
NIST Releases Version 1.0 of Privacy Framework - infodocket
https://www.nist.gov/news-events/news/2020/01/nist-releases-version-10-privacy-framework
======
waterheater
Link to framework document:
[https://www.nist.gov/system/files/documents/2020/01/16/NIST%...](https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf)

NIST had a number of workshops dedicated to creating this framework. NIST was
very hopeful they could receive the amount of quality feedback which made
their prior Cybersecurity Framework so wildly popular and successful.

I had the good fortune of attending the second workshop, and it's quite
fascinating to see the changes since their initial working draft.

The biggest changes I see come in the Core Functions. There have always been
five, but some of them were significantly altered from the draft to v1.0:

1) Identify -> Identify
2) Protect -> Govern
3) Control -> Control
4) Inform -> Communicate
5) Respond -> Protect

If I remember right, much of the feedback NIST received at the workshop
centered around the difference (or lack thereof) from the Cybersecurity
Framework. The Venn diagram on page 7 of the Privacy Framework absolutely
demonstrates that they recognized this lack of difference, made modifications,
and show how the frameworks complement each other.

Overall, kudos to NIST for producing these frameworks. Issues of cybersecurity
and privacy are fraught with nuance, and these documents are quite useful in
providing "laypersons" with an informed way to reason about these issues.

----

Prior workshops:

[https://www.nist.gov/news-events/events/2018/10/kicking-nist...](https://www.nist.gov/news-events/events/2018/10/kicking-nist-privacy-framework-workshop-1)

[https://www.nist.gov/news-events/events/2019/05/drafting-nis...](https://www.nist.gov/news-events/events/2019/05/drafting-nist-privacy-framework-workshop-2)

[https://www.nist.gov/news-events/events/2019/07/getting-v10-...](https://www.nist.gov/news-events/events/2019/07/getting-v10-nist-privacy-framework-workshop-3)

------
mushufasa
A lot of enterprise / financial compliance processes require adhering to an
ISO or NIST framework.

Has anyone created a tl;dr checklist of these, like Sqreen has done with their
"Startup CTO Checklist"? [https://www.sqreen.com/checklists/saas-cto-security-checklis...](https://www.sqreen.com/checklists/saas-cto-security-checklist)

~~~
twunde
Within the US, SOC2 is the enterprise security compliance program of choice,
although the reality is that ISOs, NIST, SOC2, HITRUST are largely
overlapping. Because these security frameworks are already checklists, there
aren't any tl;dr checklists that I know of. The closest thing is Comply:
[https://github.com/strongdm/comply](https://github.com/strongdm/comply), which
has the rules for SOC2 and pre-written policy templates.

------
badrabbit
I've used and greatly appreciate their security related standards. For
privacy, there needs to be a lot more legislation upon which standards can be
built. Security is in the interest of companies, but customer privacy most of
the time is not; they need legal mandates with real repercussions.

------
smartbit
GDPR <> checklist

