Privacy Professionals Needed in NIST Framework Process
In February of this year, the White House issued an Executive Order (EO) tasking NIST (National Institute of Standards and Technology) to develop a Cybersecurity Framework aimed at reducing cybersecurity risk to the nation’s critical infrastructure. The EO calls for a framework that provides a “prioritized, flexible, repeatable, performance-based, and cost effective approach” for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk. Further, it instructs that the Framework incorporate privacy and civil liberties protections.
NIST recently released the Preliminary Cybersecurity Framework and with it opened the 45-day public comment period, which closes December 13, 2013. In particular, Appendix B of the Preliminary Framework will be of interest to privacy professionals, as it proposes a methodology to help protect privacy.
As a privacy professional, I am grateful that the White House recognized the importance of privacy in cybersecurity. NIST in turn has taken meaningful steps to include privacy as part of its Framework. Now that the Preliminary Framework is available it is critical that members of our profession provide feedback to NIST on its applicability.
While cybersecurity experts have been very engaged with NIST throughout the Framework drafting process, privacy professionals have been less deeply involved. Whether or not your organization chooses to adopt the Framework, it may impact your privacy governance programs and data-related practices. Let’s start exploring and discussing these implications.
The NIST Framework presents a unique opportunity for privacy professionals to deepen our partnership with cybersecurity colleagues. Together, we can best understand how the Framework might apply to our organizations and how it could be implemented. Our privacy point of view is critical to fulfilling the intent of the EO and the Framework. And while the Preliminary Framework is US-centric, similar dialogues are beginning to occur around the globe, highlighting the need for greater integration between the privacy and cybersecurity communities.
NIST is holding its next Framework workshop on November 14-15 in Raleigh, North Carolina. Talk with your cybersecurity counterparts, discuss how your organization is engaging in this process and bring your privacy perspective into the conversation.
About the Author
Before joining Microsoft, Lynch led the privacy and risk solutions business at software maker Watchfire. Prior to entering the software industry in 2002, Lynch spent nine years in Europe and North America with PricewaterhouseCoopers, where he provided consulting services in relation to privacy and risk management.
Lynch serves on the Board of Directors of the International Association of Privacy Professionals (IAPP), is a Certified Information Privacy Professional (CIPP) and holds a business degree from the University of Waikato, in his home country of New Zealand.