The Skill Set Needed To Implement The NIST Privacy Framework

The Skill Set Needed
to Implement the NIST

Privacy Framework
By IAPP Data Scientist & Strategist Suzannah Hicks
The Skill Set Needed to Implement
the NIST Privacy Framework
NIST Privacy Framework Version 1.0 alignment
with IAPP CIPM certification
By IAPP Data Scientist & Strategist Suzannah Hicks
T
o offer insight into the professional skillset needed to implement the NIST
Privacy Framework, the International Association of Privacy Professionals’
Westin Research Center mapped the Privacy Framework’s Core to the Body
of Knowledge for a Certified Information Privacy Manager. This body of knowledge
was created by the IAPP’s certification advisory board to reflect the skillset and
knowledge required by a privacy professional working in the field. It is annually
updated, as required by IAPP’s ANSI accreditation, through a formal process to
determine what professionals in the field are currently doing, under what conditions,
and with what levels of knowledge and skill. The IAPP’s CIPM certification is then
updated to align with this body of knowledge. The CIPM Body of Knowledge was
updated June 1, 2020 and this document reflects the current version.
As a privacy risk management framework, niques under the disassociated processing

NIST’s Privacy Framework aligns closely category will need more technical knowledge,
with the CIPM body of knowledge. However, such as that reflected in IAPP’s CIPT body
it should be noted that as a framework of knowledge. The NIST Framework and the
designed to bring together stakeholders CIPM body of knowledge can serve as the
across disciplines, additional skills are needed bridge between these stakeholders.
to go deeper into certain aspects of the
Privacy Framework. For instance, lawyers The IAPP’s Westin Research Center developed
implementing the governance policies, pro- the following table to document how NIST’s
cesses, and procedures category will require Privacy Framework, and more generally a risk
greater familiarity with the legal regimes in management framework designed to bring
the jurisdictions in which their organizations together security and privacy professionals,
operate, skillsets more closely aligned with aligns with IAPP’s CIPM certification. The
IAPP’s regionally based CIPP bodies of first mapping of the NIST Privacy Frame-
knowledge. Similarly, privacy engineers work’s Core to the CIPM Body of Knowledge
assessing options for de-identification tech- can help inform privacy professionals seeking
International Association of Privacy Professionals • iapp.org 2

to understand the skillset needed to imple- certifications are continually refined to meet
ment the Privacy Framework. The second the needs of the privacy profession across
mapping of the CIPM to the NIST Framework sectors and disciplines.
will inform IAPP’s own work to ensure its
Mapping the NIST privacy framework core v1.0 to

IAPP’s CIPM body of knowledge v2.04
NIST Privacy Framework Core

IAPP Certified Information Privacy
Manager (CIPM) Body of Knowledge v2.04
Function Category
Domain III. Privacy Operational Life Cycle:

Privacy Operational Life Cycle: Assess
A. Document current baseline of your
privacy program.
a. Education and awareness.
Identify-P Inventory and b. Monitoring and responding to the
(ID-P): Develop Mapping (ID.IM-P): regulatory environment.
the organizational Data processing by c. Internal policy compliance.
understanding to systems, products, d. Data, systems and process assessment.
manage privacy or services is under- i. Map data inventories, flows and
risk for individuals stood and informs classification.
arising from data the management of ii. Create “record of authority” of
processing. privacy risk. systems processing personal infor-
mation within the organization.
1. Map and document data flow in
systems and applications.
2. Analyze and classify types and
uses of data.

NIST PRIVACY FRAMEWORK CORE V1.0 TO IAPP CIPM BODY OF KNOWLEDGE V2.04
Function Category
Domain I. Developing a Privacy Program

A. Create a company vision.
a. Acquire knowledge on privacy
approaches.
b. Evaluate the intended objective.
c. Gain executive sponsor approval for
this vision.
C. Establish a privacy program
a. Define program scope and charter.
b. Identify the source, types, and uses of
personal information (PI) within the
Business Environ- organization and the applicable laws.
ment (ID.BE-P): c. Develop a privacy strategy.
The organization’s a. Business alignment.
mission, objectives, i. Finalize the operational business
stakeholders, and case for privacy.
activities are under- ii. Identify stakeholders.
stood and prioritized; iii. Leverage key functions.
this information is iv. Create a process for interfacing
used to inform privacy within organization.
roles, responsibilities, v. Align organizational culture
and risk management and privacy/data protection
decisions. objectives.
b. Obtain funding/budget for privacy
and the privacy team.
c. Develop a data governance strategy
for personal information (collection,
authorized use, access, destruction).
d. Plan inquiry/complaint handling
procedures (customers,
regulators, etc.).
e. Ensure program flexibility in order
to incorporate legislative/regula-
tory/market/business requirements.

Function Category
Domain III. Privacy Operational Life

Cycle: Assess
privacy program.
d. Data, systems and process assessment.
i. Map data inventories, flows and
classification.
ii. Create “record of authority” of
systems processing personal infor-
e. Risk assessment (PIAs, etc.).
C. Physical assessments.
Risk Assessment
a. Identify operational risk.
(ID.RA-P): The orga-
i. Data centers and offices.
nization understands
ii. Physical access controls.
the privacy risks to
iii. Document destruction.
individuals and how
iv. Media sanitization and disposal
such privacy risks
(e.g., hard drives, USB/thumb
may create follow-on
drives, etc.).
impacts on organi-
v. Device forensics.
zational operations,
vi. Device security (e.g., mobile devices,
including mission,
Internet of Things (IoT), geo-track-
functions, other risk
ing, imaging/copier hard drive
management priorities
security controls).
(e.g., compliance,
D. Mergers, acquisitions and divestitures.
financial), reputation,
a. Due diligence.
workforce, and
b. Risk assessment.
culture.
E. Privacy Impact Assessments (PIAs)
and Data Protection Impact
Assessments (DPIAs).
a. Privacy Threshold Analysis (PTAs) on
systems, applications and processes.
b. Privacy Impact Assessments (PIAs).
i. Define a process for conducting
Privacy Impact Assessments.
1. Understand the life cycle
of a PIA.
2. Incorporate PIA into system,
process, product life cycles.

