Did you know that the famous NIST Cyber Security Framework has a sibling? That’s right. We’re talking about the NIST Privacy Framework, an in-depth piece of guidance, spanning over 40 pages, that aims to help organizations establish and maintain a robust data privacy program.
While we recommend that business leaders, compliance and security folk read the entire guidance in full, we also appreciate that time is of the essence. So, below, we’ll take you through everything there is to know about the Privacy Framework and give you tips on how to get started with implementation.
What is the NIST privacy framework?
The NIST Privacy Framework is a tool to help organizations identify, manage and mitigate privacy risks to data such as PII and PHI. It features a set of granular controls that companies can implement to improve their organization’s approach to privacy assurance.
It’s worth noting, here, that the Privacy Framework has a symbiotic relationship with the NIST Security Framework. Where applicable, NIST has reused controls from the Security Framework in the Privacy Framework. So, if you’ve already implemented the CSF within your organization, some of the Privacy Framework’s language will likely look familiar to you.
The framework consists of three pillars: the core, profiles and implementation tiers.
The Core refers to a list of granular privacy protection actions and outcomes that help companies to manage privacy risks. The core comprises five Functions, which are then further mapped into Categories and then Subcategories.
Profiles can be seen as a subset of the core. They refer to specific Functions, Categories, and Subcategories from the Core that an organization has chosen to use to mitigate privacy risks. Profiles are often used to define where a company is ‘right now’ in terms of privacy and where it would like to be – as illustrated in the image below.
Implementation Tiers work as a reference point for organizations to understand how their approach to privacy compares to most organizations and industry standards.
What are the five functions of the NIST privacy framework?
The Core of the framework features five distinct functions. These are:
- IDENTIFY-P: Develop the organizational understanding to manage privacy risks for individuals arising from data processing.
- GOVERN-P: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
- CONTROL-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
- COMMUNICATE-P: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
- PROTECT-P: Develop and implement appropriate data processing safeguards.
As you can see, the first four Functions are focused on how to correctly handle personal data to reduce privacy risk. The last function, on the other hand, is all about data protection and security.
The five function areas flow into 29 Categories, which then flow into 100 Subcategories.
Why did NIST introduce the framework?
Data privacy is an increasingly significant issue at both the national and international levels. State legislatures are fast introducing data privacy laws to protect citizens’ data. Data protection and privacy are inherently complex, technical subjects and many organizations find it challenging to demystify their requirements and protect customer and employee data adequately.
NIST’s Privacy Framework aims to be somewhat of a remedy to this, offering a standardized approach to help companies comply with various privacy frameworks and better mitigate data privacy risks.
How does the privacy framework compare to the cybersecurity framework?
NIST’s CSF was born in 2014 as a way to help companies meet the security standards of regulations like HIPAA, PCI-DSS and GBLA. The Privacy Framework is a complementary document to the CSF. While one focuses on cybersecurity, the other focuses on privacy.
Putting the NIST privacy framework in the context of your organization
While the NIST Privacy Framework is not mandatory, companies that proactively adopt its principles stand to gain benefits such as improved customer loyalty, enhanced transparency and compliance with critical regulations.
Moreover, the Privacy Framework is written with the general business person in mind – so anyone in your organization should be able to read it and gain insights from it.
One sticking point we find that companies often face with the framework is applying it to cloud environments. In fact, the top cloud security concerns are data loss and leakage (69%), data privacy (66%), followed by accidental exposure of credentials (44%).
To holistically implement the NIST Privacy Framework, you need to think about extending data privacy and protection beyond your network and into your SaaS environments – places like Slack, Teams and Google Workspace. After all, that’s where your employees are working most of the time – and where most of your sensitive data probably is!
The NIST privacy framework in the cloud: get started with Polymer
Polymer DLP’s self-learning engine can help you implement each of the five functions within the NIST Privacy Framework so you achieve total data protection and privacy in your SaaS applications.
Identification of sensitive data at speed and scale: Our solution becomes the cornerstone of your data governance strategy. Using data classification, Through data classification, it identifies and categorizes your data according to perceived value – including unstructured data that traditional DLP misses.
From there, our engine detects PII, PHI and trade secrets, preventing them from being unlawfully shared, transported or accessed by unauthorized parties. Moreover, because next-generation DLP works in-app, it doesn’t hinder employee productivity or disrupt the workflow. This means that employees can continue to collaborate as normal.
Automated privacy enforcement in cloud applications: Our cloud-based DEP solution becomes your virtual, AI-led compliance officer in the cloud. For HIPAA, GDPR and state privacy regulations, we automatically enforce contextual DLP policies that capture, redact and protect PPI and PHI as it travels through Slack and other SaaS applications.
This means that no one ever accesses sensitive data unless they’re authorized to, which keeps your data safe from privacy violations.
Enhanced compliance awareness with in-app nudges: As your employees work day to day, compliance isn’t always going to be front of mind for them, unless you use our automated feedback loops. At Polymer, we use in-app nudges that show employees how their actions could result in data security or compliance violations. We make use of end of day reports and alerts within popular apps like Slack and Teams, which show employees the risks they have created and why their behavior was unsafe.
By making users feel directly accountable for compliance and security, we help companies to build a culture of trust and privacy. After all, compliance cannot just fall on a few individuals in one team. It’s up to every member of the organization to be conscious of following regulations.
Ready to get started? Contact us today to learn more about how we can help you enhance data privacy and security in the cloud.