NIST Privacy Framework Announced At RSAC

As the enterprise risk management tool is under development, here’s what to expect

The National Institute of Standards and Technology (NIST) is developing an enterprise risk management tool to protect consumer privacy while advancing prosperity and innovation. During RSA Conference 2019, Kevin Stine, Chief, Applied Cybersecurity Division for NIST, and Naomi Lefkovitz, Senior Privacy Policy Advisor NIST, talked about what to expect from the voluntary Privacy Framework (targeted for release later in 2019).

According to Stine, fundamentally at NIST, “We seek to cultivate trust and information, and in technology” … through advances in standards, technology and measurement science — from a cyber security and privacy perspective, in an open, transparent and inclusive way. He also explained that NIST looks to tap into the diversity of its stakeholders in order to work collaboratively with the public and private sectors.

While the NIST Privacy Framework is only a few months into the process, NIST has an extensive track record of privacy expertise, which Stine said now spans close to 50 years. Modeled after the NIST Cyber Security Framework, the Privacy Framework is also meant to be risk-based, outcome-based and non-prescriptive, in order to increase adoption.


Call To Action

Through a series of formal as well as informal events, NIST collaborates with the public for feedback as it works on development. This also includes working with academia and all layers of government, in order to take a comprehensive approach to the Framework.

Similarly, NIST took to the stage at RSAC to show attendees what to expect from the Privacy Framework, how it can benefit the enterprise, and how the Privacy Framework is being developed, so that cyber security professionals can learn how to contribute.

To help in the risk-management endeavor, NIST has so far proposed five functions for the framework: Identify, Protect, Control, Inform and Respond. Each of these functions will contain a set of best practices and approaches for achieving desired outcomes.

“Privacy is just another dimension of risk, and should be a part of that broader enterprise risk management activity in an organization,” said Lefkovitz.


More NIST Session Highlights from RSAC

Your Data’s Integrity: Protect and Respond to Ransomware and Critical Events
At the RSA Conference last year, NIST’s National Cybersecurity Center of Excellence (NCCoE), together with MITRE, took to the stage to share ways to quickly recover from an event that alters or destroys data. This year, Anne Townsend, Lead Cyber Security Engineer, was back with an entire suite that organizations can deploy to effectively identify, protect, detect and respond to data integrity events.

These solutions are follow-on projects to the highly publicized NIST Special Publication (SP) 1800-11, Recovering from Ransomware and Other Destructive Events.

Townsend went over:
1: How to understand easy-to-implement data security methods.
2: How to build a data security architecture with commercially available technologies.
3: Line-by-line guidance and how-to directions to build this solution in your own organization.

In accordance with this methodology, the NCCoE has developed three data integrity projects that are dedicated to solving businesses’ most pressing cyber security challenges.


Hot Topics in Cyber-Law 2019
ABA attorney-SMEs kicked off the Law Track with an annual theme-setting panel on critical emerging legal issues. The aim was a practical, usable snapshot of recent developments in cyber-policy, cyber-law and cyber-litigation. For 2019, topics included elections as critical infrastructure, GDPR compliance and Privacy Shield, new foreign tech investment rules (CFIUS), and new NIST guidance on security, privacy and SCRM.

Blockchainification of Cyber-Supply Chain Risk: Hype vs. Hope (Protecting Data & Applied Crypto track)
The buzz around blockchains can be exciting, bewildering and, at times, troubling. This session got to the bottom of fact and fiction as a NIST researcher discussed how various blockchain technologies are or could be used, focusing on cyber-supply chain risk management.

Grappling with Zero-Trust Networking: How Are You Doing It?
The concept of zero-trust networking is gaining more momentum. Vendors are coming out with new technologies or re-positioning current products to align with zero-trust initiatives. But is your organization actually implementing zero trust? This session asked, "How are you doing it? What have you learned?"

How to Eliminate a Major Vulnerability in the Cyber Security Workforce
There’s a major vulnerability in most cyber security firms and workforces that has yet to be addressed: the industry’s gender gap. At a gathering of cyber-practitioners, behavioral scientists, and industry and government leaders in fall 2018, NIST developed strategies to solve the problem and then road tested them with participants at this year's session.

The NIST Cyber Security Framework: Building on Success
This panel discussed the adoption of the Cyber Security Framework around the world and shared experiences and lessons learned from implementing the Framework. Panel members included the NIST program manager for the Cyber Security Framework as well as Cyber Security Framework practitioners. Attendees learned how the Framework is being used today and where NIST sees it going tomorrow.

Healthcare Cyber Security: Helping Secure Emerging Health Technologies
Healthcare innovation is advancing at a rapid pace with the proliferation of network-connected medical devices, remote patient monitoring and telehealth opportunities. But is security keeping up with the innovation? This session assessed current medical device security and discussed how health delivery organizations and care providers can help mitigate these risks as new technologies emerge.

Measuring Cyber Security Effectiveness in a Threat-Based World
The panel helped to increase understanding of how DHS, NSA and NIST are using threat data to help agencies protect information and detect and respond quickly to adversarial actions. Panelists examined how DHS CISA fuses threat intelligence with agency vulnerability data to improve information sharing, and how efforts such as the .gov CAR initiative are helping create better threat models and solutions.
