Lefkovitz told the audience that privacy should be considered as part of organizations’ “broader enterprise risk management activity.” She explained the Privacy Framework’s identify, protect, control, inform and respond functions. On protection, she discussed the overlap with data security and said NIST is considering including privacy engineering, information lifecycle and cryptographic techniques in the protection concept.
“We are trying to provide concepts to act as a foundation for more clearly defined relationships between privacy and security,” Lefkovitz said. “Privacy risk is more than data risk – companies also process data, over the entire lifecycle, from collection through disposal. And they need to process that data to achieve business or data objectives – but there can be unintended consequences and privacy issues can arise for individuals.”
Kevin Stine, chief of NIST’s applied cybersecurity division, joined Lefkovitz to discuss the Privacy Framework, which is expected to be completed by October. The report said NIST is looking for comments on the framework and will host a live webinar on March 14 and a workshop in May.