NIST SP 800-37 Revision 2 and Privacy

Video Transcript

Hello, everyone. It's Chris again, and I'm Cybrary's instructor for the US Information Privacy course. It's always a pleasure to have the opportunity to talk to you about important privacy-related concepts and topics. In Lesson 4.2, we're going to examine NIST Special Publication 800-37 Revision 2 and privacy. I can tell you that during my work with certain public sector agencies, I had the opportunity to delve deeply into Revision 2 and to see and recognize that NIST had placed great emphasis on the importance of privacy and its integration into the Risk Management Framework.

We have several learning objectives. We're going to look at Revision 2's purpose. We'll review the fundamentals associated with Revision 2, and then we'll close out with a review of the Risk Management Framework process. I can tell you that for those of you in the private sector, once again, I'm going to emphasize the fact that you should look to guidance documents like NIST Special Publication 800-37 Rev 2, which gives us great insights into the importance of information security and privacy: ensuring that we have trustworthy systems that are processing personally identifiable information and other information that is important to organizations, specifically in the executive branch.

This special publication is mandatory for those agencies. But again, I encourage private sector privacy officers and other professionals to review it to see if you will add it to your privacy toolkit, and I recommend you do so. Let's talk about the purpose. When NIST updated 800-37 with Revision 2 in December 2018, it was there really to make sure that it had integrated privacy and security risk management to ensure that it was addressing risk at the organizational, mission and business, and information system levels. They wanted to make sure that they had integrated enhanced privacy protections to make sure that individuals were protected while their information is being processed by these systems.

It was there to really align this new focus on privacy together with information security to ensure that it was integrated throughout the assessment and authorization process. It wanted to make sure that organizations, as they were looking at their individual system development life cycles, ensured that they had identified and integrated their security and privacy requirements, much like we see in frameworks like privacy by design and privacy by default: engineering these controls into the systems and activities and making sure that we had end-to-end privacy and security protections in place. It also wanted to make sure that, again, this new framework itself, the Risk Management Framework, was aligned with the NIST Cybersecurity Framework.

Let's talk about some of the organization-wide risk management processes that are called for in Revision 2. Now, when we look at the levels within these organizations, we look at them as Level 1, organization; Level 2, mission and business process; and Level 3, information systems. What Revision 2 advocates for is a holistic approach to security risk and privacy risk management. It wants to make sure that we have a broad-based risk perspective, that we have horizontal and vertical communication and reporting of risk, and that we have consistent risk management across all three levels. When we talk about information security and privacy in the RMF, we have to go back to OMB Circular A-130, which calls for the integration of information security and privacy. What OMB Circular A-130 says is that it realizes that security and privacy are independent and separate disciplines, but that they are closely related. It calls for these agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with the applicable requirements: laws, rules, regulations, and directives.

With the revision of OMB Circular A-130 in 2016, it required these executive branch agencies to integrate privacy into the RMF process throughout all seven steps. There's a preparatory step and then six main steps, which did not exist in Rev 1. I did a comparative analysis of Rev 1, and I determined that privacy was barely mentioned in Rev 1, and it was extensively mentioned in Rev 2 because of its importance. When we talk about requirements and controls, we're talking about those requirements that have been enacted or promulgated that call for the appropriate security and privacy protections to be in place as they apply to federal information and federal information systems. One difference is from a privacy risk perspective. We're not just looking at unauthorized access to a system or unauthorized behavior. We're also looking at those incidents where you have authorized activities that go beyond the scope of information security.

That assessment itself is not performing as intended, which may place PII, or personally identifiable information, at risk from the time it is created or collected until the time it has been disposed of. When we talk about privacy controls, we're talking about those administrative, technical, or physical safeguards that are there to ensure that organizations are compliant with their applicable privacy requirements and are assessing and managing privacy risk. When we talk about security and privacy postures, many of you who have participated in the assessment and authorization processes within your respective organizations have created security plans based on either system-specific, hybrid, or common controls that are inherited by these systems, and they're documented in your security plans.

There's also a requirement for privacy plans when we're looking at your privacy posture, and those are continuously monitored to ensure that the controls that have been selected from a security and privacy perspective are working as intended, they're implemented correctly, and they're satisfying the established or documented security and privacy requirements in response to laws, executive orders, regulations, directives, policies, standards, or mission and business requirements. Now we're going to briefly look at the preparatory step and then the six main steps associated with the Risk Management Framework. We start with the Prepare step. Step 0's purpose is to make sure organizations are executing their essential activities at the organizational, mission and business, and information system levels, and to help them start preparing for addressing or implementing the Risk Management Framework to assess and manage security and privacy risks.

When we get to Step 1, we're talking about Categorize. That's when the organizations themselves are really working to inform organizational risk management processes and tasks by determining the adverse impact to their own operations, to individuals, and to other organizations. Then we move to Step 2, Select. That's when these organizations select their security and privacy controls; they tailor and document those controls necessary to protect the information systems and the organization. When we get to Step 3, we get to Implement. When we get to Implement, we're talking about how the organization will now implement those security and privacy controls and incorporate those into the security and privacy plans for the systems and for the organization. That's where you are documenting your security and privacy baseline.

In Step 4, we get to Assess. That's where we're going to determine whether the controls, from a privacy and security standpoint, are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying those established and documented security and privacy requirements for the system and for the organization. When we get to Authorize, that's when an authorizing official or another person charged to do so makes a determination that the security and privacy risk has been managed appropriately. Then we get to Monitor; that's continuous monitoring to determine whether the systems that are part of this process, or the organization, are compliant from a risk management standpoint, and that we've made the appropriate risk decisions from a risk acceptance, risk tolerance, and risk response perspective. Question 1 asks: Revision 2 asks organizations to integrate privacy and security into their risk management processes by...

The answers are A, B, C, and D. Question 2 asks the question: how does Revision 2 assist organizations in assessing privacy and security risks, across what levels? That would be A, B, and C. When we look at Question 3, it asks which of these steps is not a part of the Risk Management Framework. The answer is D. In summary, I believe that NIST Special Publication 800-37, Revision 2 is an essential tool that every privacy professional should have in their toolkit. It helps organizations manage both security and privacy risk across the three levels: organization, mission and business, and information systems. The Risk Management Framework consists of a preparatory step and six main steps.

Course link:
US Information Privacy
Are you overwhelmed by the intricacies of U.S. information privacy and data security laws? Privacy and data security are critical in today’s digital world. Gain the insight you need to navigate the realm of information privacy in the U.S. public and private sectors by taking this U.S. Information Privacy course.
Instructed by
Chris Stevens

Chris Stevens has 35+ years of experience working in the private/public sectors in counterterrorism, data protection, homeland security intelligence, information privacy, strategic intelligence and as a Senior National Intelligence Service Executive.