The NIST Privacy Framework: Why it Matters

Okta’s vision is to be the platform that enables any organisation to adopt any technology. To achieve that goal, it’s critical that Okta customers and partners have complete trust in our ability to keep their data private and secure. As such, we are constantly aligning our operations with comprehensive data privacy standards, developing best practices, and sharing our learnings with the industry.

To that end, I recently participated in an RSA 2020 panel with NIST Senior Privacy Policy Advisor Naomi Lefkovitz and Equifax Chief Privacy and Data Governance Officer Nick Oldham to discuss the NIST Privacy Framework. At the session, we shared our perspectives on this new and actionable resource for managing privacy risk, as well as our experiences as early adopters. Here’s what you need to know.

What is the NIST Privacy Framework?

The NIST Privacy Framework is a set of guidelines and best practices that organisations can use to design and implement privacy management policies. Officially made public on January 16, 2020, version 1.0 of the framework works alongside NIST’s existing Cybersecurity Framework to support organisations as they work to reduce their exposure to privacy and cybersecurity threats.

Before the framework’s official launch, NIST invited the public to give feedback on the document. As part of our mandate to actively share knowledge in our industry, we saw this as an opportunity to have our privacy team contribute to the development of the framework by offering insights and recommendations on how to shape it. As such, the framework is aligned with many of our key privacy and security values.

While NIST acknowledges that every organisation's privacy strategy is unique, the framework provides resources for them to effectively address various business priorities:

  • Mitigating privacy risks: Implementing the framework can reduce the risk of privacy incidents, helping to protect individuals from embarrassment, discrimination, economic loss, and other potential harm. For organisations, the framework can be leveraged to help prevent reputational damage, customer attrition, and potential non-compliance fines.
  • Fulfilling compliance obligations: NIST’s framework allows implementing organisations to embed privacy values and policies that align with existing regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This allows companies to tailor their approaches while remaining compliant with the various regulatory environments within which they operate.
  • Facilitating communication around privacy practices: The framework provides organisations with the tools to share privacy insights—both internally (between legal, policy, security, and IT teams) and for external communications and cross-organisational collaboration on privacy initiatives.
  • Building customer trust: Minimising the privacy risks in any system, product, or service enables organisations to build and increase trust with their customers and users.

As organisations build or improve upon their privacy strategies, they can incorporate the NIST Privacy Framework to create a guiding set of principles and practices that strengthens accountability, serves as a guideline for purchasing decisions, and informs system development lifecycles.

Why the framework matters—and why I advocate for it

There are a number of reasons why NIST’s Privacy Framework makes sense to us at Okta:

It’s flexible

Rather than offering a rigid set of requirements that companies must comply with, NIST has put forward a comprehensive set of best practices that implementing organisations can use to complement their existing approach to privacy.

It accounts for Identity & Access Management and Authentication

As the panelists discussed at the RSA Conference, while the terms “security” and “privacy” are often conflated, they don’t necessarily share identical compliance requirements, risks, and implications. That said, the two share enough overlap that bolstering one often results in the bolstering of the other.

At Okta, we believe that effective privacy protection means employing security-focused tools like identity management, access control, and secure authentication measures. This clearly aligns with the privacy framework, which incorporates identity and access management and secure authentication as key components.

It enables success

While the framework outlines several core areas of risk response, NIST encourages organisations to adopt the parts of the framework that align with how they use personal data and their broader goals. In this way, the framework becomes a system that an organisation relies on to map compliance goals and strengthen stakeholder trust.

It has global applicability

NIST designed the framework to be future-proof to changing laws and regulations, and this neutrality allows the framework’s practices to apply across global territories and with various data protection requirements. It provides a bedrock foundation from which organisations can ensure compliance and communicate sensible, trustworthy policies to stakeholders.

How we made NIST’s guidance a part of our DNA—and how you can too

For Okta, adopting the NIST Privacy Framework is an ongoing process that extends beyond the Privacy, Product, Security, and Compliance teams. Rather, our approach has been to instil a culture of privacy, emphasising privacy as a critical value that should matter to all employees.

Here’s some insight into how we’ve been working to facilitate this cultural emphasis, and how you can smoothly do the same at your organisation.

Our top priority in adopting the framework was finding our internal partners and getting buy-in across the organisation—something that’s key for any new corporate initiative. Start by thinking about which teams can best influence change when it comes to privacy initiatives. Is it Legal, HR, Compliance, or Security? Then arm them with the information they need to talk about the initiative.

For us, this meant engaging our General Counsel as a strong advocate, and who was key in communicating the value of the framework to our executive leadership. Once we had strong cross-organisational buy-in, we set up a Privacy Council. This council is made up of not only Security, Compliance, and Privacy leaders, but leaders from across Okta’s different departments, like Marketing, Sales, HR, Engineering, Product Management, and others. We hold regular meetings with this council to share knowledge about critical privacy topics, including the NIST Privacy Framework, as well as actionable steps that they can share with their teams.

The result has been a permeating sense that privacy concerns everyone throughout the organisation. It’s clear that this is a top priority for Okta leadership, and key company influencers are increasingly equipped to answer questions that their teams may have.

Going forward

As we continue implementing the NIST Privacy Framework here at Okta, we’re exploring how to build relevant aspects of NIST’s work into our tools. We’re excited to see how the framework evolves in the future, and we’re committed to ensuring that the personal data we’re entrusted with is used safely and properly.

Check out the following resources to find out more: