Skill

nist-pf-identify

Implements NIST Privacy Framework IDENTIFY function covering ID.BE business environment, ID.DA data actions, ID.IM improvement, and ID.RA risk assessment. Provides control mapping, gap analysis templates, and workflows for privacy risk identification.

security

npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete

Tool Access

This skill uses the workspace's default tool permissions.

Preview

The IDENTIFY function in the NIST Privacy Framework (Version 1.0, January 2020) enables organizations to develop organizational understanding of privacy risk arising from data processing. This skill covers all four subcategories: Business Environment (ID.BE), Data Actions (ID.DA), Improvement (ID.IM), and Risk Assessment (ID.RA).

Supporting Assets

assets/template.mdreferences/standards.mdreferences/workflows.mdscripts/process.py

SKILL.md

Similar Skills

github-deep-research

63.9k

Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.

2 files

bytedance-deer-flow-1

surprise-me

63.9k

Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.

bytedance-deer-flow-1

image-generation

63.9k

Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.

2 files

bytedance-deer-flow-1

Stats

Parent Repo Stars37

Parent Repo Forks4

Last CommitMar 15, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

NIST Privacy Framework — IDENTIFY Function

Overview

IDENTIFY Function Subcategories

ID.BE — Business Environment

Understanding the organization's mission, objectives, stakeholders, and activities to prioritize privacy risk management decisions.

Subcategory	Description	Implementation Guidance
ID.BE-P1	The organization's role(s) in the data processing ecosystem are identified and communicated	Document whether the organization acts as data controller, processor, or both. Map all data flows identifying organizational role at each stage.
ID.BE-P2	Priorities for organizational mission, objectives, and activities are established and communicated	Align privacy objectives with business strategy. Ensure executive leadership endorses privacy as a business priority.
ID.BE-P3	Systems/products/services that process data are identified and prioritized	Maintain an inventory of all systems processing personal data. Classify by risk tier based on data sensitivity and volume.

ID.DA — Data Actions

Understanding the data actions the organization performs and associated privacy risks.

Subcategory	Description	Implementation Guidance
ID.DA-P1	A data processing ecosystem inventory is created and maintained	Catalog all data processing activities including collection points, storage locations, sharing partners, and retention periods.
ID.DA-P2	Owners of data actions are identified	Assign clear ownership for each data processing activity. Document accountability chains from operational to executive level.
ID.DA-P3	Problematic data actions are identified and prioritized for management	Use the NIST problematic data actions catalog to assess risk. Score based on likelihood and impact to individuals.

ID.IM — Improvement

Continuous improvement of privacy risk management.

Subcategory	Description	Implementation Guidance
ID.IM-P1	A process for continuous improvement of the privacy risk assessment approach is established	Schedule quarterly reviews of risk methodology. Incorporate lessons from incidents and regulatory developments.
ID.IM-P2	Privacy risk assessment findings are incorporated into improvement plans	Track remediation actions in a centralized register. Assign deadlines and owners for each improvement item.

ID.RA — Risk Assessment

Understanding and evaluating privacy risks.

Subcategory	Description	Implementation Guidance
ID.RA-P1	Data actions and their expected problematic data actions are identified	Map each data action to potential problematic outcomes using NIST's catalog of problematic data actions.
ID.RA-P2	Organizational systems, products, and services are monitored for problematic data actions	Deploy continuous monitoring for unauthorized access, unexpected data flows, and policy violations.
ID.RA-P3	Risk responses are identified and prioritized	Define response strategies: mitigate, transfer, avoid, or accept. Document rationale for each risk response decision.

Implementation Workflow

Phase 1: Inventory and Discovery (Weeks 1-4)

Stakeholder Identification: Identify all internal and external stakeholders involved in data processing
System Inventory: Catalog all systems, applications, and services that process personal data
Data Flow Mapping: Document how data moves through the organization from collection to deletion
Role Classification: Determine the organization's role (controller/processor) for each data processing activity

Phase 2: Data Action Analysis (Weeks 5-8)

Data Action Catalog: Document all data actions (collection, retention, logging, generation, disclosure, transfer)
Ownership Assignment: Assign data stewards for each data action category
Problematic Data Action Screening: Evaluate each data action against NIST's problematic data actions list
Impact Assessment: Score each problematic data action on likelihood and severity scales (1-5)

Phase 3: Risk Assessment (Weeks 9-12)

Risk Scoring: Calculate risk scores as Likelihood x Impact for each identified problematic data action
Risk Prioritization: Rank risks and identify those exceeding organizational risk tolerance
Response Planning: Select and document risk response strategies for each high-priority risk
Control Mapping: Map existing and planned controls to identified risks

Phase 4: Continuous Improvement (Ongoing)

Quarterly Reviews: Reassess risk landscape and update risk register
Incident Integration: Incorporate findings from privacy incidents into risk assessments
Regulatory Monitoring: Track changes in applicable privacy regulations
Metrics Tracking: Monitor key risk indicators and report to governance bodies

Control Mapping to Other Frameworks

NIST PF IDENTIFY	ISO 27701	GDPR Article	CCPA Section
ID.BE-P1	5.2.1	Art. 24, 26, 28	1798.140(d),(v)
ID.BE-P2	5.2.2	Art. 5(2)	1798.100
ID.BE-P3	A.7.2.1	Art. 30	1798.110
ID.DA-P1	A.7.2.8	Art. 30(1)	1798.110(c)
ID.DA-P2	5.3	Art. 37-39	1798.130
ID.DA-P3	A.7.2.5	Art. 35	1798.185
ID.RA-P1	6.1.2	Art. 35(7)	1798.185(a)(15)
ID.RA-P2	9.1	Art. 32(1)(d)	1798.150
ID.RA-P3	6.1.3	Art. 35(7)(d)	1798.185(a)(15)

Maturity Assessment

Level 1 — Initial

Ad hoc privacy risk identification
No formal inventory of data processing activities
Reactive approach to privacy issues

Level 2 — Managed

Basic data inventory exists
Some data actions documented
Risk assessments conducted periodically

Level 3 — Defined

Comprehensive data processing inventory maintained
All data actions cataloged with owners
Structured risk assessment process in place

Level 4 — Quantitatively Managed

Metrics-driven risk assessment
Automated monitoring of data actions
Quantitative risk scoring methodology

Level 5 — Optimizing

Continuous improvement process embedded
Predictive risk analytics
Industry-leading privacy risk management practices

References

NIST Privacy Framework Version 1.0 (January 16, 2020)
NIST SP 800-37 Rev. 2 — Risk Management Framework
NIST IR 8062 — An Introduction to Privacy Engineering and Risk Management in Federal Systems
ISO/IEC 27701:2019 — Privacy Information Management