NIST SP 800-53 Revision 4, Appendix J: Privacy Control Catalog

Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
Hello everyone. It's Chris, the Privacy Gremlin once again, and I'm glad to welcome you back to this course. I'm the instructor for Cybrary's US Information Privacy course. It's always a pleasure to have the opportunity to dialogue with you about important privacy concepts and topics.

In Lesson 4.3, we're going to continue our examination of important NIST special publications and internal documents. In this lesson, we're going to look specifically at NIST Special Publication 800-53 Revision 4, and we're going to look closely at Appendix J, which is its privacy control catalog.

I've used NIST Special Publication 800-53 Revision 4 extensively in my support to public sector organizations and agencies, and also to private sector organizations and institutes, because of the catalog of possible security controls and privacy controls that might be available to ensure that we have the appropriate security controls in place that might mitigate both security and privacy risks. It is an essential tool in my privacy toolkit. Like I've previously stated, I encourage private sector privacy officials and professionals to review this document to see how it might make your privacy programs more successful.

We have several learning objectives. We're going to look at Revision 4's purpose, and then we're going to take a closer look at Revision 4's Appendix J. Then we'll close out with a review of the eight privacy control families listed in Appendix J and then look at those associated privacy controls.

I'm waiting, as many of you were waiting, for NIST to finalize its Revision 5, which does a great job of integrating privacy and security controls, not looking at them from separate perspectives. I believe that with the hard work that NIST has done in preparing Revision 5, it will greatly aid organizations in better understanding the applicability of both security and privacy controls across their organizations and enterprises.

Let's talk about Rev 4's purpose. Basically, it focuses on selecting and specifying security controls for information systems in organizations. It does have Appendix J, which addresses privacy controls, but the majority of the focus is on those security controls. Organizations in the public sector or private sector have available to them a stable but yet flexible catalog of security controls that they can apply and incorporate into their security plans. Also, Appendix J will help them incorporate those privacy controls into their privacy plans. There is an alignment with FIPS 199, which talks about the categorization of security levels as they apply to federal systems, and then the minimum security requirements as stated in FIPS 200. Just like we talked about previously, we look at a mechanism for including these security controls, and privacy controls to some degree, in your assessment and authorization processes. Then it allows us as organizations, when we have to go back, to have a common language for how we discuss these controls as they apply to security risk management and privacy risk management within organizations.

When we get to Appendix J, NIST established Appendix J in order to develop those controls from the Fair Information Practice Principles that you might find in OMB Circular A-130, the Privacy Act of 1974, the E-Government Act of 2002 Section 208, and the various OMB circulars and memoranda. We use these FIPPs, as we talked about earlier, really to provide the public with insights into an organization's privacy practices, and to allay any fears, again, that these agencies are incapable of protecting the American public's personally identifiable information from the time it's collected until the time it's disposed of. We also make sure that, again, we've looked at potential privacy harms, privacy invasions to individuals, and that we have the appropriate controls in place that minimize the impact or damage to individuals as a result of a security incident, a privacy incident, or a breach of personally identifiable information.

From a management perspective, the SAOP that we talked about earlier in this course plays an important role together with the Chief Privacy Officer, depending on the size of the organization, working in coordination with the Chief Information Security Officer, the Chief Information Officer, and others to ensure we have end-to-end privacy protections in place from the time these information systems, which we hope are trustworthy, collect or create information until the time it's disposed of.

One of the key takeaways I want you to walk away with is the emphasis on privacy controls, which are significant. Many organizations, in adopting Rev 4, simply focused on the security controls to the omission of the privacy controls. It's difficult to do that and have an effective privacy risk management program or privacy program when you don't account for these privacy controls and they're not incorporated into your assessment and authorization processes. One thing that the controls also allow is that they allow us to analyze the privacy risk associated with our processing activities, and then to mitigate those risks when appropriate, and to apply continuous monitoring and ensure that these privacy controls, as well as the security controls, are implemented correctly and working as intended.

These are the eight families of privacy controls as stated in Appendix J. Appendix J goes away in Rev 5, which I believe is a good thing. But starting with Authority and Purpose, it has two controls: authority to collect and purpose specification. When we look at Accountability, Audit, and Risk Management, that control family looks at governance and privacy program management, privacy impact and risk assessments, privacy requirements for contractors and service providers, privacy monitoring and auditing, privacy awareness and training, privacy reporting, privacy-enhanced system design and development, and accounting of disclosures. When we get to Data Quality and Integrity, that's what we're talking about: maintaining data quality, maintaining data integrity, and making sure you have those data integrity boards, like we talked about during our discussion of the Computer Matching and Privacy Protection Act, to oversee those programs. When we talk about Data Minimization and Retention, we want to make sure that the organizations are minimizing their use and collection of PII and making sure they have good strategies for data retention and data disposal. We also want to make sure that if we're using PII for testing, training, and research, we minimize its use. When we get to Individual Participation and Redress, we're talking about important privacy controls like consent, individual access to an individual's PII, redress, and complaint management. We have to talk about Security, making sure that we've done an inventory of PII, which should be the first thing that the organization does, because you must know your data. Then making sure you have the appropriate processes for privacy incident response. When we get to Transparency, that's when we're giving notice: your privacy notices. Those have to comply with the Privacy Act of 1974. That's when you have to account for your system of records notices and Privacy Act statements. Then you want to make sure that you have a process for being transparent, where you have the dissemination of privacy program information. Finally, in Use Limitation, we're talking about internal use of PII, and then information sharing with third parties.

Question one asks, what is Revision 4's purpose? The appropriate answers are A and B. Question two asks, what is Appendix J's purpose? The appropriate answers are A, B, C, and D. Question three asks, which of the following controls are part of the eight NIST Special Publication 800-53 Revision 4 Appendix J privacy controls? The appropriate answers are A, C, and D.

As always, I believe NIST Special Publication 800-53 Revision 4 is a phenomenal document that provides a catalog of security controls and privacy controls for the use of our organizations. Rev 4 specifically looks at privacy controls, eight families of privacy controls and associated controls. Then Appendix J emphasizes the importance of identifying and incorporating these privacy controls into your assessment and authorization processes.