NIST Privacy Framework Preliminary Draft Core: Mapping to ISO/IEC 27701

Function and Category cells are stated once per group and apply to every row beneath them until the next entry.

| Function | Category | Subcategory | Mapping to ISO 27701 |
|---|---|---|---|
| IDENTIFY-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing. | Inventory and Mapping (ID.IM-P): Data processing by systems, products, or services is understood and informs the management of privacy risk. | ID.IM-P1: Systems/products/services that process data are inventoried. | 7.2.8 – Records related to processing PII |
| | | ID.IM-P2: Owners or operators (e.g., the organization or third parties such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried. | 5.2.1 – Understanding the organization and its context; 7.2.8 – Records related to processing PII |
| | | ID.IM-P3: Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried. | 5.2.2 – Understanding the needs and expectations of interested parties |
| | | ID.IM-P4: Data actions of the systems/products/services are inventoried. | 7.2.8 – Records related to processing PII |
| | | ID.IM-P5: The purposes for the data actions are inventoried. | 7.2.8 – Records related to processing PII |
| | | ID.IM-P6: Data elements within the data actions are inventoried. | 7.2.8 – Records related to processing PII |
| | | ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties). | 7.2.8 – Records related to processing PII |
| | | ID.IM-P8: Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components; roles of the component owners/operators; and interactions of individuals or third parties with the systems/products/services. | 7.2.5 – Privacy impact assessment (guidance) |
| | Business Environment (ID.BE-P): The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions. | ID.BE-P1: The organization's role in the data processing ecosystem is identified and communicated. | 5.2 – Context of the organization |
| | | ID.BE-P2: Priorities for organizational mission, objectives, and activities are established and communicated. | 5.2 – Context of the organization |
| | | ID.BE-P3: Systems/products/services that support organizational priorities are identified and key requirements communicated. | 5.2 – Context of the organization |
| | Risk Assessment (ID.RA-P): The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture. | ID.RA-P1: Contextual factors related to the systems/products/services and the data actions are identified (e.g., individuals' demographics and privacy interests or perceptions, data sensitivity, visibility of data processing to individuals and third parties). | 5.4.1.2 – Information security risk assessment |
| | | ID.RA-P2: Data analytic inputs and outputs are identified and evaluated for bias. | |
| | | ID.RA-P3: Potential problematic data actions and associated problems are identified. | 5.4.1.2 – Information security risk assessment |
| | | ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk. | 5.4.1.2 – Information security risk assessment |
| | | ID.RA-P5: Risk responses are identified, prioritized, and implemented. | 5.4.1.3 – Information security risk treatment |
| | Data Processing Ecosystem Risk Management (ID.DE-P): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, assess, and manage privacy risks within the data processing ecosystem. | ID.DE-P1: Data processing ecosystem risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders. | 5.2 – Context of the organization |
| | | ID.DE-P2: Data processing ecosystem parties (e.g., service providers, customers, partners, product manufacturers, application developers) are identified, prioritized, and assessed using a privacy risk assessment process. | 5.4.1 – Actions to address risks and opportunities |
| | | ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization's privacy program. | 6.11 – System acquisition, development and maintenance |
| | | ID.DE-P4: Interoperability frameworks or similar multi-party approaches are used to manage data processing ecosystem privacy risks. | 6.12 – Supplier relationships |
| | | ID.DE-P5: Data processing ecosystem parties are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual or framework obligations. | 5.7 – Performance evaluation; 5.8 – Improvement |
| GOVERN-P (GV-P): Develop and implement the organizational governance structure to enable an ongoing understanding of the organization's risk management priorities that are informed by privacy risk. | Governance Policies, Processes, and Procedures (GV.PP-P): The policies, processes, and procedures to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk. | GV.PP-P1: Organizational privacy values and policies (e.g., conditions on data processing, individuals' prerogatives with respect to data processing) are established and communicated. | 5.3.2 – Policy; 5.5.3 – Awareness; 6.12 – Supplier relationships |