Function Category

Cycle: Assess
B. Processors and third-party vendor
assessment.
a. Evaluate processors and third-party
vendors, insourcing and outsourcing
privacy risks, including rules of interna-
tional data transfer.
Data Processing Eco-
i. Privacy and information security
system Risk Man-
policies.
agement (ID.DE-P):
ii. Access controls.
The organization’s
iii. Where personal information
priorities, constraints,
is being held.
risk tolerance, and
iv. Who has access to personal
assumptions are
information.
established and
b. Understand and leverage the different
used to support risk
types of relationships.
decisions associated
i. Internal audit.
with managing privacy
ii. Information security.
risk and third parties
iii. Physical security.
within the data
iv. Data protection authority.
processing ecosystem.
c. Risk assessment.
The organization has
i. Type of data being outsourced.
established and imple-
ii. Location of data.
mented the processes
iii. Implications of cloud computing
to identify, assess,
strategies.
and manage privacy
iv. Legal compliance.
risks within the data
v. Records retention.
processing ecosystem.
vi. Contractual requirements (incident
response, etc.).
vii. Establish minimum standards for
safeguarding information.
d. Contractual requirements.
e. Ongoing monitoring and auditing
Processors and third-party
vendor assessment.

Function Category

A. Create a company vision.
approaches.
b. Evaluate the intended objective.
c. Gain executive sponsor approval for
this vision.
B. Establish Data Governance model.
a. Centralized.
b. Distributed.
c. Hybrid.
C. Establish a privacy program.
Governance Policies,
Processes, and
Govern-P (GV-P): b. Identify the source, types, and uses of
Procedures
Develop and imple- personal information (PI) within the
(GV.PO-P):
ment the organiza- organization and the applicable laws.
The policies, pro-
tional governance c. Develop a privacy strategy.
cesses, and proce-
structure to a. Business alignment.
dures to manage and
enable an ongoing i. Finalize the operational business
monitor the organiza-
understanding of case for privacy.
tion’s regulatory, legal,
the organization’s ii. Identify stakeholders.
risk, environmental,
risk management iii. Leverage key functions.
and operational
priorities that iv. Create a process for interfacing
requirements are
are informed by within organization.
understood and
privacy risk. v. Align organizational culture
inform the manage-
and privacy/data protection
ment of privacy risk.
objectives.
b. Obtain funding/budget for privacy
and the privacy team.
c. Develop a data governance strategy
for personal information (collection,
authorized use, access, destruction).
regulators, etc.).
e. Ensure program flexibility in order
to incorporate legislative/regula-
tory/market/business requirements.

Function Category
D. Structure the privacy team.

a. Establish the organizational model,
responsibilities and reporting
structure appropriate to the size
of the organization.
i. Large organizations.
1. Chief privacy officer.
2. Privacy manager.
3. Privacy analysts.
4. Business line privacy leaders.
5. “First responders.”
ii. Small organizations/sole data
protection officer (DPO) including
when not only job.
b. Designate a point of contact for
privacy issues.
c. Establish/endorse the measurement
of professional competency.
E. Communicate.
a. Awareness.
i. Create awareness of the organiza-
tion’s privacy program internally
and externally.
ii. Develop internal and external
communication plans to ingrain
organizational accountability.
iii. Identify, catalog and maintain
documents requiring updates as
privacy requirements changes.

Function Category
Domain II. Privacy Program Framework

A. Develop the Privacy Program Framework.
a. Develop organizational privacy policies,
standards and/or guidelines.
b. Define privacy program activities.
i. Education and awareness.
ii. Monitoring and responding to
the regulatory environment.
iii. Internal policy compliance.
iv. Data inventories, data flows,
and classification.
v. Risk assessment (Privacy
Impact Assessments [PIAs])
(e,g., DPIAs etc.).
vi. Incident response and process,
including jurisdictional regulations.
vii. Remediation.
viii. Program assurance,
including audits.
B. Implement the Privacy Program
Framework.
a. Communicate the framework to inter-
nal and external stakeholders.
b. Ensure continuous alignment to appli-
cable laws and regulations to support
the development of an organizational
privacy program framework.
i. Understand when national laws and
regulations apply (e.g. GDPR).
ii. Understand when local laws and
regulations apply (e.g. CCCPA).
iii. Understand penalties for noncom-
pliance with laws and regulations.
iv. Understand the scope and author-
ity of oversight agencies (e.g., Data
Protection Authorities, Privacy
Commissioners, Federal Trade
Commission, etc.).
v. Understand privacy implications of
doing business with or basing oper-
ations in countries with inadequate,
or without, privacy laws.

