Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



NIST Releases Framework for Privacy Risk Management

The National Institute of Standards and Technology (NIST) last week announced version 1.0 of its Privacy Framework, a tool designed to help organizations manage privacy risks.

The National Institute of Standards and Technology (NIST) last week announced version 1.0 of its Privacy Framework, a tool designed to help organizations manage privacy risks.

NIST published a preliminary draft of the Privacy Framework in September 2019, when it requested public feedback. The agency had initially hoped to release version 1.0 by the end of 2019, but it was officially announced only on January 16.

The NIST Privacy Framework is designed to help organizations of all sizes and in all sectors manage privacy risks by focusing on three main aspects: taking privacy into account when developing a product or service, communicating about privacy practices, and cross-organizational collaboration.

The framework has three main parts: the core, profiles, and implementation tiers. The core provides a granular set of activities and outcomes whose goal is to enable internal communication. Profiles represent functions, categories and subcategories from the core that have been prioritized by an organization. Finally, implementation tiers help organizations optimize the resources needed to achieve their target profile.

NIST has pointed out that the Privacy Framework is not a law or regulation, but a voluntary tool that can be used to manage risks and ensure compliance with existing legislation, such as the GDPR and California’s CCPA.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” said Naomi Lefkovitz, the senior privacy policy adviser at NIST who led the development of the framework. “If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

According to Lefkovitz, the framework should also make it easier for organizations to keep up with technology advancements and new uses for data.

Advertisement. Scroll to continue reading.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” she explained. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

NIST says the Privacy Framework is meant to complement the NIST Cybersecurity Framework, and both will be updated over time.

The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is available in PDF format on NIST’s website.

Related: NIST and Microsoft Partner to Improve Enterprise Patching Strategies

Related: NIST’s Zero Trust Taxonomy Introduces Components, Threats and Migration Routes

Related: NIST Working on Industrial IoT Security Guide for Energy Companies

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.