Hello everyone. It's Chris, the privacy gremlin, once again, and I'm glad to welcome you back to this course. I'm the instructor for Cybrary's US Information Privacy course. It's always a pleasure to have the opportunity to dialogue with you about important privacy concepts and topics.
In Lesson 4.3 we're going to continue our examination of important NIST special publications and internal documents. In this lesson we're going to look specifically at NIST Special Publication 800-53, and we're going to look closely at Appendix J, which is its privacy control catalog.
I've used NIST Special Publication 800-53 Revision 4 extensively in my support to public sector organizations and agencies, and also to private sector organizations and institutions, because of the catalogue of possible security controls and privacy controls that might be available to ensure that we have the appropriate security controls in place that might mitigate both security and privacy risks. It is an essential tool in my privacy toolkit, and, like I've previously stated, I encourage private sector privacy officials and professionals to review this document to see how it might make your privacy programs more successful.
We have several learning objectives. We're going to look at Revision 4's purpose, and then we're going to take a closer look at its Appendix J. Then we'll close out with a review of the eight privacy control families listed in Appendix J and look at those associated privacy controls.
I'm waiting, as many of you are waiting, for NIST to finalize Revision 5, which does a great job of integrating privacy and security controls, not looking at them from
And I believe that with the hard work that NIST has done in preparing Revision 5, it will greatly aid organizations in better understanding the applicability of both security and privacy controls across their organizations and enterprises.
So let's talk about Rev 4's purpose. Basically, it focuses on selecting and specifying security controls for information systems and organizations. Now, it does have Appendix J, which addresses privacy controls, but the majority of the focus is on those security controls. Organizations in the public sector and private sector have available to them a stable but yet flexible catalogue of security controls that they can apply and incorporate into their security plans. Also, Appendix J will help them incorporate those privacy controls into their privacy plans.
There is an alignment with
which talks about the categorization of security levels as they apply to and from federal systems. And then the minimum security requirements are stated in FIPS 200. Just like we talked about previously, we look at a mechanism for including the security controls, and privacy controls to some degree, into your assessment and authorization processes. And then it allows us, as organizations, to go back and have a common language for how we discuss these controls as they apply to security risk management and privacy risk management within organizations.
When NIST established Appendix J, those controls were developed from the Fair Information Practice Principles that you might find in OMB Circular A-130, the Privacy Act of 1974, the E-Government Act of 2002 Section 208, and the various OMB circulars and memoranda. We use these FIPPs, as we talked about earlier, really to provide the public with insights into an organization's privacy practices and allay any fears that these agencies are incapable of protecting the American public's personally identifiable information from the time it's collected until the time it's disposed of. I want to make sure that again we've looked at potential privacy harms, privacy invasions to individuals, and are making sure that we have the appropriate controls in place that minimize the impact or damage to individuals as a result of a security incident or breach of personally identifiable information.
From a management perspective, the SAP that we talked about earlier in this course plays an important role, together with the chief privacy officer depending on the size of the organization, working in coordination with the Chief Information Security Officer, the Chief Information Officer and others to ensure we have end-to-end privacy protections in place from the time these information systems, which we hope are trustworthy, collect or create information until the time it is disposed of.
One of the key takeaways I want you to walk away with is the emphasis on privacy controls, which is significant; many organizations adopting Rev 4 simply focused on the security controls to the omission of the privacy controls. It's difficult to do that and have an effective privacy risk management program or privacy program when you don't account for these privacy controls and they're not incorporated into your assessment and authorization processes. One thing the controls also allow is for us to analyze the privacy risk associated with our processing activities and then to mitigate those risks when appropriate, and then to apply continuous monitoring to ensure that these privacy controls, as well as the security controls, are implemented correctly and working as intended.
These are the eight families of privacy controls as stated in Appendix J. Appendix J goes away in Rev 5, which I believe is a good thing. Starting with Authority and Purpose, it has two controls, the authority to collect
When we look at Accountability, Audit and Risk Management, that control family looks at governance and privacy program management, privacy impact and risk assessments, privacy requirements for contractors and service providers, privacy monitoring and auditing, privacy awareness and training, privacy reporting, privacy-enhanced systems design and development, and accounting of disclosures.
When we get to Data Quality and Integrity, that's where we're talking about maintaining data quality, maintaining data integrity, and making sure you have those data integrity boards, like we talked about during our discussion of the Computer Matching and Privacy Protection Act, to oversee those programs. When we talk about Data Minimization and Retention, we want to make sure that organizations are minimizing their use and collection of PII and making sure they have good strategies for data retention and data disposal. We also want to make sure that if we're using PII for testing, training and research, we minimize its use.
When we get to Individual Participation and Redress, we're talking about important privacy controls like consent, individual access to an individual's PII, redress, and complaints management. We have to talk about Security, making sure that we've done an inventory of PII, which should be the first thing that the organization does, because you must know the data, and then making sure you have the appropriate processes for privacy incident response. When we get to Transparency, that's when we're giving notice through privacy notices. Those have to comply with the Privacy Act of 1974. That's when you have to account for your system of records notices and Privacy Act statements. And then you want to make sure you have a process for being transparent, where you have the dissemination of privacy program information. Finally, in Use Limitation, we're talking about the internal use of PII and then information sharing with third parties.
Question one asks: what is Revision 4's purpose? The appropriate answers are A and B.
Question two asks: what is Appendix J's purpose? The appropriate answers are A, B, C and D.
Question three asks: which of the following controls are part of the eight NIST Special Publication 800-53 Rev 4 Appendix J privacy control families? The appropriate answers are A, C and D.
As always, I believe NIST Special Publication 800-53 Revision 4 is a phenomenal document that provides a catalogue of security controls and privacy controls for use by organizations. Rev 4 specifically looks at privacy controls, eight families of privacy controls and associated controls, and then Appendix J emphasizes the importance of identifying and incorporating these privacy controls into your assessment and authorization processes.