The NIST privacy framework uses the term “current profile” to describe the current state of a company’s privacy program in relation to a specific Subcategory. So, for example, a company might include the following description in its current profile for the Subcategory below:
| Subcategory | Current Profile |
| --- | --- |
| ID.IM-P1: Systems/products/services that process data are inventoried. | The company maintains a data inventory policy which requires that a data inventory be conducted every 12 months that identifies each system, product, and service that processes personal information. For systems, products, and services that have already been identified, the responsible employee for that system, product, or service is asked to verify the accuracy of the description that is contained within the inventory. |
The NIST privacy framework uses the term “target profile” to describe the state that the company desires – but has not yet achieved – for its privacy program in the future. So, for example, a company might include the following description in the target profile for the same Subcategory:
| Subcategory | Target Profile |
| --- | --- |
| ID.IM-P1: Systems/products/services that process data are inventoried. | The company maintains a data inventory policy which requires that a data inventory be conducted every 12 months that identifies each system, product, and service that processes personal information. For systems, products, and services that have already been identified, the responsible employee for that system, product, or service is asked to verify the accuracy of the description that is contained within the inventory. The company’s data inventory is electronically hosted online and maintains an audit trail of each responsible system owner that has reviewed a system’s description. The inventory automatically identifies when a system has not been reviewed and validated for accuracy within 12 months and triggers a reminder for the system owner to log into the inventory, review the system description, and modify the description as needed for accuracy. |
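The target profile above describes a concrete mechanism: an inventory with a per-owner audit trail that flags any system not validated within 12 months and generates a reminder. The following is an added illustration of that mechanism, not code from NIST or the framework; the entry fields, the 365-day window, and the sample systems are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=365)  # assumed encoding of the 12-month window


@dataclass
class InventoryEntry:
    """One system/product/service that processes personal information."""
    system_id: str
    owner: str
    description: str
    # Audit trail: (reviewer, review date, description as validated) per review.
    audit_trail: list = field(default_factory=list)

    def record_review(self, reviewer: str, when: date,
                      description: Optional[str] = None) -> None:
        """Owner validates the entry; an updated description is kept if supplied."""
        if description is not None:
            self.description = description
        self.audit_trail.append((reviewer, when, self.description))

    def last_validated(self) -> Optional[date]:
        """Date of the most recent review, or None if never validated."""
        return max((d for _, d, _ in self.audit_trail), default=None)


def overdue_entries(inventory: list, today: date) -> list:
    """Entries not reviewed within REVIEW_INTERVAL, including never-reviewed ones."""
    cutoff = today - REVIEW_INTERVAL
    return [e for e in inventory
            if e.last_validated() is None or e.last_validated() < cutoff]


def build_reminders(inventory: list, today: date) -> list:
    """One reminder record per overdue system, addressed to its owner."""
    return [{"to": e.owner, "system_id": e.system_id,
             "last_validated": e.last_validated()}
            for e in overdue_entries(inventory, today)]


def sample_inventory() -> list:
    """Constructed sample data (hypothetical systems, not a real inventory)."""
    crm = InventoryEntry("crm", "alice", "Customer CRM: names, emails, order history")
    crm.record_review("alice", date(2023, 1, 10))
    payroll = InventoryEntry("payroll", "bob", "Payroll: employee SSNs and bank details")
    payroll.record_review("bob", date(2023, 9, 1),
                          "Payroll: employee SSNs, bank details, addresses")
    analytics = InventoryEntry("analytics", "carol", "Web analytics: IP addresses, cookies")
    return [crm, payroll, analytics]
```

A never-reviewed entry is treated as overdue on purpose: a system that was inventoried but whose owner never confirmed the description is exactly the gap the target profile is meant to close.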
How many core categories are included in the NIST privacy framework?
The NIST privacy framework uses the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. Categories are intended to be subdivisions of the Functions, and groupings of the Subcategories. In total, the NIST privacy framework contains 18 Categories.
How many core subcategories are included in the NIST privacy framework?
The NIST privacy framework uses the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. The Subcategory is the most granular, and tangible, aspect of the core. In total, the NIST privacy framework proposes 100 Subcategories. It should be noted, however, that the Subcategories included within the NIST privacy framework are not intended to be exhaustive, and companies may alter the Subcategories (as well as the Functions and the Categories) by tailoring the proposed Subcategories or adding additional Subcategories that align with the company’s privacy program.