Getting Ready for the NIST Privacy FrameworkNIST's Naomi Lefkovitz Offers Insights on How to Use the Framework
By year's end, the National Institute of Standards and Technology should be ready to publish the first version of its Privacy Framework, a tool to help organizations identify, assess, manage and communicate about privacy risk, says NIST's Naomi Lefkovitz.
The privacy framework is modeled after the widely adopted, 5-year-old NIST Cybersecurity Framework, a voluntary set of guidance aimed to help mitigate cyber risk. In developing the privacy framework, NIST turned to stakeholders to help shape the document. More than 50 organizations and a dozen of individuals offered NIST suggestions on how to improve the privacy framework.
"When you're developing a voluntary tool, you really need to get buy-in from the stakeholders who are going to be the ultimate users of the tool," Lefkovitz, who's leading the development of the privacy framework, says in an interview with Information Security Media Group. "If it is not providing value to them, then what reason do they ever have to use it?"
At the core of the privacy framework is a set of privacy protection activities and outcomes. The framework consists of five functions aimed to help organization in and out of the U.S. federal government to identify, govern, control, protect and communicate about privacy. The core is further divided into key categories and subcategories, which are discrete outcomes for each function.
In the interview (see audio link below photo), Lefkovitz:
- Emphasizes that implementing the privacy framework is an enterprisewide effort, furnishing a guide on how executives, managers and employees can communicate and collaborate on how best to safeguard digital privacy. "As you make your way down through the categories and subcategories, some of those categories would be areas that the policy shop, or their legal or compliance shops, will focus on. ... IT or engineers would focus on [other areas]. Cumulatively, the framework provides a means for a dialogue or collaboration across many parts of the organization."
- Contrasts the cybersecurity framework with the privacy framework. "Privacy is more than just cybersecurity. It's true good cybersecurity can help protect privacy, but privacy risk extends beyond simply an overlap with the cybersecurity risk."
- Explains that the privacy framework isn't designed to be treated as a checklist. "This is not a prescriptive document. Rather, [the framework is designed to] help organizations speak about what are the key activities that I need to prioritize to help me manage privacy risk."