Lefkovitz told the audience that privacy should be considered as part of organizations’ “broader enterprise risk management activity.” She explained the Privacy Framework’s identify, protect, control, inform and respond functions. When it comes to protection, she discussed an overlap with data security and said that NIST considers including privacy engineering, information lifecycle and cryptographic techniques in the protection concept.
“We are trying to provide concepts to act as a foundation for more clearly defined relationships between privacy and security,” Lefkovitz said. “Privacy risk is more than data risk – companies also process data, over the entire lifecycle, from collection through disposal. And they need to process that data to achieve business or data objectives – but there can be unintended consequences and privacy issues can arise for individuals.”
Kevin Stine, chief of NIST’s applied cybersecurity division, joined Lefkovitz to discuss the Privacy Framework, which is expected to be completed by October. The report said NIST is looking for comments on the framework and will host a live webinar on March 14 and a workshop in May.