| | | GV.PP-P2: Processes to instill organizational privacy values within system/product/service development and operations are established and in place. | 6.4.2.2 – Information security awareness, education and training |
| | | GV.PP-P3: Roles and responsibilities for the workforce are established with respect to privacy. | 5.3.3 – Organizational roles, responsibilities and authorities; 6.3.1 – Additional implementation guidance for 6.1.1 (Information security roles and responsibilities) of ISO/IEC 27002:2013 |
| | | GV.PP-P4: Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners). | 5.3.3 – Organizational roles, responsibilities and authorities; 6.3 – Internal organization (roles and responsibilities) |
| | | GV.PP-P5: Legal, regulatory, and contractual requirements regarding privacy are understood and managed. | 5.2.2 – Understanding the needs and expectations of interested parties |
| | | GV.PP-P6: Governance and risk management policies, processes and procedures address privacy risks. | 5.4.1.3 – Information security risk treatment |
| | Risk Management Strategy (GV.RM-P): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | GV.RM-P1: Risk management processes are established, managed, and agreed to by organizational stakeholders. | 5.4.1.2 – Information security risk assessment |
| | | GV.RM-P2: Organizational risk tolerance is determined and clearly expressed. | 5.2.1 – Understanding the organization and its context; 6.15 – Compliance |
| | | GV.RM-P3: The organization's determination of risk tolerance is informed by its role in the data processing ecosystem. | 6.1.2 – Information security risk assessment (establishes and maintains information security and privacy risk criteria that include the risk acceptance criteria) |
| | Awareness and Training (GV.AT-P): The organization's workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values. | GV.AT-P1: The workforce is informed and trained on its roles and responsibilities. | 5.5.3 – Awareness |
| | | GV.AT-P2: Senior executives understand their roles and responsibilities. | 5.5.2 – Competence |
| | | GV.AT-P3: Privacy personnel understand their roles and responsibilities. | 5.5.2 – Competence |
| | | GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities. | 5.5.2 – Competence |
| | Monitoring and Review (GV.MT-P): The policies, processes, and procedures for ongoing review of the organization's privacy posture are understood and inform the management of privacy risk. | GV.MT-P1: Privacy risk is re-evaluated on an ongoing basis and as key factors, including the organization's business environment, governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services change. | 5.6.2 – Operation: information security risk assessment |
| | | GV.MT-P2: Privacy values, policies, and training are reviewed and any updates are communicated. | 5.7.1 – Monitoring, measurement, analysis and evaluation; 5.5.4 – Communication |
| | | GV.MT-P3: Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place. | 6.15.1 – Compliance with legal and contractual requirements; 6.15.2.1 – Independent review of information security |
| | | GV.MT-P4: Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place. | 6.1.2 – Information security risk assessment (the organization shall define and apply an information security and privacy risk assessment process); 5.6.2 – Information security risk assessment |
| | | GV.MT-P5: Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers). | 5.7.1 – Monitoring, measurement, analysis and evaluation; 5.7.2 – Internal audit; 6.13.1 – Management of information security incidents and improvements |
| | | GV.MT-P6: Policies, processes, and procedures incorporate lessons learned from problematic data actions. | 6.13.1.5 – Response to information security incidents; 6.13.1.6 – Learning from information security incidents |
| | | GV.MT-P7: Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place. | 7.3.9 – Handling requests; 7.3.2 – Determining information for PII principals |
| CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. | Data Management Policies, Processes, and Procedures (CT.PO-P): Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities) consistent with the organization's risk strategy to protect individuals' privacy. | CT.PO-P1: Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place. | 7.2 – Conditions for collection and processing |
| | | CT.PO-P2: Policies, processes, and procedures for enabling data review, transfer, sharing or disclosure, alteration, and deletion are established and in place. | 7.4.3 – Accuracy and quality; 7.4.7 – Retention; 7.4.8 – Disposal; 7.5 – PII sharing, transfer and disclosure |
| | | CT.PO-P3: Policies, processes, and procedures for enabling individuals' data processing preferences and requests are established and in place. | 7.2.4 – Obtaining and recording consent |
| | | CT.PO-P4: An information life cycle to manage data is aligned and implemented with the system development life cycle to manage systems. | 6.11.2.1 – Secure development policy |
