NIST Privacy Framework: An Enterprise Risk Management Tool

By Nancy Rand
Posted in Security
On May 02, 2019

The NIST Privacy Framework discussion draft has been published. This document incorporates the outlines and stakeholder input received to date.

https://www.nist.gov/sites/default/files/documents/2019/04/30/nist-privacy-framework-discussion-draft.pdf 

The second workshop, "Drafting the NIST Privacy Framework: Workshop #2," will be held on May 13-14, 2019, at the Georgia Tech Scheller College of Business in Atlanta, Georgia. Feedback is also welcome via email at privacyframework@nist.gov (email feedback will not be posted online). https://www.nist.gov/privacy-framework/working-drafts explains the documents and the process to date.

Sections 1.1 through 1.2.2 of the Discussion Draft introduce the Privacy Framework, Privacy Risk Management, and the relationship between Privacy Risk Management and Risk Assessment.

Section 1.3, Document Overview, lists the remaining sections of the document:

Section 2.0 describes the Privacy Framework components: the Core, the Profiles, and the Implementation Tiers.

Section 3.0 presents examples of how the Privacy Framework can be used.

Appendix A: Privacy Framework Core presents the Core: a table of functions, categories, and subcategories that describe specific privacy activities that can support managing privacy risks when systems, products, and services are processing data or interacting with individuals.

Appendix B contains a glossary of selected terms.

Appendix C lists acronyms used in this document.

Appendix D considers key practices that contribute to successful privacy risk management.

Appendix E defines the Implementation Tiers.

Appendix F provides a placeholder for a companion roadmap covering NIST’s next steps and identifying key areas where the relevant practices are not well enough understood to enable organizations to achieve a privacy outcome.

The https://www.nist.gov/privacy-framework page provides more information about the process. A mailing list for this effort is also available through Google Groups.

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.