On September 9, NIST released the Preliminary Draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. Building on the widely adopted Cybersecurity Framework, the companion Privacy Framework will help organizations address the privacy risks and legal obligations associated with designing and deploying products and services. The Cybersecurity Framework has been critical in establishing a common lexicon for cybersecurity in both government and industry, and the final Privacy Framework will hopefully achieve the same goal.
As the convergence of privacy and security grows in response to public concern over the multitude of unauthorized data access incidents, NIST has been careful to honor the current cybersecurity guidance while adding privacy best practices to address the increasing need for data protection. NIST recognizes that cybersecurity risks arise from unauthorized activity while privacy risks are a byproduct of authorized data processing and that both play a role in a holistic data security strategy.
As the above Venn diagram illustrates, the application of the proposed Privacy Framework aims to address privacy risks associated with both data processing and privacy breaches. The Core functions of the Privacy Framework—Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, where the -P refers to privacy-focused activities—are designed to offer organizations flexibility when addressing privacy risks:
- Identify-P, Govern-P, Control-P and Communicate-P can be used to manage privacy risks that arise directly from data processing;
- Organizations can use Protect-P along with Detect, Respond and Recover from the Cybersecurity Framework to manage privacy risks arising from privacy breaches;
- Depending on the organization and the maturity of the security and privacy programs, organizations can also use all of the Cybersecurity Framework Functions alongside Identify-P, Govern-P, Control-P and Communicate-P to address risks that are both privacy and security related.
What does this mean for you?
NIST recognizes the importance of collaboration between privacy and security teams, and encourages organizations to view the proposed, voluntary framework with flexibility and apply it based on the maturity of the organization’s current privacy program. While some may use the framework as guidance for a new privacy program, others will see it as a means of identifying gaps in a current program. Ultimately, the framework should serve as a guide for balancing innovative uses of data with minimizing negative consequences for employees, customers and partners. Also, if you or your organization have comments or suggested improvements, please submit them to NIST by October 24, 2019.
How Can Virtru Help?
From the beginning, Virtru’s mission has been to protect privacy by securing data and helping organizations securely share data to achieve mission success. Modern data protection requires data-centric protection that persists with the data, including access controls and policy management. As a FedRAMP authorized solution provider, Virtru can help you achieve data-centric protection and compliance goals, all while enabling an ecosystem that ensures secure data sharing and collaboration.