NIST SP 800-53 Revision 4, Appendix J: Privacy Control Catalog

Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
00:00
Hello everyone! It's Chris, the privacy gremlin, once again, and I'm glad to welcome you back to this course.
00:08
I'm the instructor for Cybrary's US Information Privacy course. It's always a pleasure to have the opportunity to dialogue with you about important privacy concepts and topics.
00:21
In lesson 4.3 we're going to continue our examination of important NIST special publications and internal documents.
00:27
In this lesson we're going to look specifically at NIST Special Publication 800-53 Revision 4, and we're going to look closely at Appendix J, which is its privacy control catalog.
00:47
I've used NIST Special Publication 800-53 Revision 4 extensively in my support to public sector organizations and agencies, and also private sector organizations and institutions, because of the catalogue of possible security controls and privacy controls that might be available to ensure that we have the appropriate security controls in place to mitigate both security and privacy risks.
01:22
It is an essential tool in my privacy toolkit, and, like I've previously stated, I encourage private sector privacy officials and professionals to review this document to see how it might make your privacy programs more successful.
01:41
We have several learning objectives. We're going to look at Revision 4's purpose, and then we're going to take a closer look at Revision 4's Appendix J. And then we'll close out with a review of the eight privacy control families listed in Appendix J and then look at those associated privacy controls.
02:06
I'm waiting, as many of you are waiting, for NIST to finalize its Revision 5, which does a great job of integrating privacy and security controls, not looking at them from separate perspectives.
02:23
And I believe that with the hard work that NIST has done in preparing Revision 5, it will greatly aid organizations in better understanding the applicability of both security and privacy controls across their organizations and enterprises.
02:43
So let's talk about Rev 4's purpose. Basically, it focuses on selecting and specifying security controls for information systems and organizations.
02:58
Now, it does have Appendix J, which addresses privacy controls, but the majority of the focus is on those security controls. Organizations in the public sector and private sector have available to them a stable but yet flexible catalogue of security controls that they can apply and incorporate into their security plans.
03:21
Also, Appendix J will help them incorporate those privacy controls into their privacy plans.
03:29
There is an alignment with FIPS 199, which talks about the categorization of security levels as they apply to federal systems. And then the minimum security requirements are stated in FIPS 200.
03:50
Just like we talked about previously, we look at a mechanism for including the security controls, and the privacy controls to some degree, in your assessment and authorization processes.
04:04
And then it allows us as organizations to have a common language for how we discuss these controls as they apply to security risk management and privacy risk management within organizations.
04:25
When we get to Appendix J: when NIST established Appendix J, they developed those controls from the Fair Information Practice Principles that you might find in OMB Circular A-130, the Privacy Act of 1974, the E-Government Act of 2002 Section 208, and the various OMB circulars and memoranda.
05:02
And so we use these FIPPs, as we talked about earlier, really to provide the public with insights into an organization's privacy practices and allay any fears that these agencies are incapable of protecting the American public's personally identifiable information from the time it's collected until the time it's disposed of.
05:27
I want to make sure that, again, we've looked at potential privacy harms, privacy invasions to individuals, and that we have the appropriate controls in place that minimize the impact or damage to individuals as a result of a security incident, privacy incident or breach of personally identifiable information.
05:54
From a management perspective, the SAOP that we talked about earlier in this course plays an important role, together with the chief privacy officer depending on the size of the organization, working in coordination with the Chief Information Security Officer, the Chief Information Officer and others, to ensure we have end-to-end privacy protections in place from the time these information systems, which we hope are trustworthy, collect or create information until the time it is disposed of.
06:28
One of the key takeaways I want you to walk away with is the emphasis on privacy controls, which is significant: many organizations adopting Rev 4 have simply focused on the security controls to the omission of the privacy controls.
06:50
It's difficult to do that and have an effective privacy risk management program, or privacy program, when you don't account for these privacy controls and they're not incorporated into your assessment and authorization processes.
07:08
One thing that the controls also allow is for us to analyze the privacy risk associated with our processing activities and then to mitigate those risks when appropriate, and then apply continuous monitoring to ensure that these privacy controls, as well as the security controls, are implemented correctly and working as intended.
07:33
These are the eight families of privacy controls as stated in Appendix J. Appendix J goes away in Rev 5, which I believe is a good thing.
07:47
But starting with Authority and Purpose: it has two controls, Authority to Collect and Purpose Specification.
07:56
When we look at Accountability, Audit and Risk Management, that control family looks at governance and privacy program management, privacy impact and risk assessments, privacy requirements for contractors and service providers, privacy monitoring and auditing, privacy awareness and training, privacy reporting, privacy-enhanced system design and development, and accounting of disclosures.
08:24
When we get to Data Quality and Integrity, that's where we're talking about maintaining data quality, maintaining data integrity, and making sure you have those data integrity boards, like we talked about during our discussion of the Computer Matching and Privacy Protection Act, to oversee those programs.
08:43
When we talk about Data Minimization and Retention, we want to make sure that organizations are minimizing their use and collection of PII and making sure they have good strategies for data retention and data disposal. We also want to make sure that if we're using PII for testing, training and research, we minimize its use.
09:07
When we get to Individual Participation and Redress, we're talking about important privacy controls like consent, individual access to an individual's PII, redress, and complaint management.
09:22
We have to talk about Security, making sure that we've done an inventory of PII, which should be the first thing that the organization does because you must know the data, and then making sure you have the appropriate processes for privacy incident response.
09:39
When we get to Transparency, that's where we're giving notice, or privacy notices. Those have to comply with the Privacy Act of 1974; that's where you have to account for your system of records notices and Privacy Act statements. And then you want to make sure you have a process for being transparent where you have the dissemination of privacy program information.
10:01
Finally, in Use Limitation, we're talking about the internal use of PII and then information sharing with third parties.
10:11
Question one asked what is Revision 4's purpose? The appropriate answers are A and B.
10:22
Question two asked what is Appendix J's purpose? The appropriate answers are A, B, C and D.
10:31
Question three asked which of the following controls are part of the eight NIST Special Publication 800-53 Rev 4 Appendix J privacy controls. Appropriate answers are A, C and D.
10:46
As always, I believe NIST Special Publication 800-53 Revision 4 is a phenomenal document that provides a catalogue of security controls and privacy controls for use by organizations. Rev 4 specifically looks at privacy controls, eight families of privacy controls and associated controls, and then Appendix J emphasizes the importance of identifying and incorporating these privacy controls into your assessment and authorization processes.