Function Category
vi. Maintain the ability to manage a

global privacy function.
vii. Maintain the ability to track mul-
tiple jurisdictions for changes in
privacy law.
viii. Understand international data
sharing arrangement agreements.
III. Privacy Operational Life Cycle: Privacy

Operational Life Cycle: Assess
E. Privacy Impact Assessments (PIAs) and
Risk Management
Data Protection Impact Assessments
Strategy (GV.RM-P):
(DPIAs).
priorities, constraints,
risk tolerances, and
assumptions are
established and used
Privacy Impact Assessments.
to support operational
1. Understand the life cycle
risk decisions.
of a PIA.
Awareness and
Training (GV.AT-P):
workforce and third
E. Communicate.
parties engaged in
a. Awareness.
data processing are
provided privacy
awareness education
and externally.
and are trained to
ii. Develop internal and external
perform their pri-
communication plans to ingrain
vacy-related duties
organizational accountability.
and responsibilities
iii. Identify, catalog and maintain docu-
consistent with related
ments requiring updates as privacy
policies, processes,
requirements changesEducation
procedures, and
and awareness.
agreements and
organizational
privacy values.

Function Category
Domain V. Privacy Operational Life

Cycle: Sustain
B. Audit.
e. Targeted employee, management and
contractor training.
i. Privacy policies.
ii. Operational privacy practices (e.g.,
standard operating instructions),
such as:
1. Data creation/usage/retention/
disposal.
2. Access control.
3. Reporting incidents.
4. Key contacts.

c. Develop a privacy strategy.
Monitoring and regulators, etc.).
Review (GV.
MT-P): The policies, Domain II. Privacy Program Framework
processes, and A. Develop the Privacy Program Framework.
procedures for b. Define privacy program activities.
ongoing review of the i. Education and awareness.
organization’s privacy ii. Monitoring and responding to
posture are under- the regulatory environment.
stood and inform iii. Internal policy compliance.
the management of iv. Data inventories, data flows,
privacy risk. and classification.
v. Risk assessment (Privacy
Impact Assessments [PIAs])
(e,g., DPIAs etc.).
vi. Incident response and process,
including jurisdictional regulations.

Function Category
C. Develop Appropriate Metrics.

a. Identify intended audience for metrics.
b. Define reporting resources.
c. Define privacy metrics for oversight
and governance per audience.
i. Compliance metrics (examples,
will vary by organization).
1. Collection (notice).
2. Responses to data subject
inquiries.
3. Use.
4. Retention.
5. Disclosure to third parties.
6. Incidents (breaches, complaints,
inquiries).
7. Employees trained.
8. PIA metrics.
9. Privacy risk indicators.
10. Percent of company functions
represented by governance
mechanisms.
ii. Trending.
iii. Privacy program return on
investment (ROI).
iv. Business resiliency metrics Privacy
program maturity level.
v. Resource utilization.
d. Identify systems/application
collection points.

Function Category

Cycle: Assess
privacy program.
b. Monitoring and responding to
c. Internal policy compliance.
d. Data, systems and process assessment.
i. Map data inventories, flows
and classification.
ii. Create “record of authority” of
systems processing personal infor-
1. Map and document data flow in
systems and applications.
2. Analyze and classify types and
uses of data.
e. Risk assessment (PIAs, etc.).
f. Incident response.
g. Remediation.
h. Determine desired state and perform
gap analysis against an accepted
standard or law (including GDPR).
i. Program assurance, including audits.

Cycle: Sustain
A. Monitor.
a. Environment (e.g., systems,
applications) monitoring.
b. Monitor compliance with
established privacy policies.
c. Monitor regulatory and
legislative changes.
d. Compliance monitoring (e.g.
collection, use and retention).
i. Internal audit.
ii. Self-regulation.
iii. Retention strategy.
iv. Exit strategy.

Function Category
Domain VI. Privacy Operational Life

Cycle: Respond
B. Privacy incident response.
a. Legal compliance.
i. Preventing harm.
ii. Collection limitations.
iii. Accountability.
iv. Monitoring and enforcement.
b. Incident response planning.
i. Understand key roles and
responsibilities.
1. Identify key business
stakeholders.
1. Information security.
2. Legal.
3. Audit.
4. Human resources.
5. Marketing.
6. Business development.
7. Communications and
public relations.
8. Other.
2. Establish incident
oversight teams.
3. Develop a privacy incident
response plan.
4. Identify elements of the privacy
incident response plan.
5. Integrate privacy incident
response into business
continuity planning.
c. Incident detection.
1. Define what constitutes
a privacy incident.
2. Identify reporting process.
3. Coordinate detection
capabilities.
a. Organization IT.
b. Physical security.
c. Human resources.
d. Investigation teams.
e. Vendors.

Function Category
d. Incident handling.
1. Understand key roles and
responsibilities.
2. Develop a communications plan
to notify executive management.
e. Follow incident response process to
ensure meeting jurisdictional, global
and business requirements.
1. Engage privacy team.
2. Review the facts.
3. Conduct analysis.
4. Determine actions (contain,
communicate, etc.).
5. Execute.
6. Monitor.
7. Review and apply
lessons learned.
f. Identify incident reduction techniques.
g. Incident metrics—quantify the cost of
a privacy incident.
Data Processing
Policies, Processes,
and Procedures
(CT.PO-P): Policies,
Control-P (CT-P):
processes, and proce-
Develop and imple-
dures are maintained
ment appropriate Domain I. Developing a Privacy Program
and used to manage
activities to enable C. Establish a privacy program.
data processing (e.g.,
organizations c. Develop a privacy strategy.
purpose, scope, roles
or individuals to iii. Develop a data governance strategy
and responsibilities in
manage data with for personal information (collection,
the data processing
sufficient granu- authorized use, access, destruction).
ecosystem, and
larity to manage
management commit-
privacy risks.
ment) consistent with
the organization’s risk
strategy to protect
individuals’ privacy.

