NIST Privacy Framework


Privacy Discussion Begins

I had the distinct pleasure Tuesday to sit in on a livestream of NIST Privacy Framework: Workshop #1. Hosted by the National Institute of Standards and Technology (NIST), Workshop #1 was the kickoff of an initiative NIST is leading to develop a voluntary privacy framework. Although the NIST Cybersecurity Framework (CSF) has been hugely popular across industries, NIST feels that it does not adequately address privacy. NIST's objective is to establish "a voluntary Enterprise Risk Management tool that organizations can pick up and use to manage privacy risk." The goals are ambitious: produce a tool that stays useful long into the future; encompass emerging and as-yet-unknown technologies and uses of information; be as useful as the NIST CSF; and make the framework broad enough to be consistent with existing privacy and risk management standards where practical.


NIST recorded the three-hour workshop and will make the recording available to anyone who wants to watch it. I encourage you to do so, as a lot of REALLY interesting concepts were discussed by some seriously qualified thought leaders in this space. I'm super "geeked out" about this material and excited to share what I found most interesting. None of this is final in any way; it simply represents the conversations I found most compelling.

  • Privacy is defined by the harm, if any, inflicted upon an individual by the way their information is handled.
  • Harm is defined by each individual and may change over time.
  • One individual's harm may differ from another individual's harm, and both are almost certainly different from the harm suffered by the business that was the source of the privacy-related harm to the individual.

I personally think it is brilliant to define privacy in terms of the harm it presents to an individual. However, that definition has significant risk management ramifications that will need to be worked out in the privacy framework.


Risk Management Ramifications of the NIST Privacy Framework 

Identification of Privacy Risk

Organizations will need to know everywhere they hold information about individuals. The use of scanning tools will increase in order to find that information across the enterprise. But the information you are looking for may not be the obvious items: name, address, account number, account balance, health information, and so on. The question may instead be: what information do we have about an individual that could be used in a way that brings about harm to that individual? You also have to ask: if we give any individual's information to a third party, what could the third party intentionally or unintentionally do with it that could harm the individual? Will third-party assessments begin to include questions about what other information the third party already holds that, combined with the information you are sharing, could cause harm to an individual?


Inherent Risk Assessments

Defining privacy in terms of harm to an individual will make inherent risk assessments more challenging and more scenario-based. You will most certainly need to think outside the box to consider all the different ways the information you collect and handle could harm an individual. How will you determine whether your information collection, information handling, sharing with third parties, potential breaches and incident response will harm any individual, and by how much? Will you need to start asking individuals how they would feel if their information were breached or used in an unintended manner? Will your organization need to periodically refresh its understanding of individual harm, particularly as new technologies and uses of information emerge?


You will need to stay abreast of every new and changed way information is collected, managed, shared with a third party, destroyed, and so on. In each of these cases you will no doubt need to document what information is being collected and why, the information lifecycle from collection to destruction, the intended use of the information, and the numerous possible uses of the information that could cause harm to an individual, including through your extended third-party ecosystem.

If you do conclude that information you handle could cause harm to individuals, how will you rate the risk? What is the measure of harm? It could be anything from financial loss, embarrassment, harassment, loss of time from unwanted marketing, blackmail and psycho-social manipulation to physical harm and death. Many of these kinds of harm do not readily translate into financial terms.


Residual Risk Assessments

With cybersecurity risk you apply appropriate organizational and technical measures to reduce the likelihood and/or impact of unauthorized access to, alteration of, or destruction of the information. Once privacy risk is defined as harm to individuals, you are no longer solely concerned with unauthorized access, alteration and destruction: your intended and unintended uses of the information could themselves cause harm. At a minimum, organizational controls will take on relatively greater importance in ensuring that you are effectively capturing and controlling residual risk.


Risk Evaluation

Let's say that you do find a way to rate residual risk in terms of harm to individuals. Mature organizations that manage risk against risk appetites and tolerances will have to go back, look at those values and somehow incorporate harm to individuals. How much harm, and what types of harm to individuals, will organizations be comfortable with?


NIST is just beginning the process of developing a Privacy Framework, and nothing is set in stone yet. The privacy conversation is only starting, but it benefits each of us and our organizations to try to shape that conversation so that any privacy framework NIST publishes provides meaningful value without undue complexity and implementation heartburn.


Re: About Proxy NAS servers



We are considering a configuration in which NAS servers are created on the primary and secondary systems, each with its own hostname/IP address, and the NAS server on the secondary side mounts both the file system replicated from the primary (Read Only) and a file system created on the secondary itself (Read/Write).

Since OE 4.3, the Proxy NAS server feature makes it possible to expose file systems and snapshots as Read Only, and we believe this could be used to achieve the above. Could you advise on the following two points?


(1) Is it possible for a Proxy NAS server created on the secondary side to mount both kinds of file system, Read Only and Read/Write?

Or is it necessary to create another NAS server on the secondary in addition to the Proxy NAS server?

(2) Is there a detailed manual or similar documentation describing the procedure for mounting a Read Only file system on a Proxy NAS server?








Re: HA connectivity for Unity replication ports


SP-A FCP 4 of array1 needs to be in the same fabric as SP-A FCP 4 of array2

SP-B FCP 4 of array1 needs to be in the same fabric as SP-B FCP 4 of array2

So there is no redundancy within a fabric, only across the fabrics. Works as designed :-/

If one fabric fails, all replicated sessions within that fabric are paused, and if that takes long to fix, you have to switch them manually to the other SP (SP Owner).



Re: Unisphere page is not working using control station ip

Hello everyone,

I am facing an issue after replacement of the control station of my VNX 5700. Whenever I try to log in through PuTTY using nasadmin, the following notification appears. I need advice as I am out of support contract.

EMC NAS Service is not running due to one of the following reasons:

1. EMC NAS Service is still starting or there was an error during
   service start-up.
   Please logout and try logging in after 5 minutes. It can take up to
   15 minutes after Control Station boot for EMC NAS Service to start.
   If the problem persists after 3 login retries, please reboot the
   Control Station and try again. If this message is still displayed,
   contact EMC Customer Support.

2. EMC NAS Software upgrade is in progress, which required stopping
   the Service temporarily.
   Please DO NOT use the administrative interface while EMC NAS Software
   upgrade is in progress. EMC NAS Service starts automatically after
   the upgrade finishes.

I have used .








Management 1G, 1 port: for management

Onboard 10G Base-T port 1: for NFS (linked up at 1G)

Onboard 10G Base-T port 2: for replication (linked up at 1G)










Re: About Unity replication requirements







504733 : Dell EMC Unity: The Network/TCP ports for Unity Replication (Customer Correctable)


492861 : Dell EMC Unity – Back to Back File Replication is unsupported (DELL EMC Correctable)





Regarding VNX Replicator sessions (this is from the VNX2 era, but Unity behaves the same way)

Reference: About the initial sync of NAS replication between Unity arrays (behaviour on Unity: it recovers automatically once connectivity is confirmed)






Re: About port speed settings on the Unity 300

For the ports used for replication, we have configured LACP (LAG).

The ports are aggregated as Ethernet Port 2 & 3 on each SP, and the link speeds are as follows:






SPA Eth 2 : 100 Mbps

SPA Eth 3 : 1 Gbps

SPB Eth 2 : 1 Gbps

SPB Eth 3 : 100 Mbps









