Digital ID

NIST releases version 1.0 of the Privacy Framework

The NIST released version 1.0 of Privacy Framework, it is a tool designed to help organizations to manage privacy risks.

The National Institute of Standards and Technology (NIST) has published the release version 1.0 of its privacy framework. The Framework is a voluntary tool that can be used by organizations to manage risks in compliance with privacy legislation, including the European GDPR.

The NIST Privacy Framework is designed to help organizations manage privacy risks, with specific focuses on:

  • Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment;
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

The framework provides building blocks that help organizations in achieving privacy goals.

The Framework is composed of three main parts, the Core, Profiles, and Implementation Tiers.

The Core enables communications within organizations about privacy protection activities and desired goals. Profiles allow organizations to prioritize the outcomes and activities according to privacy values, the business mission, and risks.

Implementation tiers help organizations to optimize the resources that are necessary to manage the risk.

Organizations, one analyzed the potential impact of privacy risks, may choose to prioritize according to their strategy. The response to privacy risk includes:

  • Mitigating the risk (e.g., organizations may be able to apply technical and/or policy measures to the systems, products, or services that minimize the risk to an acceptable degree);
  • Transferring or sharing the risk (e.g., contracts are a means of sharing or transferring risk to other organizations, privacy notices and consent mechanisms are a means of sharing risk with individuals);
  • Avoiding the risk (e.g., organizations may determine that the risks outweigh the benefits, and forego or terminate the data processing);
  • Accepting the risk (e.g., organizations may determine that problems for individuals are minimal or unlikely to occur, therefore the benefits outweigh the risks, and it is not necessary to invest resources in mitigation).

The framework should also organizations to keep up with technology advancements and new uses for data.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” said Naomi Lefkovitz, NIST privacy policy adviser who led the development of the framework. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

The Privacy Framework is considered complementary with the NIST Cybersecurity Framework, using both it is possible to have a good understanding of the different origins of cybersecurity and privacy risks and allow to determine the most effective solutions to address the risks.

Additional details are included in the document titled “NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – privacy, NIST)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

DORA Compliance Strategy for Business Leaders

In January 2025, European financial and insurance institutions, their business partners and providers, must comply…

16 hours ago

CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel, Microsoft Windows, Progress Telerik Report…

23 hours ago

City of Cleveland still working to fully restore systems impacted by a cyber attack

Early this week, the City of Cleveland suffered a cyber attack that impacted multiple services.…

1 day ago

Two Ukrainians accused of spreading Russian propaganda and hack soldiers’ phones

Ukraine’s security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda…

1 day ago

Google fixed an actively exploited zero-day in the Pixel Firmware

Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively…

2 days ago

Multiple flaws in Fortinet FortiOS fixed

Fortinet released security updates to address multiple vulnerabilities in FortiOS, including a high-severity code execution…

2 days ago

This website uses cookies.