Function Category
Domain IV. Privacy Operational Life

Cycle: Protect
B. Privacy by Design.
a. Integrate privacy throughout the
system development life cycle (SDLC).
b. Establish privacy gates as part of the
system development framework C.
Integrate privacy requirements and
representation into functional areas
across the organization.
i. Informtion security.
ii. IT operations and development.
iii. Business continuity and disaster
recovery planning.
iv. Mergers, acquisitions and
divestitures.
v. Human resources.
vi. Compliance and ethics.
vii. Audit.
viii. Marketing/business development.
ix. Public relations.
x. Procurement/sourcing.
xi. Legal and contracts.
xii. Security/emergency services.
xiii. Finance.
xiv. Others.
D. Other Organizational Measures.
a. Quantify the costs of
technical controls.
b. Manage data retention with respect
to the organization’s policies.
c. Define the methods for physical and
electronic data destruction.
d. Define roles and responsibilities for
managing the sharing and disclosure
of data for internal and external use.

Function Category

Cycle: Assess
E. Privacy Impact Assessments (PIAs)
and Data Protection Impact
Assessments (DPIAs).
Data Processing Privacy Impact Assessments.
Management (CT. 1. Understand the life cycle
DM-P): Data are man- of a PIA.
aged consistent with 2. Incorporate PIA into system,
the organization’s risk process, product life cycles.
strategy to protect
individuals’ privacy, Domain IV. Privacy Operational Life
increase manageabil- Cycle: Protect
ity, and enable the A. Information security practices.
implementation of a. Access controls for physical and
privacy principles (e.g., virtual systems.
individual participa- i. Access control on need to know.
tion, data quality, data ii. Account management
minimization). (e.g., provision process).
iii. Privilege management.
b. Technical security controls.
c. Implement appropriate administrative
safeguards.
B. Privacy by Design.
a. Integrate privacy throughout the
system development life cycle (SDLC).
b. Establish privacy gates as part of the
system development framework.

Function Category

iii. Develop a data governance strategy
Disassociated for personal information (collection,
Processing (CT. authorized use, access, destruction).
DP-P): Data process-
ing solutions increase Domain IV. Privacy Operational Life
disassociability consis- Cycle: Protect
tent with the organi- B. Privacy by Design.
zation’s risk strategy a. Integrate privacy throughout the
to protect individuals’ system development life cycle (SDLC).
privacy and enable b. Establish privacy gates as part of the
implementation of system development framework.
privacy principles (e.g.,
data minimization). Domain VI. Privacy Operational Life
Cycle: Respond
Communication
Policies, Processes,
Communicate-P and Procedures
(CM-P): Develop (CM.PO-P): Policies, Domain I. Developing a Privacy Program
and implement processes, and proce- E. Communicate.
appropriate dures are maintained a. Awareness.
activities to enable and used to increase i. Create awareness of the organiza-
organizations transparency of the tion’s privacy program internally
and individuals organization’s data and externally.
to have a reliable processing practices ii. Develop internal and external
understanding and (e.g., purpose, communication plans to ingrain
engage in a dia- scope, roles and organizational accountability.
logue about how responsibilities in iii. Identify, catalog and maintain docu-
data are processed the data processing ments requiring updates as privacy
and associated ecosystem, and requirements changes.
privacy risks. management commit-
ment) and associated
privacy risks.

Function Category

E. Communicate.
a. Awareness.
Data Processing and externally.
Awareness (CM. ii. Develop internal and external
AW-P): Individuals communication plans to ingrain
and organizations organizational accountability.
have reliable knowl- iii. Identify, catalog and maintain docu-
edge about data ments requiring updates as privacy
processing practices requirements changes.
and associated privacy Domain VI. Privacy Operational Life
risks, and effective Cycle: Respond
mechanisms are used A. Data-subject information requests and
and maintained to privacy rights.
increase predictability a. Access.
consistent with the b. Redress.
organization’s risk c. Correction.
strategy to protect d. Managing data integrity.
individuals’ privacy. B. Privacy incident response.
i. Preventing harm.

Function Category
b. Incident response planning.

i. Understand key roles and
responsibilities.
1. Identify key business
stakeholders.
1. Information security.
2. Legal.
3. Audit.
4. Human resources.
5. Marketing.
6. Business development.
7. Communications and
public relations.
8. Other.
2. Establish incident
oversight teams.
response plan.
c. Incident detection.
1. Define what constitutes
a privacy incident.
2. Identify reporting process.
3. Coordinate detection capabilities.
a. Organization IT.
c. Human resources.
e. Vendors.
responsibilities.
2. Develop a communications plan
to notify executive management.
e. Follow incident response process to
ensure meeting jurisdictional, global
and business requirements.

Function Category

communicate, etc.).
5. Execute.
6. Monitor.
7. Review and apply
lessons learned.
f. Identify incident reduction techniques.
g. Incident metrics—quantify the cost of
a privacy incident.
Domain VI. Privacy Operational Life

Cycle: Respond
i. Preventing harm.
Data Protection b. Incident response planning.
Policies, Processes, i. Understand key roles and
and Procedures responsibilities.
(PR.PO-P): Security 1. Identify key business
and privacy policies stakeholders.
Protect-P (PR-P): (e.g., purpose, scope, 1. Information security.
Develop and imple- roles and responsi- 2. Legal.
ment appropriate bilities in the data 3. Audit.
data processing processing ecosystem, 4. Human resources.
safeguards. and management 5. Marketing.
commitment), pro- 6. Business development.
cesses, and proce- 7. Communications and
dures are maintained public relations.
and used to manage 8. Other.
the protection of data. 2. Establish incident
oversight teams.
response plan.

