
New NIST Privacy Framework: A Tailor-made Resource for Internal Audit

Blogs Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA Feb 03, 2020

In the 21st century, data is gold. It is what underpins some of the biggest companies in the world, including Amazon, Facebook, and Google.

The need for gathering and using data has become a major economic driver, spawned a cybercriminal underworld, and pushed technological advancement to gather ever-increasing amounts of data, faster and more efficiently.

Over the past two decades, most organizations have found ways to adopt information technologies to gather and leverage customer data, but few have taken time to focus on how that data collection affects the privacy of individuals. In the past several years, there have been concerted efforts to control the rampant collection and monetization of personal data. The growing number of laws aimed at regulating the collection, management, storage, and protection of personal data, such as the European Union's General Data Protection Regulation (GDPR), reflects that backlash.

Late last month, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) released a new privacy framework. It provides strategies to improve privacy practices, build customer trust, and comply with a growing list of privacy regulations.

The privacy framework, subtitled A Tool for Improving Privacy Through Enterprise Risk Management, is designed to support any organization's privacy efforts and works in concert with the NIST Cybersecurity Framework, released in 2014. The privacy framework is designed to support examination of data-collection practices and how those practices affect individual privacy. It helps manage privacy risks by encouraging organizations to:

  • Consider privacy when systems, products, and services are designed and deployed.
  • Communicate about their privacy practices.
  • Encourage cross-organizational collaboration, such as among executives, general counsel, and IT.

The privacy framework breaks down privacy risk management into three parts it calls the Core, Profiles, and Implementation Tiers.

  • Beginning the Dialogue. The Core exercise enables discussions about privacy protection activities and outcomes.
  • Meeting Organizational Goals. The Profile step sets priorities for activities and outcomes that match an organization's needs with its privacy values and risks.
  • Managing the Risk. A series of Implementation Tiers supports examination of the adequacy of processes and resources to manage privacy risks.

The privacy framework offers an excellent and much-needed tool for internal auditors. Its focus on risk management, adequacy of processes, and balancing organizational needs with privacy risk all fit nicely with the core of internal audit's services and strengths. What's more, the privacy framework offers a group of appendices that provide tools for assessing and implementing reasoned strategies for privacy that internal auditors should find incredibly valuable.

  • The Privacy Framework Core appendix provides a comprehensive table of functions, categories, and subcategories that describe specific activities and outcomes that can support managing privacy risks when systems, products, and services are processing data. It provides a risk-based approach that identifies roles, addresses scalability, and describes how the privacy framework aligns with the NIST Cybersecurity Framework.
  • The appendix on Privacy Risk Management Practices addresses considerations around privacy risk management, including the relationship between cybersecurity and privacy risk and the role of privacy risk assessment. Those considerations include organizing preparatory resources, determining privacy capabilities, defining privacy requirements, and conducting privacy risk assessments.
  • The final appendix provides in-depth descriptions of four levels of privacy implementation tiers: partial, risk-informed, repeatable, and adaptive.

The NIST Privacy Framework provides long-overdue support for organizations to understand and manage privacy. It provides enough flexibility for organizations to build privacy strategies and processes that fit their individual needs, strategies, and risk appetites.

I encourage all internal audit leaders to review the framework, determine how it can help their organizations, and make stakeholders aware of this valuable tool.

As always, I look forward to your comments.

Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA

Former president and CEO of The IIA, the global professional association and standard-setting body for internal auditors.