Align Your Operation With the NIST Privacy Framework

It pays to be prepared.

In February 2014, the National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework, providing a detailed, voluntary structure against which an organization’s cybersecurity program can be measured.

NIST Privacy Framework

Following its success and wide adoption, the NIST Privacy Framework was released in January 2020. Similar to its cybersecurity counterpart, the Privacy Framework helps organizations reliably assess the robustness of their privacy program. It consists of three primary components:

  • the Core, which lays out the privacy considerations involved in creating a successful privacy program
  • the Current and Target Profiles, which reflect the current state of an organization’s privacy program and the privacy program it seeks to establish, respectively
  • the Implementation Tiers, which measure the comprehensiveness of an organization’s privacy program.

The Core of The Framework

The Core of the Privacy Framework can best be analogized to a muffin pan. Just as a muffin pan determines the basic shape of whatever is poured into it, the Core provides the basic structure necessary to develop a thorough and effective privacy program. What you choose to pour into the muffin pan — whether you make cupcakes or cornbread, the particular recipe you follow, or how big of a batch you prepare — is up to you. In much the same way, how completely and how closely you adhere to the Core’s structure, and in what ways, is entirely up to you and your organization’s specific needs and objectives. No matter what you choose, we’re here to assist you.

Using the industry-standard NIST Privacy Framework, we can help you:

Bring a Modern Privacy Program to Life

Whether your organization is just starting the process of building a privacy program or you’re looking to energize and modernize your existing program, we can guide you.

Privacy values are the driver of any successful privacy program, and no one size fits all. Relying on established privacy norms, we will help you identify the values you would like your organization’s privacy program to reflect — the result of this process will constitute your Target Profile. Next, we’ll work up your Current Profile, which reflects an assessment of your organization’s privacy program as it stands right now.

After we’ve drawn up both Profiles, we’ll take your Target Profile and walk it through the Privacy Framework Core, identifying what specific actions need to be taken to resolve the gap between your Current and Target Profiles. Then we’ll make a plan to bridge that gap.

Determine Your Current Privacy Program's Maturity Level

Your organization’s privacy program may appear to have all the components it needs, but how well is it actually performing? The answer comes down to its maturity level – essentially, the degree to which its privacy practices are clearly articulated and managed.

When measuring a privacy program’s maturity, two models are particularly well-regarded: the 2011 AICPA/CICA’s Generally Accepted Privacy Principles (GAPP) and the 2019 MITRE, both of which include five levels of maturity and are based on the 1986 Capability Maturity Model (CMM). Rather than measuring privacy maturity, the CMM measures maturity in the software development context. The CMM’s success and wide acceptance inspired the GAPP and MITRE, which apply the same basic model to privacy maturity assessments.

Relying primarily on MITRE, we can assess your organization’s privacy maturity against the NIST Privacy Framework to give you a clearer idea not only of how well your organization is doing but also of how to fix what isn’t optimal.

Learn Everything You Need to Know Through Our Curated Training Courses & General Consulting

Interested in learning how to align your privacy program to the NIST Privacy Framework? Be sure to sign up for our two-day intensive course, starting in Fall 2022! For a list of other courses we offer throughout the year, check out our training website (pbd.training). You can also contact us to request a one-on-one explanation of basic concepts for your organization.

Schedule a Consultation

Privacy should always be a guarantee… together we can make it so! Your contact information will only be used to discuss potential services with you.