Function Category

Cycle: Sustain
A. Monitor.
a. Environment (e.g., systems,
applications) monitoring.
b. Monitor compliance with
established privacy policies.
legislative changes.
d. Compliance monitoring (e.g.
collection, use and retention).
i. Internal audit.
iii. Retention strategy.
iv. Exit strategy.
Identity Manage-
ment, Authentica-
tion, and Access
Cycle: Protect
Control (PR.AC-P):
A. Information security practices.
Access to data and
a. Access controls for physical and
devices is limited to
virtual systems.
authorized individ-
i. Access control on need to know.
uals, processes, and
ii. Account management (e.g.,
devices, and is man-
provision process).
aged consistent with
iii. Privilege management.
the assessed risk of
unauthorized access.
Data Security
(PR.DS-P): Data are
managed consistent
with the organization’s Domain V. Privacy Operational Life
risk strategy to Cycle: Protect
protect individuals’ A. Information security practices.
privacy and maintain b. Technical security controls.
data confidentiality,
integrity, and
availability.

Function Category
Maintenance
(PR.MA-P): System Domain V. Privacy Operational Life
maintenance and Cycle: Protect
repairs are performed A. Information security practices.
consistent with c. Implement appropriate
policies, processes, administrative safeguards.
and procedures.

Cycle: Assess
Protective Tech-
C. Physical assessments.
nology (PR.PT-P):
Technical security
i. Data centers and offices.
solutions are managed
ii. Physical access controls.
to ensure the security
iii. Document destruction.
and resilience of
iv. Media sanitization and disposal
systems/products/ser-
(e.g., hard drives, USB/thumb
vices and associated
drives, etc.).
data, consistent with
v. Device forensics.
related policies, pro-
vi. Device security (e.g., mobile
cesses, procedures,
devices, Internet of Things (IoT),
and agreements.
geo-tracking, imaging/copier
hard drive security controls).

Mapping IAPP’s CIPM body of knowledge v2.04 to
the NIST privacy framework core v1.0
IAPP Certified Information Privacy Manager

(CIPM) Body of Knowledge v2.04
Business Environment (ID.BE-P):

The organization’s mission, objectives,
stakeholders, and activities are
A. Create a company vision
understood and prioritized; this

information is used to inform privacy
roles, responsibilities, and risk

approaches. management decisions.
b. Evaluate the intended objective. Governance Policies, Processes,
c. Gain executive sponsor approval and Procedures (GV.PO-P): The
for this vision. policies, processes, and procedures
to manage and monitor the organiza-
tion’s regulatory, legal, risk, environ-
mental, and operational requirements
are understood and inform the
management of privacy risk.
Governance Policies, Processes,

Governance model
B. Establish a Data
and Procedures (GV.PO-P): The

policies, processes, and procedures
a. Centralized.
b. Distributed.
c. Hybrid.

IAPP CIPM BODY OF KNOWLEDGE V2.04 TO NIST PRIVACY FRAMEWORK CORE V1.0

b. Identify the source, types, and uses
of personal information (PI) within
the organization and the applicable
laws.
a. Business alignment.
i. Finalize the operational
business case for privacy. Inventory and Mapping (ID.IM-P):
ii. Identify stakeholders.
C. Establish a privacy program
Data processing by systems, products,

iii. Leverage key functions. or services is understood and informs
iv. Create a process for interfac- the management of privacy risk.
ing within organization.
v. Align organizational culture Governance Policies, Processes,
and privacy/data protection and Procedures (GV.PO-P): The
objectives. policies, processes, and procedures
b. Obtain funding/budget for to manage and monitor the organiza-
privacy and the privacy team. tion’s regulatory, legal, risk, environ-
c. Develop a data governance mental, and operational requirements
strategy for personal informa- are understood and inform the
tion (collection, authorized use, management of privacy risk.
access, destruction).
e. Plan inquiry/complaint handling
procedures (customers, regula-
tors, etc.).
f. Ensure program flexibility in
order to incorporate legislative/
regulatory/market/business
requirements.

a. Establish the organizational model,

responsibilities and reporting
structure appropriate to the size of
the organization.
D. Structure the privacy team
i. Large organizations.
1. Chief privacy officer.
2. Privacy manager.
3. Privacy analysts.
4. Business line privacy leaders.
5. “First responders.”
ii. Small organizations/sole data
protection officer (DPO) includ-
ing when not only job.
b. Designate a point of contact for
privacy issues.
c. Establish/endorse the measurment
of professional competency.

Awareness and Training (GV.AT-P):

The organization’s workforce and third
parties engaged in data processing are
provided privacy awareness education
and are trained to perform their priva-
cy-related duties and responsibilities
consistent with related policies, pro-
cesses, procedures, and agreements
and organizational privacy values.
a. Awareness. Communication Policies, Pro-
i. Create awareness of the orga- cesses, and Procedures (CM.PO-P):
nization’s privacy program Policies, processes, and procedures
E. Communicate
internally and externally. are maintained and used to increase

ii. Develop internal and external transparency of the organization’s
communication plans to ingrain data processing practices (e.g., pur-
organizational accountability. pose, scope, roles, responsibilities,
iii. Identify, catalog and maintain management commitment, and
documents requiring updates as coordination among organizational
privacy requirements change. entities) and associated privacy risks.
Data Processing Awareness
(CM.AW-P): Individuals and orga-
nizations have reliable knowledge
about data processing practices and
associated privacy risks, and effective
mechanisms are used and maintained
to increase predictability consistent
with the organization’s risk strategy
to protect individuals’ privacy.


