NISTIR 8062 and Privacy


Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
>> Hello everyone. It's Chris [inaudible] Gremlin, and I'm Cybrary's instructor for its US Information Privacy course. In lesson 4.5, we're going to look at NISTIR internal report 8062, entitled An Introduction to Privacy Engineering and Risk Management in Federal Systems. As a privacy professional who has supported executive branch agencies, legislative branch agencies, and also private sector organizations, institutions, and companies, I see the applicability and the utility in using privacy engineering to translate privacy policies, procedures, and standards, and to translate those fair information practice principles, into system privacy requirements. It also gives us the ability to identify the appropriate privacy controls to help these organizations mitigate the risk associated with the data processing of personally identifiable information.

NISTIR 8062 is mandatory for executive branch agencies, but I also encourage privacy professionals in the private sector to use this internal report: place it in your privacy toolkit while you work with your counterparts to implement programs like privacy by design and privacy by default.
We have several learning objectives. We're going to look at NISTIR 8062's purpose and scope. We're going to look at the engineering approach to privacy that it proposes, and then we are also going to look at the components for privacy engineering in federal systems.
It was in July of 2016 that the Office of Management and Budget revised OMB Circular A-130, Managing Information as a Strategic Resource, to place greater emphasis on privacy risk management as it applies to the risk management framework. It challenged these organizations not only to look at and manage security risks, but also the privacy risks associated with their federal information systems and processes.
What NISTIR 8062 does is this: where security tends to look at the unauthorized system behaviors of an information system, privacy engineering looks at both unauthorized and authorized system behaviors to see if there are any adverse actions or problematic data actions that might occur from the processing of PII and that might pose harm to individuals and organizations. NISTIR 8062 also helps these organizations translate this guidance into effective information security risk management programs as well as privacy risk management programs.
Let's look at an engineering approach to privacy. We can look back at OMB Circular A-130, which has placed greater emphasis on privacy, the use of privacy controls, and effective privacy risk management to ensure that we have trustworthy systems processing this valuable information.
When we go back and look at Circular A-130's FIPPs as revised in 2016, they reflect principles like access and amendment, accountability, authority, minimization, quality and integrity, individual participation, purpose specification and use limitation, security, and transparency. Organizations were supposed to take these FIPPs themselves and build effective privacy programs that allow them to safely collect, use, disclose, retain, and dispose of personally identifiable information.
We talked earlier about privacy problems that might arise not only from unauthorized access to PII, but from the authorized processing of PII. We use terms like data actions: collection, use, disclosure, retention, and disposal. We talked about the importance of data processing, combining one or more of those data actions to process personally identifiable information. We talked about problematic data actions, which are those adverse actions that arise during unauthorized and authorized system behavior and that might cause or create privacy harms, privacy invasions, and privacy events that place individuals and organizations at risk.
When we talk about privacy engineering, privacy engineering is the concept that we're going to be able to take those fair information practice principles and translate them into system privacy requirements. We're going to look at our privacy policies, procedures, and standards and engineer those into trustworthy systems, so that we know that the systems that are going to process PII have the appropriate controls in place to mitigate the risk associated with the processing of PII.
When we talk about the privacy engineering objectives, those of you who have worked in the information security career field are familiar with terms like confidentiality, integrity, and availability. Here, from a privacy engineering perspective, the terms we're using for these objectives are predictability, manageability, and disassociability. Now again, these privacy objectives are not there to replace the FIPPs; they're there to help organizations translate the FIPPs into applicable privacy controls and system privacy requirements.
When we talk about predictability, then again, users should not be surprised by the processing of their personally identifiable information by these systems. It should be transparent to them. If we're talking about a control like notice, the system itself not only gives them notice of an organization's privacy principles, but we can make reliable assumptions about whether the user actually read and understood the privacy notice, or responded as anticipated. Predictability, from a privacy engineering standpoint, allows us to determine whether those privacy controls are working as intended. It also allows organizations to better manage accountability for their systems' compliance with organizational privacy policies and system privacy requirements.
When we talk about manageability, it allows us to take certain of those fair information practice principles that we talked about earlier (access and amendment, accountability, minimization, quality and integrity, and individual participation) and make sure that the system owner can ensure that any inaccurate information can be readily identified and corrected, that any obsolete information is disposed of, that only the necessary information is collected or disclosed, and that we are maintaining an individual's privacy preferences about how their information is implemented and maintained.
When we talk about disassociability, again, we've built in those system privacy requirements, those privacy controls, that place some separation between the processing of information that pertains to a person and the information itself. You've used terms like anonymity and pseudonymity: controls that allow for the processing of PII by these systems without any type of direct or indirect link to the individual to whom that information pertains.
Question 1 asks: NISTIR 8062's purpose and scope includes which of the following choices? The appropriate answers are A, B, and D. Question 2 asks: how does NISTIR 8062 define privacy engineering? Again, the appropriate answer would be D. Question 3 asks about the privacy engineering objectives. B, C, and D are the appropriate answers.
In summary, when we look at NISTIR 8062 and its contributions to executive branch agencies and the federal government, it allows them to engineer system privacy requirements and privacy controls into information systems, so that we have trustworthy systems that are able to process and safely secure personally identifiable information from the time it's collected until the time it's disposed of by these systems. It proposes three engineering objectives: predictability, manageability, and disassociability. It emphasizes the importance of privacy engineering to ensure that information systems that are going to process personally identifiable information throughout its information life cycle can do so while meeting OMB Circular A-130's requirements for effective privacy risk management.