[WG-P3] Release of NIST SP 800-53 Appendix J, DRAFT Privacy Control Catalog

Mark Lizar mark at smartspecies.com
Thu Jul 21 06:18:45 EDT 2011


Thank you for this, Shin,

This is definitely of great interest. This Appendix provides great assessment criteria for notice and choice. As a result I am quite impressed and may even have a few comments myself :-) If there is any other interest in developing some comments, please let me know, as I would be interested in contributing to this effort.

First, I think that Appendix J should be included in the privacy assessment criteria that we are developing. My biggest concern about the privacy guidelines for FICAM has been the lack of adequate assessment criteria for notification, and that the evaluation of choice was not sufficient.

"Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process."

Second, it has been a difficult conversation to broach, as there were no established criteria to standardise assessments against, while it was obvious that without some criteria, 'adequate notice' as described in the FICAM assessment guidance needed additional work.

So with great relief I propose that the PAC should now be supplemented with NIST 800-53 Draft Appendix J where necessary, especially with:

Control: The organization:

a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;

b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII for the purpose of having it amended or corrected, where appropriate; and (vi) how the PII will be protected;

c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy; and

d. Ensures (e.g., through updated public notice) that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.

Anna, do we need to discuss this in a call or can we just forward this NIST Appendix document to Bob and ask him to include this in the assessment?

Best Regards, and thanks for sending to the list.

Mark Lizar



On 19 Jul 2011, at 21:43, Shin_Adachi wrote:

> Of your possible interest,
>
> Shin
> ---
> Shin_ADACHI, CISSP, PMP
> PGP_Key_ID:0xF9EAD9DF
> +1-408-217-9980
>
> ----------------------
> SP 800-53 Appendix J
>
> DRAFT Privacy Control Catalog
>
> The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-53, Appendix J, Privacy Control Catalog. With the increasing dependency on information systems, dramatic advances in information technologies, and significant growth in new applications of those technologies in such areas as cloud computing, smart grid, and mobile computing, information security and privacy are taking on new levels of importance in the public and private sectors. Privacy, with respect to personally identifiable information, is a core value that can be achieved only with appropriate legislation, policies, and associated controls to ensure compliance with requirements. In today's digital world, effective privacy for individuals depends on a solid foundation of information security safeguards in the information systems that are processing, storing, and transmitting personally identifiable information. Privacy and security controls in federal information systems, programs, and organizations are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations. Appendix J, Privacy Control Catalog, is a new addition to NIST's family of standards and guidelines that will be incorporated into the 2011 update to Special Publication 800-53, Revision 4, projected for release in December 2011. Due to the importance and special nature of the material in this Appendix, it is being publicly vetted separately from the other changes to the publication which will be released later this year. The objectives of the Privacy Appendix are fourfold:
>
> 1. Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance;
>
> 2. Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
>
> 3. Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
>
> 4. Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
>
> The public comment period for NIST Special Publication 800-53, Appendix J, is July 19 through September 2, 2011.
> Please send comments to sec-cert at nist.gov.
>
> ________________________________________
>
> Here is the URL to the News & Announcement page:
> http://csrc.nist.gov/news_events/index.html#july19
>
>
> URL to Appendix J - PDF file:
> http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf
>
>
>
> DRAFTS page URL:
> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Appendix%20J--