Inventory and Mapping (ID.IM-P):
Data processing by systems, products,
or services is understood and informs
the management of privacy risk.
Risk Assessment (ID.RA-P): The
a. Develop organizational privacy pol- organization understands the privacy
icies, standards and/or guidelines. risks to individuals and how such
A. Develop the Privacy Program Framework
Domain II. Privacy Program Framework
b. Define privacy program activities. privacy risks may create follow-on

i. Education and awareness. impacts on organizational operations,
ii. Monitoring and responding to including mission, functions, reputa-
the regulatory environment. tion, other risk management priorities
iii. Internal policy compliance. (e.g. compliance, financial), reputation,
iv. Data inventories, data flows, workforce, and culture.
and classification. Awareness and Training (GV.AT-P):
v. Risk assessment (Privacy The organization’s workforce and third
Impact Assessments [PIAs]) parties engaged in data processing are
(e,g., DPIAs etc.). provided privacy awareness education
vi. Incident response and and are trained to perform their priva-
process, including jurisdictional cy-related duties and responsibilities
regulations. consistent with related policies, pro-
vii. Remediation. cesses, procedures, and agreements
viii. Program assurance, and organizational privacy values.
including audits.
Monitoring and Review (GV.
MT-P): The policies, processes, and
procedures for ongoing review of the
organization’s privacy posture are
understood and inform the manage-
Data Protection Policies, Processes,
and Procedures (PR.PO-P): Security
and privacy policies (e.g., purpose,
scope, roles and responsibilities in the
data processing ecosystem, and man-
agement commitment), processes, and
procedures are maintained and used
to manage the protection of data.

a. Communicate the framework to

internal and external stakeholders.
b. Ensure continuous alignment to
Communication Policies, Pro-
applicable laws and regulations
cesses, and Procedures (CM.PO-P):
to support the development
Policies, processes, and procedures
of an organizational privacy
are maintained and used to increase
program framework.
transparency of the organization’s
i. Understand when national
data processing practices (e.g., pur-
laws and regulations apply
B. Implement the Privacy Program Framework
pose, scope, roles, responsibilities,

(e.g. GDPR).
management commitment, and
ii. Understand when local laws and
coordination among organizational
regulations apply (e.g. CCPA).
entities) and associated privacy risks.
iii. Understand penalties for
noncompliance with laws Data Processing Awareness
and regulations. (CM.AW-P): Individuals and orga-
iv. Understand the scope and nizations have reliable knowledge
authority of oversight agencies about data processing practices and
(e.g., Data Protection Author- associated privacy risks, and effective
ities, Privacy Commissioners, mechanisms are used and maintained
Federal Trade Commission, etc.). to increase predictability consistent
v. Understand privacy implications with the organization’s risk strategy
of doing business with or to protect individuals’ privacy.
basing operations in countries
with inadequate, or without,
privacy laws.
vi. Maintain the ability to manage
a global privacy function.
vii. Maintain the ability to track
multiple jurisdictions for
changes in privacy law.
viii. Understand international
data sharing arrangement
agreements.

a. Identify intended audience

for metrics.
b. Define reporting resources.
c. Define privacy metrics for over-
sight and governance per audience.
i. Compliance metrics (examples,
will vary by organization):
1. Collection (notice).
2. Response to data
C. Develop Appropriate Metrics
subject inquiries.
3. Use.
4. Retention.
Monitoring and Review
5. Disclosure to third parties.
(GV.MT-P): The policies, processes,
6. Incidents (breaches,
and procedures for ongoing review
complaints, inquiries).
of the organization’s privacy posture
7. Employees trained.
8. PIA metrics.
9. Privacy risk indicators.
10. Percent of company
functions represented by
governace mechanisms.
ii. Trending.
iii. Privacy program return
on investment (ROI).
iv. Business resiliency metrics.
v. Privacy program maturity level.
vi. Resource utilization.
d. Identify systems/application
collection points.


b. Monitoring and responding to
A. Document current baseline of your privacy program
Domain III. Privacy Operational Life Cycle: Assess
c. Internal policy compliance.

d. Data, systems and process
assessment. Inventory and Mapping (ID.IM-P):
i. Map data inventories, flows Data processing by systems, products,
and classification. or services is understood and informs
ii. Create “record of authority” of the management of privacy risk.
systems processing personal
information within the Risk Assessment (ID.RA-P): The
organization. organization understands the privacy
1. Map and document data flow risks to individuals and how such
in systems and applications. privacy risks may create follow-on
2. Analyze and classify types impacts on organizational operations,
and uses of data. including mission, functions, reputa-
e. Risk assessment (PIAs, etc.). tion, other risk management priorities
f. Incident response. (e.g. compliance, financial), reputation,
g. Remediation. workforce, and culture.
h. Determine desired state and
perform gap analysis against
an accepted standard or law
(including GDPR).
h. Program assurance, including audits.

a. Evaluate processors and third-

party vendors, insourcing and
outsourcing privacy risks, including
rules of international data transfer.
i. Privacy and information
security policies.
ii. Access controls.
B. Processors and third-party vendor assessment
iii. Where personal information

is being held.
iv. Who has access to personal Data Processing Ecosystem Risk
information. Management (ID.DE-P): The orga-
b. Understand and leverage the nization’s priorities, constraints, risk
different types of relationships. tolerances, and assumptions are
i. Internal audit. established and used to support risk
ii. Information security. decisions associated with managing
iii. Physical security. privacy risk and third parties within
iv. Data protection authority. the data processing ecosystem. The
c. Risk assessment. organization has established and
i. Type of data being outsourced. implemented the processes to identify,
ii. Location of data. assess, and manage privacy risks
iii. Implications of cloud within the data processing ecosystem.
computing strategies.
iv. Legal compliance.
v. Records retention.
vi. Contractual requirements
(incident response, etc.).
vii. Establish minimum standards
for safeguarding information.
d. Contractual requirements.
e. Ongoing monitoring and auditing.

