By Kathryn Daily, CISSP, CAP, RDRP
Back in September 2018, NIST announced its plans to develop a data privacy framework modeled on its Cybersecurity Framework (CSF), which has been extremely successful in both the government and the private sector. NIST has worked with industry through webinars and workshops and has incorporated both public and private sector feedback into the data privacy framework.
Many are questioning why a second framework is necessary. Bob Siegel, of Privacy Ref, Inc., provides a fantastic simile for the relationship between security and privacy: “Just as the drapes on a window may be considered a security safeguard that also protects privacy, an information security program provides the controls to protect personal information. Security controls limit access to personal information and protect against its unauthorized use and acquisition. It is impossible to implement a successful privacy program without the support of a security program. Just as the bars on a window help prevent intruders from entering into your home while allowing people to look inside, a security program can implement controls without regard for privacy.”
As with the CSF, the privacy framework will be voluntary and is intended to be used alongside the CSF. Also like the CSF, the privacy framework will be developed without granular controls and will focus on outcomes rather than getting organizations stuck in the definition of terms.
The new framework is still in development, but we know a little about what will be included. It will be risk-based, outcome-based, voluntary and non-prescriptive. It will be adaptable to many different organizations, technologies, lifecycle phases, sectors and uses. It will provide a common and accessible language.