By Bruce Sussman
Mon | May 13, 2019 | 7:52 AM PDT

NIST recently unveiled its proposed Privacy Framework.

This is a discussion draft, and NIST wants your feedback as part of the process.

Is the NIST Privacy Framework, as proposed, enough to help organizations develop a robust privacy program?

Will the Privacy Framework work in tandem with the NIST Cybersecurity Framework?

Why NIST is proposing privacy guidelines

The executive summary of the proposed NIST Privacy Framework gets to the heart of why something new is needed:

Approaches to Privacy are challenging because it is an all-encompassing concept. It is a condition or state that safeguards important values such as human autonomy and dignity, yet the means for achieving it vary.

This broad and shifting nature of privacy makes it difficult to communicate clearly about privacy risks within and between organizations and with individuals. What has been missing is a shared lexicon and practical structure that is flexible enough to address diverse privacy needs.

These things, NIST says, have led to a lack of trust that could grow and harm business innovation and individual privacy unless there is a new approach.

How the NIST proposal approaches privacy

"We want this to be a tool, which any organization can use, to achieve privacy objectives," says recognized security expert Rebecca Herold.

Herold is on the NIST committee that put the Privacy Framework together and is a keynote at SecureWorld Kansas City.

The new approach being proposed should help organizations do the following:

  • Understand how their systems, products, and services affect individuals;
  • Clarify how organizations can integrate into their processes privacy practices that mitigate these impacts and protect individuals' privacy.

NIST also says it has developed the proposed Privacy Framework for any organization around the world, regardless of sector, focus, or size.

Key points of the NIST Privacy Framework

At a high level, NIST wants feedback on the key objectives it lists in the framework and on whether anything is missing. The three key objectives are to help organizations with:

  1. The Core, which is a set of privacy protection activities and desired outcomes that allows for communicating prioritized privacy protection activities and outcomes across the organization;
  2. A Profile, which represents the privacy outcomes an organization aims to achieve and how it will be achieved;
  3. Implementation Tiers, which provide context on how an organization views privacy risk and whether it has adequate processes and resources in place to manage that risk.

The overlap of privacy and security

The NIST proposal also examines the link between cybersecurity, data security, and privacy.

[Graphic: NIST's depiction of the link between security and privacy]

Specifically, NIST is looking for feedback on the relationship this graphic depicts, and on whether the new Privacy Framework will work well in conjunction with the NIST Cybersecurity Framework.

This is why input from those working in IT security, risk, and privacy is so crucial. You have the chance to shape this document.

How to give NIST your feedback

There are two steps to providing your feedback to NIST.

  1. First, read the proposed NIST Privacy Framework draft.
  2. Make notes of anything missing or needing a tweak, then email them to NIST here:

SecureWorld sees this as a way to enable more robust digital collaboration, which will lead to fantastic discussions at conferences across North America.

And a future where there is greater trust between organizations and individuals.

Tags: Privacy, NIST