This publication is available free of charge from:
https://doi.org/10.6028/NIST.CSWP.01162020
Version 1.0
NIST PRIVACY FRAMEWORK: A TOOL FOR
IMPROVING PRIVACY THROUGH ENTERPRISE
RISK MANAGEMENT, VERSION 1.0
January 16, 2020
The contents of this document do not have the force and effect of
law and are not meant to bind the public in any way.
NIST Privacy Framework January 16, 2020
Executive Summary
For more than two decades, the Internet and associated information technologies have driven
unprecedented innovation, economic value, and improvement in social services. Many of these benefits
are fueled by data about individuals that flow through a complex ecosystem. As a result, individuals may
not be able to understand the potential consequences for their privacy as they interact with systems,
products, and services. At the same time, organizations may not realize the full extent of these
consequences for individuals, for society, or for their enterprises, which can affect their brands, their
bottom lines, and their future prospects for growth.
Following a transparent, consensus-based process including both private and public stakeholders to
produce this voluntary tool, the National Institute of Standards and Technology (NIST) is publishing this
Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy
Framework), to enable better privacy engineering practices that support privacy by design concepts and
help organizations protect individuals’ privacy. The Privacy Framework can support organizations in:
• Building customers’ trust by supporting ethical decision-making in product and service design or
deployment that optimizes beneficial uses of data while minimizing adverse consequences for
individuals’ privacy and society as a whole;1
• Fulfilling current compliance obligations, as well as future-proofing products and services to
meet these obligations in a changing technological and policy environment; and
• Facilitating communication about privacy practices with individuals, business partners,
assessors, and regulators.
Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well-suited
to one-size-fits-all solutions. Like building a house, where homeowners make layout and design choices
while relying on a well-engineered foundation, privacy protection should allow for individual choices, as
long as effective privacy risk mitigations are already engineered into products and services. The Privacy
Framework—through a risk- and outcome-based approach—is flexible enough to address diverse
privacy needs, enable more innovative and effective solutions that can lead to better outcomes for
individuals and organizations, and stay current with technology trends, such as artificial intelligence and
the Internet of Things.
The Privacy Framework follows the structure of the Framework for Improving Critical Infrastructure
Cybersecurity (Cybersecurity Framework) [1] to facilitate the use of both frameworks together. Like the
Cybersecurity Framework, the Privacy Framework is composed of three parts: Core, Profiles, and
Implementation Tiers. Each component reinforces privacy risk management through the connection
between business and mission drivers, organizational roles and responsibilities, and privacy protection
activities.
• The Core enables a dialogue —from the executive level to the implementation/operations
level— about important privacy protection activities and desired outcomes.
• Profiles enable the prioritization of the outcomes and activities that best meet organizational
privacy values, mission or business needs, and risks.
1 There is no objective standard for ethical decision-making; it is grounded in the norms, values, and legal
expectations in a given society.