The National Institute of Standards and Technology (NIST) has developed a comprehensive privacy framework that can help organizations assess and improve their privacy practices. The framework consists of three main components: the core, the profiles, and the implementation tiers. In this blog post, we will focus on implementation tier 3, which is the third of four tiers in the NIST privacy framework.
Implementation tier 3 is the next level of the NIST privacy framework after implementation tier 2. It is intended for organizations that have implemented the recommended activities in at least two of the five privacy outcome profiles: individual participation, transparency, security, integrity, and accountability.
To achieve implementation tier 3, organizations must implement the optional activities in at least one of the privacy outcome profiles that they have already implemented. This means that they must go beyond the minimum and recommended requirements for that privacy outcome and implement additional activities that can help further improve their privacy practices.
For example, if an organization has already implemented the recommended activities in the security profile, it can move on to implementing the optional activities in that profile. This might include running a security awareness training program, encrypting sensitive data, and applying privacy by design principles.
Once an organization has achieved implementation tier 3, they can move on to the highest tier, implementation tier 4, to further improve their privacy practices. The higher tiers have additional requirements, such as implementing the optional activities in at least two privacy outcome profiles and demonstrating continuous improvement of privacy practices.
Overall, implementation tier 3 is an important step in the NIST privacy framework. By achieving this tier, organizations can take additional steps to protect individuals’ personal information and further improve their privacy practices.