| | Data Management (CT.DM-P): Data are managed consistent with the organization's risk strategy to protect individuals' privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization). | CT.DM-P1: Data elements can be accessed for review. | 7.3.6 – Access, correction and/or erasure |
| | | CT.DM-P2: Data elements can be accessed for transmission or disclosure. | 7.3.7 – PII controllers' obligations to inform third parties |
| | | CT.DM-P3: Data elements can be accessed for alteration. | 7.3.6 – Access, correction and/or erasure |
| | | CT.DM-P4: Data elements can be accessed for deletion. | 7.4.5 – PII de-identification and deletion at the end of processing; 7.3.6 – Access, correction and/or erasure |
| | | CT.DM-P5: Data are destroyed according to policy. | 7.4.8 – Disposal |
| | | CT.DM-P6: Data are transmitted using standardized formats. | 7.3.8 – Providing copy of PII processed |
| | | CT.DM-P7: Metadata containing processing permissions and related data values are transmitted with data elements. | 7.4.9 – PII transmission controls |
| | | CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. | 7.4.1 – Limit collection; 7.4.2 – Limit processing; 7.4.4 – PII minimization objectives |
| | Disassociated Processing (CT.DP-P): Data processing solutions increase disassociability consistent with related policies, processes, procedures, and agreements and the organization's risk strategy to protect individuals' privacy. | CT.DP-P1: Data are processed in an unobservable or unlinkable manner (e.g., data actions take place on local devices, privacy-preserving cryptography). | 6.7.1 – Cryptographic controls; 7.4.4 – PII minimization objectives; ISO/IEC 20889 |
| | | CT.DP-P2: Data are processed to limit the identification of individuals (e.g., differential privacy techniques, tokenization). | 7.4.4 – PII minimization objectives; 6.9.4.2 – Protection of log information; ISO/IEC 20889 |
| | | CT.DP-P3: Data are processed to restrict the formulation of inferences about individuals' behavior or activities (e.g., data processing is decentralized, distributed architectures). | 7.4.4 – PII minimization objectives; ISO/IEC 20889 and ISO/IEC 19944 |
| | | CT.DP-P4: System or device configurations permit selective collection or disclosure of data elements. | 7.4.4 – PII minimization objectives (technical system configurations) |
| | | CT.DP-P5: Attribute references are substituted for attribute values. | 7.4.4 – PII minimization objectives (removal of attributes associated with PII principals) |
| | | CT.DP-P6: Data processing is limited to that which is relevant and necessary for a system/product/service to meet mission/business objectives. | 7.4.2 – Limit processing |
| COMMUNICATE-P (CM-P): Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding about how data are processed and associated privacy risks. | Communication Policies, Processes, and Procedures (CM.PP-P): Policies, processes, and procedures are maintained and used to increase transparency of the organization's data processing practices (e.g., purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities) and associated privacy risks. | CM.PP-P1: Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place. | 7.3.1 – Determining and fulfilling obligations to PII principals; 7.3.2 – Determining information for PII principals |
| | | CM.PP-P2: Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established. | 5.5.4 – Communication; 5.7.3 – Management review |
| | Data Processing Awareness (CM.AW-P): Individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization's risk strategy to protect individuals' privacy. | CM.AW-P1: Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals' data processing preferences and requests are established and in place. | 7.3.3 – Providing information to PII principals; 7.3.7 – PII controllers' obligations to inform third parties |
| | | CM.AW-P2: Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place. | 5.7.3 – Management review |
| | | CM.AW-P3: System/product/service design enables data processing visibility. | 7.4 – Privacy by design; 6.11.2.1 – Secure development policy |
| | | CM.AW-P4: Records of data disclosures and sharing are maintained and can be accessed for review or transmission/disclosure. | 7.5.3 – Records of transfer of PII; 7.5.4 – Records of disclosure of PII |
| | | CM.AW-P5: Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem. | 7.3.6 – Access, correction and/or erasure |
| | | CM.AW-P6: Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure. | 7.3.7 – PII controllers' obligations to inform third parties |
| | | CM.AW-P7: Impacted individuals and organizations are notified about a privacy breach or event. | 7.3.7 – PII controllers' obligations to inform third parties |
| | | CM.AW-P8: Individuals are provided with mitigation mechanisms to address impacts to individuals that arise from data processing. | 6.13.1.1 – Responsibilities and procedures (incident management) |
