Control(s)
Category
Identity Management, Authentication, and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.
Subcategory
- PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices.
- PR.AC-P2: Physical access to data and devices is managed.
- PR.AC-P3: Remote access is managed.
- PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
- PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation).
- PR.AC-P6: Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
Function
- PROTECT-P (PR-P)
What is the NIST Privacy Framework
The NIST Privacy Framework is a voluntary tool for improving privacy through Enterprise Risk Management, to enable better privacy engineering practices that support privacy by design concepts and
help organizations protect individuals’ privacy. The Privacy Framework can support organizations in:
- Building customers’ trust by supporting ethical decision-making in product and service design or
deployment that optimizes beneficial uses of data while minimizing adverse consequences for
individuals’ privacy and society as a whole;1 - Fulfilling current compliance obligations, as well as future-proofing products and services to
meet these obligations in a changing technological and policy environment; and - Facilitating communication about privacy practices with individuals, business partners,
assessors, and regulators.
Source: https://www.nist.gov/privacy-framework/privacy-framework
Note: NIST and related copyright and trademarks belong to their respective owner(s). This guide is for educational purposes only.