NIST SP 800-37 Revision 2 and Privacy


Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
>> Hello, everyone. It's Chris again, and I'm Cybrary's instructor for the US Information Privacy course. It's always a pleasure to have the opportunity to talk to you about important privacy-related concepts and topics. In Lesson 4.2, we're going to examine NIST Special Publication 800-37 Revision 2 and privacy. I can tell you that during my work with certain public sector agencies, I had the opportunity to delve deeply into Revision 2 and to see and recognize that NIST had placed great emphasis on the importance of privacy and its integration into the Risk Management Framework.

We have several learning objectives. We're going to look at Revision 2's purpose. We'll review the fundamentals associated with Revision 2, and then we'll close out with a review of the Risk Management Framework process.

I can tell you that for those of you in the private sector, once again, I'm going to emphasize that you should look to guidance documents like NIST Special Publication 800-37 Rev 2, which gives us great insights into the importance of information security and privacy, and into ensuring that we have trustworthy systems processing personally identifiable information and other information that is important to organizations, specifically in the executive branch. This special publication is mandatory for those agencies. But again, I encourage private sector privacy officers and other professionals to review it to see if you will add it to your privacy toolkit, and I recommend you do so.

Let's talk about the purpose. When NIST updated 800-37 with Revision 2 in December 2018, it was really there to make sure that it had integrated privacy and security risk management, to ensure that it was addressing risk at the organizational, mission and business, and information system levels. They wanted to make sure that they had integrated enhanced privacy protections, to make sure that individuals were protected while their information is being processed by these systems. It was there to really align this new focus on privacy with information security, to ensure that privacy was integrated throughout the assessment and authorization process. It wanted to make sure that organizations, as they were looking at their individual system development life cycles, ensured that they had identified and integrated their security and privacy requirements, much like we see in frameworks like privacy by design and privacy by default: engineering these controls into the systems and activities, and making sure that we had end-to-end privacy and security protections in place. It also wanted to make sure that this new framework, the Risk Management Framework, was aligned with the NIST Cybersecurity Framework.

Let's talk about some of the organization-wide risk management processes that are called for in Revision 2. When we look at the levels within these organizations, we look at them as Level 1, organization; Level 2, mission/business process; and Level 3, information systems. What Revision 2 advocates for is a holistic approach to security risk and privacy risk management. It wants to make sure that we have a broad-based risk perspective, that we have horizontal and vertical communication and reporting of risk, and that we have consistent risk management across all three levels.

When we talk about information security and privacy in the RMF, we have to go back to OMB Circular A-130, which calls for the integration of information security and privacy. What OMB Circular A-130 says is that it recognizes that security and privacy are independent and separate disciplines, but that they are closely related. It calls for these agencies to take a coordinated approach to identifying and managing security and privacy risks and to complying with the applicable requirements: laws, rules, regulations, and directives. With the revision of OMB Circular A-130 in 2016, it required these executive branch agencies to integrate privacy into the RMF process throughout all seven steps. There's a preparatory step, which did not exist in Rev 1, and then six main steps. I did a comparative analysis of Rev 1 and determined that privacy was barely mentioned in Rev 1, and it was extensively mentioned in Rev 2 because of its importance.

When we talk about requirements and controls, we're talking about those requirements that have been enacted and promulgated that call for the appropriate security and privacy protections to be in place as they apply to federal information and federal information systems. One difference is from a privacy risk perspective: we're not just looking at unauthorized access to a system or unauthorized behavior. We're also looking at those incidents where you have authorized activities that go beyond the scope of information security, where the system itself is not performing as intended, which may place PII, or personally identifiable information, at risk from the time it is created or collected until the time it has been disposed of.

When we talk about privacy controls, we're talking about those administrative, technical, or physical safeguards that are there to ensure that organizations are compliant with their applicable privacy requirements and are assessing and managing privacy risk.

When we talk about security and privacy postures, many of you who have participated in the assessment and authorization processes within your respective organizations have created security plans based on either system-specific, hybrid, or common controls that are inherited by these systems, and they're documented in your security plans. There's also a requirement for privacy plans when we're looking at your privacy posture, and those are continuously monitored to ensure that the controls that have been selected from a security and privacy perspective are working as intended, that they're implemented correctly, and that they're satisfying the established or documented security and privacy requirements in response to laws, executive orders, regulations, directives, policies, standards, or mission and business requirements.

Now we're going to briefly look at the preparatory step and then the six main steps associated with the Risk Management Framework.

We start with the Prepare step. Step 0's purpose is to make sure organizations are executing their essential activities at the organization, mission and business, and information system levels, to help them start preparing to address or implement the Risk Management Framework to assess and manage security and privacy risks.

When we get to step 1, we're talking about Categorize. That's when the organizations themselves are really working to inform organizational risk management processes and tasks by determining the adverse impact to their own operations, as well as to individuals and other organizations.

Then we move to step 2, Select. That's when these organizations select their security and privacy controls; they tailor and document those controls necessary to protect the information systems and the organization.

When we get to step 3, we get to Implement. When we get to Implement, we're talking about how the organization will now implement those security and privacy controls and incorporate them into the security and privacy plans for the systems and for the organization. That's where you are documenting your security and privacy baseline.

In step 4, we get to Assess. That's where we're going to determine whether the controls, from a privacy and security standpoint, are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying those established and documented security and privacy requirements for the system and for the organization.

When we get to Authorize, that's when the authorizing official, or another person charged to do so, makes a determination that the security and privacy risk has been managed appropriately.

Then we get to Monitor. That's continuous monitoring to determine whether the systems that are part of this process, or the organization, are compliant from a risk management standpoint, and that we've made the appropriate risk decisions from a risk acceptance, risk tolerance, and risk response perspective.

Question 1 asks: Revision 2 asks organizations to integrate privacy and security into their risk management processes by... The answers are A, B, C, and D. Question 2 asks: how does Revision 2 assist organizations in assessing privacy and security risks, and across what levels? That would be A, B, and C. When we look at question 3, it asks which of these steps is not a part of the Risk Management Framework. The answer is D.

In summary, I believe that NIST Special Publication 800-37 Revision 2 is an essential tool that every privacy professional should have in their toolkit. It helps organizations manage both security and privacy risk across the three levels: organization, mission/business, and information systems. The Risk Management Framework consists of a preparatory step and six main steps.