NIST SP 800-122 and Privacy


Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
Hello, everyone. Welcome back to the course. I'm Chris, the privacy gremlin, and I'm Cyber's instructor for its US Information Privacy course. Here in Lesson 4.4, we're going to examine NIST Special Publication 800-122, entitled Guide to Protecting the Confidentiality of Personally Identifiable Information.

We discussed Personally Identifiable Information earlier in the course, where we said that it was any information that could be used to distinguish or to trace an individual's identity, or that was linked or linkable to a specific individual. We talked about things like names, Social Security numbers, driver's licenses, device identifiers such as IP addresses, MAC addresses and the like, and biometric data also.

We have several learning objectives. We're going to talk about the purpose and scope of 800-122. We're going to talk about PII confidentiality impact levels and confidentiality safeguards, and then we'll talk about incident response to breaches involving PII and some of the requirements.

I have used NIST Special Publication 800-122 both in support of public sector organizations and also private sector companies, institutions, and organizations, to really give me insights on how to best define PII for an organization and then how to take those steps and ensure that I was maintaining the confidentiality, or the organization was maintaining the confidentiality, of PII throughout their information life cycle: collection, use, disclosure, retention, and disposal of PII.

NIST Special Publication 800-122 is a great complement to OMB Memorandum 17-12, which we discussed earlier in the course, Preparing for and Responding to a Breach of PII. NIST understands, just like the rest of the federal government, that not only are private sector companies vulnerable to access to PII, but also public sector companies have been breached in the past, so what NIST Special Publication 800-122 wants to make sure is that executive branch agencies that must comply with this NIST guidance are protecting the confidentiality of PII collected and processed by federal information systems. Again, this guidance document is also applicable to the private sector.

800-122 directs these agencies also to ensure that they are using the appropriate PII confidentiality impact levels when assessing the confidentiality of PII. It says also to link those to the Fair Information Practice Principles that we talked about earlier in the course. Then it also assists them in developing effective incident response plans should they experience a breach of the confidentiality of PII.

Let's talk about the confidentiality impact levels, which are extremely important. Many of you are familiar with Federal Information Processing Standards Publication 199, entitled Standards for Security Categorization of Federal Information and Information Systems, and how it assesses impact levels as they apply to security. Well, in this instance, 800-122's PII confidentiality impact levels use similar language, but it focuses on assessing impacts on the confidentiality of PII, while FIPS 199 is more focused on security categorization. If you are looking for a good guidance document to assist you in determining the appropriate integrity and availability impact levels, then this publication recommends that you use NIST Special Publication 837 Revision 2, the Risk Management Framework.

There are three PII confidentiality impact levels, the first being low: a loss of confidentiality, integrity, or availability that could result in a limited adverse effect on organizational operations, its assets, or individuals. Examples of a low adverse impact level would be some type of minor damage to organizational assets, minor financial loss, or minor harm to individuals.

The next level is moderate, and that occurs if you have a loss of confidentiality, integrity, or availability that could result in a more serious adverse action on the organization, its assets, or individuals. In this impact level, we're looking at results in significant damage to organizational assets, significant financial loss, or significant harm to individuals that does not involve the loss of lives or serious, life-threatening injuries.

The highest impact level is high, and that occurs if you have a loss of confidentiality, integrity, or availability that could result in a severe or catastrophic adverse effect on an organization, its assets, or on individuals. That could be a severe degradation in or loss of mission capability that prevents the organization from performing its mission. It could result in major damage to the organization's assets or major financial loss, and could result also in severe, catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

We use several factors to determine PII confidentiality impact levels. The first is identifiability: how identifiable is the PII, such that it can be used to link or distinguish an individual? The quantity of PII: how much PII might have been disclosed, and how many individuals might be impacted by that disclosure? Data field sensitivity: assessing the sensitivity of each individual PII data field, or, in combination, those data fields together, much like the mosaic effect. We have context of use: how the information is being used; how is it being collected, stored, processed, disclosed, disseminated? We have an obligation to protect confidentiality as defined in applicable laws, regulations, and other mandates in regards to protecting Personally Identifiable Information. We also have access to and location of PII. We're also assessing not only unauthorized access but authorized access.

An example would be, say, for instance, your organization had an incident response roster that it maintained for its computer incident response team. The organization had listed names, professional titles, office and work cell phone numbers, and work email addresses, and it had also made this roster available to the public. From an identifiability perspective, we're talking about a small number of individuals using their names, phone numbers, and email addresses. Quantity of PII: less than 20 people. Data field sensitivity: since we've already made this information available to the public, then again, there's low data field sensitivity. Let's talk about context of use. How likely would it be that if someone got access to this roster, they could make use of the names and other contact information to adversely impact individuals? Then finally, access to and location of PII. While this roster has been posted to the internet, it's also available to the public. Again, when we look at our analysis, this would probably result in a low PII confidentiality impact.

Let's talk about security safeguards. We have three. We have operational safeguards, which are really focused on policy and procedure creation, education, training, and welfare. We have awareness training and education. We also have privacy-specific safeguards like data minimization, collection limitation, having a good data retention strategy for your PII, conducting privacy impact assessments, de-identifying your information, and anonymizing the information. For security safeguards, you can look to NIST Special Publication 800-53 Revision 4 for guidance on how to select the appropriate security controls.

We have four steps that apply to responding to breaches of PII. As we stated earlier in the course, executive branch agencies have to report within one hour to the US Computer Emergency Readiness Team any breaches of PII. The four steps are preparation; detection and analysis; containment, eradication, and recovery; and then post-incident activity.

Question 1 asked: the purpose and scope of 800-122 includes? The choices are A, B, C, and D. Question 2 asked: what are the PII confidentiality levels? A, C, and D. Question 3 asked: what are the confidentiality safeguards? The appropriate answers are A, B, and D. Question 4 asked: what are the steps for addressing breaches involving PII? A, B, C, and D are the appropriate answers.

In summary, 800-122 provides executive branch agencies with a guidance document that assists them in protecting the confidentiality of PII in their systems. The impact levels are low, moderate, and high. We have operational, privacy-specific, and security controls as safeguards. The steps for addressing a breach are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.