How to get started with the NIST Privacy Framework
The final version of the NIST Privacy Framework is out. Privacy wonks, rejoice!
The TL;DR? This new effort from NIST is a comprehensive framework that anyone can use to build a true privacy risk program, not just a compliance program. This means you can use the Privacy Framework to take a holistic approach to privacy instead of playing whack-a-mole with various controls in different regimes.
It’s a big deal because the Privacy Framework represents the democratization of privacy in the same way that the NIST Cyber Security Framework (CSF) brought security risk management to the masses. It demystifies a complex subject and allows smaller, less technical organizations to transact on privacy in a meaningful way.
If you didn’t catch my previous post about the NIST Privacy Framework, you might want to peek at that too — here it is.
W00h00 (AKA why this framework matters)
I am legitimately excited about the Privacy Framework for a couple of reasons.
1. It’s great to have a regulatory agnostic framework to help drive privacy risk programs. The NIST CSF has been an incredibly useful framework to help people assess where they are and where they want to be from a cyber security standpoint. We use it here at Expel to measure our own progress, and we even have a tool you can use to assess your own org. Lots of our customers use it too, and they’ve told us that the tool is easy to use and effective. The Privacy Framework promises to have the same type of utility but in the privacy domain.
2. Today, we’re at a very different point on the maturity curve when it comes to privacy versus cyber security. I served as a facilitator for NIST during the creation of the CSF and the sessions I was involved with were filled with people who had ideas based on frameworks they’d created or used, their existing cyber security program and years of cyber experience. I also had the privilege of facilitating sessions at one of the NIST Privacy Framework workshops earlier this year … but the experience was much different. While there were definitely practitioners in the room who had ideas to share from their existing programs, there were many more who were just starting their privacy risk journey and were looking for guidance on how to proceed. I think that’s a general reflection of the industry right now: everyone knows they need to care about privacy but they’re not sure how to care and what kind of guardrails or assessments they should put in place.
3. Finally, the Privacy Framework is very similar in structure to the CSF. So if you’ve used the CSF in any way — whether you’ve used our Expel NIST CSF self-scoring tool or something else — the PF will look familiar. Any muscle memory you’ve built up using the CSF will come in handy as you start to use the PF. And the directions for using this new scoring tool are pretty similar.
Introducing the Expel Privacy Self-Scoring Tool
Here’s a sneak peek at our brand new privacy self-scoring tool, which is based on the new NIST Privacy Framework. We’ve modeled it after our existing NIST CSF self-scoring tool. Given the similarity between the CSF and the PF, if you’ve used our CSF tool, this one will feel very familiar.
If you’re wanting to address privacy risk in your own org but aren’t sure where to start, then this tool is for you. It’ll help you assess where you are today from a privacy standpoint and where you want to be.
Here’s how it works:
Open the self-scoring tool and score yourself for each subcategory on a scale from 0 to 5, using integers only.
Score your org according to the following scale:
Don’t overthink it. Download it when you have a chance and take a few hours to fill it out. It should take two to four hours the first time you go through it.
We want your feedback
We’re working on more content that’ll help you use the Privacy Framework, but for now we wanted to get the tool out for you to start using now that NIST’s newest framework is finalized.
If you download it and give it a try, please send us your thoughts so that we can improve the tool for the community.