i. Data centers and offices. Risk Assessment (ID.RA-P): The
D. Physical assessments
ii. Physical access controls. organization understands the privacy

iii. Document destruction. risks to individuals and how such
iv. Media sanitization and disposal privacy risks may create follow-on
(e.g., hard drives, USB/thumb impacts on organizational operations,
drives, etc.). including mission, functions, reputa-
v. Device forensics. tion, other risk management priorities
vi. Device security (e.g., mobile, IoT, (e.g. compliance, financial), reputation,
geo-tracking, imaging/copier workforce, and culture.
hard drive security controls).

C. Mergers, acquisitions Risk Assessment (ID.RA-P): The

and divestitures organization understands the privacy
risks to individuals and how such
privacy risks may create follow-on
a. Due diligence.
impacts on organizational operations,
b. Risk assessment.
including mission, functions, reputa-
tion, other risk management priorities
(e.g. compliance, financial), reputation,
workforce, and culture.
Data Protection Impact Assessments (DPIs)
E. Privacy Impact Assessments (PIAs) and
a. Privacy Threshold Analysis

(PTAs) on systems, applications
and processes. Monitoring and Review (GV.
b. Privacy Impact Assessments (PIAs). MT-P): The policies, processes, and
i. Define a process for conducting procedures for ongoing review of the
Privacy Impact Assessments. organization’s privacy posture are
1. Understand the life cycle understood and inform the manage-
of a PIA. ment of privacy risk.

Data Security (PR.DS-P): Data are

managed consistent with the organiza-
tion’s risk strategy to protect individ-
Domain IV. Privacy Operational Life Cycle: Protect
uals’ privacy and maintain data confi-

dentiality, integrity, and availability.
Identity Management, Authentica-
A. Information security practices
tion, and Access Control (PR.AC-P):

a. Access controls for physical Access to data and devices is limited
and virtual systems. to authorized individuals, processes,
i. Access control on need to know. and devices, and is managed consis-
ii. Account management tent with the assessed risk of unau-
(e.g., provision process). thorized access.
iii. Privilege management. Maintenance (PR.MA-P): System
b. Technical security controls. maintenance and repairs are per-
c. Implement appropriate administra- formed consistent with policies,
tive safeguards. processes, and procedures.
Protective Technology (PR.PT-P):
Technical security solutions are
managed to ensure the security
and resilience of systems/products/
services and associated data, consis-
tent with related policies, processes,
procedures, and agreements.

Data Processing Policies, Pro-

cesses, and Procedures (CT.PO-P):
are maintained and used to manage
data processing (e.g., purpose, scope,
roles and responsibilities in the data
processing ecosystem, and manage-
ment commitment) consistent with
the organization’s risk strategy to
protect individuals’ privacy.
B. Privacy by design
Data Processing Management (CT.

a. Integrate privacy throughout
DM-P): Data are managed consistent
the system development life
with the organization’s risk strategy to
cycle (SDLC).
protect individuals’ privacy, increase
b. Establish privacy gates as part
manageability, and enable the imple-
of the system development
mentation of privacy principles (e.g.,
framework.
individual participation, data quality,
data minimization).
Disassociated Processing (CT.
DP-P): Data processing solutions
increase disassociability consistent
with related policies, processes,
procedures, and agreements and the
organization’s risk strategy to protect
individuals’ privacy and enable imple-
mentation of privacy principles (e.g.,
data minimization).

C. Integrate privacy requirements and representation

i. Information security.
into functional areas across the organization
ii. IT operations and development.

iii. Business continuity and disaster
recovery planning.
iv. Mergers, acquisitions
and divestitures.
v. Human resources.
vi. Compliance and ethics.
vii. Audit.
viii. Marketing/business
development.
ix. Public relations.
x. Procurement/sourcing.
xi. Legal and contracts.
xii. Security/emergency services.
xiii. Finance.
xiv. Others.
a. Quantify the costs of

technical controls.
D. Other Organizational
Data Processing Management

b. Manage data retention
(CT.DM-P): Data are managed
with respect to the
consistent with the organization’s risk
Measures
organization’s polices.
strategy to protect individuals’ privacy,
c. Define the methods for physical
increase manageability, and enable the
and electronic data destruction.
implementation of privacy principles
d. Define roles and responsibilities
(e.g., individual participation, data
for managing the sharing and
quality, data minimization).
disclosure of data for internal
and external use.

Monitoring and Review (GV.

a. Environment (e.g. systems, MT-P): The policies, processes, and
applications) monitoring. procedures for ongoing review of the
b. Monitor compliance with organization’s privacy posture are
established privacy policies. understood and inform the manage-
A. Monitor

legislative changes. Data Protection Policies, Processes,
d. Compliance monitoring (e.g. and Procedures (PR.PO-P): Security
collections, use and retention). and privacy policies (e.g., purpose,
i. Internal audit. scope, roles and responsibilities in the
Domain V. Privacy Operational Life Cycle: Sustain
data processing ecosystem, and man-

iii. Retention strategy. agement commitment), processes, and
iv. Exit strategy. procedures are maintained and used
to manage the protection of data.
a. Align privacy operations to an

internal and external compliance
audit program.
i. Knowledge of audit processes.
ii. Align to industry standards.
b. Audit compliance with privacy
policies and standards.
c. Audit data integrity and quality
and communicate audit findings
Monitoring and Review
with stakeholders.
(GV.MT-P): The policies, processes,
d. Audit information access, modifica-
B. Audit
and procedures for ongoing review

tion and disclosure accounting.
of the organization’s privacy posture
e. Targeted employee, management
and contractor training.
i. Privacy policies.
ii. Operational privacy practices
(e.g., standard operating instruc-
tions), such as:
1. Data creation/usage/
retention/disposal.
2. Access control.
3. Reporting incidents.
4. Key contacts.


