
NIST Privacy Framework – PROTECT-P (PR-P) – Data Protection Policies, Processes, and Procedures (PR.PO-P)

Control(s)

Category

Data Protection Policies, Processes, and Procedures (PR.PO-P): Security and privacy policies (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data.


Subcategory

  • PR.PO-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality).
  • PR.PO-P2: Configuration change control processes are established and in place.
  • PR.PO-P3: Backups of information are conducted, maintained, and tested.
  • PR.PO-P4: Policy and regulations regarding the physical operating environment for organizational assets are met.
  • PR.PO-P5: Protection processes are improved.
  • PR.PO-P6: Effectiveness of protection technologies is shared.
  • PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed.
  • PR.PO-P8: Response and recovery plans are tested.
  • PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening).
  • PR.PO-P10: A vulnerability management plan is developed and implemented.


Function

  • PROTECT-P (PR-P)

What is the NIST Privacy Framework

The NIST Privacy Framework is a voluntary tool for improving privacy through Enterprise Risk Management, to enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy. The Privacy Framework can support organizations in:

  • Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

Source: https://www.nist.gov/privacy-framework/privacy-framework

Note: NIST and related copyright and trademarks belong to their respective owner(s). This guide is for educational purposes only.

Updated on September 24, 2022