NIST Introduces New Privacy Framework at the RSA Conference

The National Institute of Standards and Technology (NIST) revealed that it plans to help companies address data privacy through the creation and development of a new privacy framework.

The Institute made the announcement at the ongoing RSA Conference 2019, stressing that it was already a work in progress.

NIST’s Senior Privacy Advisor, Naomi Lefkovitz, and the Chief of its Applied Cybersecurity Division, Kevin Stine, took to the conference stage to discuss the technical details of the Privacy Framework, noting that data privacy is a vital aspect of a comprehensive enterprise risk management plan.

The Privacy Framework is currently being developed to be non-prescriptive and risk- and outcome-based, so that it can be easily adopted by all.

Unlike the GDPR, which focuses on how data privacy should be achieved, the Privacy Framework will describe desired outcomes and favored measures for achieving them.

They noted that privacy is one dimension of risk and should be incorporated into an organization’s broader enterprise risk management activities.

Lefkovitz and Stine listed the functions of NIST’s Privacy Framework under the following headings: Identify, Protect, Control, Inform and Respond.

Under Identify, they stated that businesses should recognize legal requirements and conduct an internal assessment, with emphasis placed on understanding where data resides through data mapping.

On Protect, they noted that while there is an overlap with data security, NIST plans to expand data protection to include the information lifecycle and dissociability – the basic concept of distancing data from the individuals to whom it is linked. The framework would make use of cryptographic techniques to achieve this.

On the Control front, the framework will not only ensure that users gain control over their information but also provide the capabilities that give users that control in the first place.

On Inform and Respond, the framework will focus on notification and consumer notices in the event of an incident. It will also address inappropriate processing that may not trigger a notification but still needs to be dealt with.

While the framework is scheduled to be finalized by October, NIST is soliciting feedback before the due date. The Institute will hold a live webinar on March 14, with a workshop planned for May.