A. Data-subject information requests and privacy rights
Domain VI. Privacy Operational Life Cycle: Respond

Data Processing Management
(CT.DM-P): Data are managed
a. Access.
consistent with the organization’s risk
b. Redress.
strategy to protect individuals’ privacy,
c. Correction.
increase manageability, and enable the
d. Managing data integrity.
implementation of privacy principles
(e.g., individual participation, data
quality, data minimization).
Data Processing Awareness
(CM.AW-P): Individuals and orga-
nizations have reliable knowledge
about data processing practices and
associated privacy risks, and effective
mechanisms are used and maintained
to increase predictability consistent
with the organization’s risk strategy
to protect individuals’ privacy.

i. Preventing harm.
iv. Monitoring and enforcement. Governance Policies, Processes,
b. Incident response planning. and Procedures (GV.PO-P): The
i. Understand key roles policies, processes, and procedures
and responsibilities. to manage and monitor the organiza-
1. Identify key business tion’s regulatory, legal, risk, environ-
stakeholders. mental, and operational requirements
1. Information security. are understood and inform the
2. Legal. management of privacy risk.
3. Audit. Monitoring and Review
4. Human resources. (GV.MT-P): The policies, processes,
5. Marketing. and procedures for ongoing review of
B. Privacy incident response
6. Business development. the organization’s privacy posture are

7. Communications and understood and inform the manage-
public relations. ment of privacy risk.
8. Other.
2. Establish incident Data Processing Awareness
oversight teams. (CM.AW-P): Individuals and orga-
3. Develop a privacy incident nizations have reliable knowledge
response plan. about data processing practices and
4. Identify elements of associated privacy risks, and effective
the privacy incident mechanisms are used and maintained
response plan. to increase predictability consistent
5. Integrate privacy incident with the organization’s risk strategy
response into business to protect individuals’ privacy.
continuity planning. Data Protection Policies, Processes,
c. Incident detection. and Procedures (PR.PO-P): Security
1. Define what constitutes and privacy policies (e.g., purpose,
a privacy incident. scope, roles and responsibilities in the
2. Identify reporting process. data processing ecosystem, and man-
3. Coordinate detection agement commitment), processes, and
capabilities. procedures are maintained and used
a. Organization IT. to manage the protection of data.
c. Human resources.
e. Vendors.

responsibilities.
2. Develop a communications
plan to notify executive
management.
e. Follow incident response process
to ensure meeting jurisdictional,
global and business requirements.
communicate, etc.).
5. Execute.
6. Monitor.
7. Review and apply
lessons learned.
f. Identify incident reduction
techniques.
g. Incident metrics—quantify the
cost of a privacy incident.

The Skill Set Needed To Implement The NIST Privacy Framework

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

The Skill Set Needed To Implement The NIST Privacy Framework

Uploaded by

Copyright:

Available Formats

The Skill Set Needed

to Implement the NIST

By IAPP Data Scientist & Strategist Suzannah Hicks

As a privacy risk management framework, niques under the disassociated processing

International Association of Privacy Professionals • iapp.org 2

Mapping the NIST privacy framework core v1.0 to

NIST Privacy Framework Core

Domain III. Privacy Operational Life Cycle:

International Association of Privacy Professionals • iapp.org 3

Domain I. Developing a Privacy Program

International Association of Privacy Professionals • iapp.org 4

Domain III. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 5

Domain III. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 6

Domain I. Developing a Privacy Program

International Association of Privacy Professionals • iapp.org 7

D. Structure the privacy team.

International Association of Privacy Professionals • iapp.org 8

Domain II. Privacy Program Framework

International Association of Privacy Professionals • iapp.org 9

vi. Maintain the ability to manage a

III. Privacy Operational Life Cycle: Privacy

International Association of Privacy Professionals • iapp.org 10

Domain V. Privacy Operational Life

Domain I. Developing a Privacy Program

International Association of Privacy Professionals • iapp.org 11

C. Develop Appropriate Metrics.

International Association of Privacy Professionals • iapp.org 12

Domain III. Privacy Operational Life

Domain V. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 13

Domain VI. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 14

International Association of Privacy Professionals • iapp.org 15

Domain IV. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 16

Domain III. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 17

Domain I. Developing a Privacy Program

International Association of Privacy Professionals • iapp.org 18

Domain I. Developing a Privacy Program

International Association of Privacy Professionals • iapp.org 19

b. Incident response planning.

International Association of Privacy Professionals • iapp.org 20

1. Engage privacy team.

Domain VI. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 21

Domain V. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 22

Domain III. Privacy Operational Life

International Association of Privacy Professionals • iapp.org 23

IAPP Certified Information Privacy Manager

Business Environment (ID.BE-P):

understood and prioritized; this

a. Acquire knowledge on privacy

Governance Policies, Processes,

and Procedures (GV.PO-P): The

International Association of Privacy Professionals • iapp.org 24

a. Define program scope and charter.

Data processing by systems, products,

International Association of Privacy Professionals • iapp.org 25