[note 3] To promote broader understanding, this section covers concepts and considerations that organizations may use to develop, improve, or communicate about privacy risk management. Appendix D provides additional guidance on key privacy risk management practices.

1.2.1 Cybersecurity and Privacy Risk Management

Since its release in 2014, the Cybersecurity Framework has helped organizations to communicate and manage cybersecurity risk. [1] While managing cybersecurity risk contributes to managing privacy risk, it is not sufficient, as privacy risks can also arise outside the scope of cybersecurity risks. Figure 2 illustrates how NIST considers the overlap and differences between cybersecurity and privacy risks.

[Figure 2: Cybersecurity and Privacy Risk Relationship. Two overlapping sets: cybersecurity risks, associated with loss of confidentiality, integrity, or availability; and privacy risks, associated with unintended consequences of data processing. The overlap is labelled “privacy breach”.]

The NIST approach to privacy risk is to consider potential problems individuals could experience arising from system, product, or service operations with data, whether in digital or non-digital form, through a complete life cycle from data collection through disposal. The Privacy Framework describes these data operations in the singular as a data action and collectively as data processing.

   Data Action: A system/product/service data life cycle operation, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.

   Data Processing: The collective set of data actions.

The problems individuals can experience as a result of data processing can be expressed in various ways, but NIST describes them as ranging from dignity-type effects such as embarrassment or stigmas to more tangible harms such as discrimination, economic loss, or physical harm.[note 4] Problems can arise as unintended consequences from data processing that organizations conduct to meet their mission or business objectives. An example is the concerns that certain communities had about the installation of “smart meters” as part of the Smart Grid, a nationwide technological effort to increase energy efficiency.[note 5] The ability of these meters to collect, record, and distribute highly granular information about household electrical use could provide insight into people’s behavior inside their homes.[note 6] The meters were operating as intended, but the data processing could lead to an unintended consequence: people might feel surveilled.

However, these problems also can arise from privacy breaches where there is a loss of confidentiality, integrity, or availability at some point in the data processing, such as data theft by external attackers or the unauthorized access or use of data by employees who exceed their authorized privileges. Figure 2 shows privacy breach as the overlap between a loss of confidentiality, integrity, or availability and unintended consequences of data processing for mission or business objectives.

Once an organization can identify the likelihood of any given problem arising from the data processing, which the Privacy Framework refers to as a problematic data action, it can assess the impact should the problematic data action occur. This impact assessment is where privacy risk and organizational risk intersect. Individuals, whether singly or in groups (including at a societal level), experience the direct impact of problems. As a result of the problems individuals experience, an organization may experience impacts such as noncompliance costs, customer abandonment of products and services, or harm to its external brand reputation or internal culture. These organizational impacts can be drivers for informed decision-making about resource allocation to strengthen privacy programs and to help organizations bring privacy risk into parity with other risks they are managing at the enterprise level.

Note 3: See Summary Analysis of the Responses to the NIST Privacy Framework Request for Information [2] at p. 7.

Note 4: NIST has created an illustrative problem set for use in privacy risk assessment. See NIST Privacy Risk Assessment Methodology [3]. Other organizations may have created problem sets as well, or may refer to them as adverse consequences or harms.

Note 5: See, for example, NIST Internal Report (IR) 7628 Revision 1 Volume 1, Guidelines for Smart Grid Cybersecurity: Volume 1 – Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements at [4] p. 26.
Figure 3 illustrates this relationship between privacy risk and organizational risk.

[Figure 3: Relationship Between Privacy Risk and Organizational Risk. A problem arises from data processing; the individual experiences the direct impact (e.g., embarrassment, discrimination, economic loss); the organization experiences the resulting impact (e.g., customer abandonment, noncompliance costs, harm to reputation or internal culture).]

1.2.2 Relationship Between Privacy Risk Management and Risk Assessment

Privacy risk management is a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals and how to develop effective solutions to manage such risks. Privacy risk assessment is a sub-process for identifying, evaluating, prioritizing, and responding to specific privacy risks. In general, privacy risk assessments should produce the information that can help organizations to weigh the benefits of the data processing against the risks and to determine the appropriate response (see Appendix D for more guidance on the operational aspects of privacy risk assessment). Organizations may choose to respond to privacy risk in different ways, depending on the potential impact to individuals and resulting impacts to organizations. Approaches include:

- Mitigating the risk (e.g., organizations may be able to apply technical and/or policy measures to the systems, products, or services that minimize the risk to an acceptable degree);
- Transferring or sharing the risk (e.g., contracts are a means of sharing or transferring risk to other organizations; privacy notices and consent mechanisms are a means of sharing risk with individuals);
- Avoiding the risk (e.g., organizations may determine that the risks outweigh the benefits, and forego or terminate the data processing); or
- Accepting the risk (e.g., organizations may determine that problems for individuals are minimal or unlikely to occur, therefore the benefits outweigh the risks, and it is not necessary to invest resources in mitigation).

Privacy risk assessments are particularly important because, as noted above, privacy is a condition that safeguards multiple values. The methods for safeguarding these values may differ, and moreover, may be in tension with each other. For instance, if the organization is trying to achieve privacy by limiting observation, this may lead to implementing measures such as distributed data architectures or privacy-enhancing cryptographic techniques that hide data even from the organization. If the organization is also trying to enable individual control, the measures could conflict. For example, if an individual requests access to data, the organization may not be able to produce the data if the data has been distributed or encrypted in ways the organization cannot access. Privacy risk assessments can help an organization understand in a given context the values to protect, the methods to employ, and the way to balance implementation of different types of measures.

Lastly, privacy risk assessments help organizations distinguish between privacy risk and compliance risk. Identifying whether data processing could create problems for individuals, even when an organization may be fully compliant with applicable laws or regulations, can help with ethical decision-making in system, product, and service design or deployment. This facilitates optimizing beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole, as well as avoiding losses of trust that damage organizations’ reputations, slow adoption, or cause abandonment of products and services.

Note 6: See NIST IR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems at [5] p. 2. For additional types of privacy risks associated with unintended consequences of data processing, see Appendix E of NIST IR 8062.

1.3 Document Overview

The remainder of this document contains the following sections and appendices:

- Section 2 describes the Privacy Framework components: the Core, Profiles, and Implementation Tiers.
- Section 3 presents examples of how the Privacy Framework can be used.
- Appendix A presents the Privacy Framework Core in a tabular format: Functions, Categories, and Subcategories.
- Appendix B contains a glossary of selected terms.
- Appendix C lists acronyms used in this document.
- Appendix D considers key practices that contribute to successful privacy risk management.
- Appendix E defines the Implementation Tiers.
- Appendix F provides a placeholder for a companion roadmap covering NIST’s next steps and identifying key areas where the relevant practices are not well enough understood to enable organizations to achieve a privacy outcome.
- Appendix G lists the references for this document.
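As an added example that is not part of the NIST draft, the following Python sketch turns the concepts of sections 1.1 and 1.2.2 into something runnable: each register entry is a problematic data action scored along the chain in Figure 3 (likelihood of the problem, direct impact on individuals, resulting impact on the organization), the four responses of section 1.2.2 are chosen from that score, and the Subcategories needed by every "mitigate" decision are added to the Target Profile so the Current/Target gap of section 1.1 can be reported per Function. Only the five Function names come from the draft; the 1-to-5 scales, the tolerance threshold, the order in which responses are tried, the register entries and the Category/Subcategory identifiers are all assumptions made for this example (the identifiers are not those of the draft's Appendix A).

```python
"""Privacy risk register and Profile gap check.

Added example, not code from the NIST Privacy Framework draft. Scales,
threshold, decision order and identifiers below are assumptions.
"""
from dataclasses import dataclass

# Hypothetical slice of the Core: Function -> Category -> Subcategories.
# Function names are the draft's; identifiers are invented for this example.
CORE = {
    "Identify-P": {"Inventory and Mapping": ["ID-P.1", "ID-P.2"],
                   "Risk Assessment": ["ID-P.3"]},
    "Govern-P": {"Policies": ["GV-P.1"]},
    "Control-P": {"Data Management": ["CT-P.1", "CT-P.2"]},
    "Communicate-P": {"Transparency": ["CM-P.1"]},
    "Protect-P": {"Data Security": ["PR-P.1", "PR-P.2"]},
}


@dataclass(frozen=True)
class ProblematicDataAction:
    """A data action (draft definition) that could create a problem."""
    data_action: str          # e.g. collection, retention, disclosure
    problem: str              # what individuals could experience
    likelihood: int           # 1 (rare) .. 5 (near certain), assumed scale
    individual_impact: int    # direct impact on individuals, 1..5
    org_impact: int           # resulting impact on the organization, 1..5
    mitigations: tuple = ()   # Subcategories that would reduce the risk
    shareable: bool = False   # can be shared by contract or notice/consent


def risk_score(pda: ProblematicDataAction) -> int:
    """Likelihood times the larger of the two impacts (assumed scoring)."""
    for v in (pda.likelihood, pda.individual_impact, pda.org_impact):
        if not 1 <= v <= 5:
            raise ValueError("scores must be on the 1..5 scale")
    return pda.likelihood * max(pda.individual_impact, pda.org_impact)


def choose_response(pda: ProblematicDataAction, tolerance: int = 6) -> str:
    """Map a problematic data action to one of the draft's four responses.

    Assumed decision order: accept when within tolerance, otherwise
    mitigate if a measure exists, otherwise share/transfer if possible,
    otherwise avoid (forego or terminate) the processing.
    """
    if risk_score(pda) <= tolerance:
        return "accept"
    if pda.mitigations:
        return "mitigate"
    if pda.shareable:
        return "transfer"
    return "avoid"


def all_subcategories(core=CORE) -> set:
    return {s for cats in core.values() for subs in cats.values() for s in subs}


def target_profile(register, current: set, core=CORE) -> set:
    """Target Profile: the Current Profile plus every Subcategory needed to
    mitigate a register entry whose response is 'mitigate'."""
    target = set(current)
    for pda in register:
        if choose_response(pda) == "mitigate":
            target.update(pda.mitigations)
    unknown = target - all_subcategories(core)
    if unknown:  # the Core may be extended, but only explicitly
        raise KeyError(f"Subcategories not in the Core: {sorted(unknown)}")
    return target


def profile_gap(current: set, target: set, core=CORE) -> dict:
    """Gap between the 'as is' and 'to be' states, grouped by Function."""
    missing = target - current
    gap = {}
    for function, cats in core.items():
        hits = sorted(s for subs in cats.values() for s in subs if s in missing)
        if hits:
            gap[function] = hits
    return gap


# Constructed register entries, loosely modelled on the draft's smart-meter example.
REGISTER = [
    ProblematicDataAction("collection", "granular meter readings reveal in-home behaviour",
                          4, 3, 3, mitigations=("CT-P.1", "CM-P.1")),
    ProblematicDataAction("disclosure", "readings shared with third parties",
                          3, 4, 4, shareable=True),
    ProblematicDataAction("retention", "stale service address kept in archive", 2, 2, 1),
    ProblematicDataAction("generation", "inferred occupancy profile for marketing", 4, 5, 4),
]
CURRENT_PROFILE = {"ID-P.1", "GV-P.1", "PR-P.1"}

if __name__ == "__main__":
    for pda in sorted(REGISTER, key=risk_score, reverse=True):
        print(f"{risk_score(pda):>2} {choose_response(pda):<8} {pda.data_action}: {pda.problem}")
    target = target_profile(REGISTER, CURRENT_PROFILE)
    print("gap by Function:", profile_gap(CURRENT_PROFILE, target))
```

The point of the structure is the one the draft makes: the response is driven by impact on individuals as well as on the organization, and the Target Profile follows from the risk decisions rather than from a checklist. An organization that adopts a real scoring scale (for instance from the NIST Privacy Risk Assessment Methodology cited above) only needs to change `risk_score` and the tolerance; the gap reporting stays the same.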

2.0 Privacy Framework Basics

The Privacy Framework provides a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. It can be used to help identify and prioritize actions for reducing privacy risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. Different types of entities—including sector-specific organizations—can use the Privacy Framework for different purposes, including the creation of common Profiles.

2.1 Core

The Core provides a set of activities and outcomes that enable an organizational dialogue about managing privacy risk. The Core comprises three elements: Functions, Categories, and Subcategories, depicted in Figure 4.

[Figure 4: Privacy Framework Core Structure]

The Core elements work together:

- Functions organize foundational privacy activities at their highest level. They aid an organization in expressing its management of privacy risk by understanding and managing data processing, enabling risk management decisions, determining how to interact with individuals, and improving by learning from previous activities. There are five Functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. The first four can be used to manage privacy risks arising from data processing, while Protect-P can help organizations manage privacy risks associated with privacy breaches.[note 7] Protect-P is not the only way to manage privacy risks associated with privacy breaches. For example, organizations may use the Cybersecurity Framework Functions in conjunction with the Privacy Framework to collectively