| PROTECT-P (PR-P): Develop and implement appropriate data processing safeguards. | Identity Management, Authentication, and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. | PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. | 6.6.2.2 – User access provisioning |
| | | PR.AC-P2: Physical access to data and devices is managed. | 6.8 – Physical and environmental security |
| | | PR.AC-P3: Remote access is managed. | 6.3.2.2 – Teleworking |
| | | PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. | 6.9.6.2 – Restrictions on software installation; 6.3.1.2 – Segregation of duties |
| | | PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). | 6.10.1.3 – Segregation in networks |
| | | PR.AC-P6: Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks). | 6.6 – Access control |
| | Data Security (PR.DS-P): Data are managed consistent with the organization's risk strategy to protect individuals' privacy and maintain data confidentiality, integrity, and availability. | PR.DS-P1: Data-at-rest are protected. | 6.7 – Cryptographic controls; 7.4.2 – Limit processing; 7.4.4 – PII minimization objectives; 7.4.5 – PII de-identification and deletion at the end of processing; 7.4.6 – Temporary files; 7.4.7 – Retention; 7.4.8 – Disposal |
| | | PR.DS-P2: Data-in-transit are protected. | 7.4.9 – PII transmission controls |
| | | PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition. | 7.4.7 – Retention; 7.4.8 – Disposal |
| | | PR.DS-P4: Adequate capacity to ensure availability is maintained. | 6.9.1.3 – Capacity management |
| | | PR.DS-P5: Protections against data leaks are implemented. | 6.5.3.2 – Disposal of media; 6.8.2.1 – Equipment siting and protection; 6.11.2.4 – Restrictions on changes to software packages; 6.10.2.4 – Confidentiality or non-disclosure agreements |
| | | PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. | 6.7.1 – Cryptographic controls; 6.9.5 – Control of operational software |
| | | PR.DS-P7: The development and testing environment(s) are separate from the production environment. | 6.9.1.4 – Separation of development, testing and operational environments |
| | | PR.DS-P8: Integrity checking mechanisms are used to verify hardware integrity. | 6.6.2.4 – Management of secret authentication information of users; 6.15.2.3 – Technical compliance review |
| | Data Protection Policies, Processes, and Procedures (PR.DP-P): Security and privacy policies (which address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage the protection of data. | PR.DP-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality). | 7.4.4 – PII minimization objectives |
| | | PR.DP-P2: Configuration change control processes are established and in place. | 6.6.2.2 – User access provisioning; 6.9.1.2 – Change management |
| | | PR.DP-P3: Backups of information are conducted, maintained, and tested. | 6.9.3 – Backup |
| | | PR.DP-P4: Policy and regulations regarding the physical operating environment for organizational assets are met. | 6.8 – Physical and environmental security |
| | | PR.DP-P5: Protection processes are improved. | 5.8 – Improvement |
| | | PR.DP-P6: Effectiveness of protection technologies is shared. | 5.7.3 – Management review |
| | | PR.DP-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. | 6.14.1.1 – Planning information security continuity |
| | | PR.DP-P8: Response and recovery plans are tested. | 6.14.1.3 – Verify, review and evaluate information security continuity |
| | | PR.DP-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening). | 6.6.2.1 – User registration and de-registration |
| | | PR.DP-P10: A vulnerability management plan is developed and implemented. | 6.9.6 – Technical vulnerability management |
| | Maintenance (PR.MA-P): System maintenance and repairs are performed consistent with policies, processes, and procedures. | PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. | 6.9.2.1 – Controls against malware (establishing a formal policy prohibiting the use of unauthorized software; ISO/IEC 27002 12.2.1) |
| | | PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. | 6.3.2.2 – Teleworking |
| | Protective Technology (PR.PT-P): Technical security solutions are managed to ensure the security and resilience of systems/products/services and associated data, consistent with related policies, processes, procedures, and agreements. | PR.PT-P1: Removable media is protected and its use restricted according to policy. | 6.5.3.1 – Management of removable media |
| | | PR.PT-P2: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. | 7.4.4 – PII minimization objectives |
| | | PR.PT-P3: Communications and control networks are protected. | 6.10 – Communications security |
| | | PR.PT-P4: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations. | 6.14.2.1 – Availability of information processing facilities |