NIST Seeks Comment on Risk Management Privacy Framework

September 18, 2019

Designed to align with its cybersecurity framework, NIST released a working draft of its framework for managing privacy risks within the enterprise to address unique privacy risks of the digital age.

NIST is seeking stakeholder feedback on the recently released preliminary draft of its framework for improving privacy through enterprise risk management.

Drafted from public conversations, the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is designed to help organizations maximize positive data use, while simultaneously minimizing the privacy risk to individuals.

The privacy framework was built in response to industry leaders who requested that NIST better align its privacy framework with its cybersecurity guidelines. Officials said the frameworks are meant to be used together.

“While data can enhance airport security, develop social connections, or serve myriad other positive purposes, inadequate data management can result in a range of problems for individuals,” NIST authors wrote. “In turn, these problems can affect an organization’s reputation and bottom line.”

“We see privacy as something that safeguards human values, like dignity and autonomy,” Naomi Lefkovitz, a NIST senior privacy policy adviser and framework leader, said in a statement. “It’s a challenging topic, though, because we have so many individual and societal conceptions of what privacy means.”

As there are multiple ways to build privacy into enterprise functions, the proposed guidelines outline several protection methods from which organizations can choose to best suit their environments and ensure they meet the privacy needs of individuals who use their services.

The proposed privacy framework centers around three areas: the core, profiles, and implementation tiers. Organizations will find a set of privacy protection activities in the core section, designed to start a dialogue within the organization around desired outcomes.

Meanwhile, the profiles section is meant to help an organization determine which core activities it should follow to most effectively reach those goals. Lastly, the implementation tiers can help organizations optimize resources dedicated to privacy risk management.

“One company might have more risks, for example, and might need to have a chief privacy officer, while another might not,” NIST authors wrote.

The framework can also help to fulfill compliance obligations, while future-proofing products and services to keep pace with changes in technology and policies. It can also help facilitate communication about privacy practices with regulators, assessors, and customers, while helping organizations “manage privacy risk through a prioritized, flexible, outcome-based, and cost-effective approach compatible with existing legal and regulatory regimes.”

However, the guide is not designed to be used as a checklist of action items. As other privacy and security leaders have noted in the past, frameworks are designed to help organizations build strong security programs using the common denominator to reduce risk, as well as to provide basic guidelines for privacy requirements.

“A checklist-based approach might make you overinvest in less effective privacy solutions for your situation or underinvest in the ones that would give you the most privacy benefit,” Lefkovitz said in a statement. “The framework is designed to help your organization recognize and then address its own potentially unique situation.”

“Privacy risk management practices are not yet well understood,” she added. “This document is just a beginning. In collaboration with our stakeholders, we will build more guidance around it.”

According to NIST, the hope is that organizations will leverage the guide to build customer trust through the support of ethical decision-making in product or service design that will reduce privacy risks. NIST recently posted its request for comment on the Federal Register, and interested stakeholders can submit feedback until October 24.

The Consumer Technology Association recently released its own voluntary privacy guidance meant to address challenges and methods for ensuring the privacy of health and wellness apps.

Date: September 18, 2019

Source: Health IT Security
