[WG-P3] Release of NIST SP 800-53 Appendix J, DRAFT Privacy Control Catalog

Anna Slomovic/Equifax anna.slomovic at equifax.com
Thu Jul 21 06:52:47 EDT 2011


I already forwarded the appendix to Bob.

Anna Slomovic
CPO, Equifax

Sent via DROID on Verizon Wireless

-----Original message-----
From: Mark Lizar <mark at smartspecies.com>
To: Shin_Adachi <shin at adachi.us>
Cc: Kantara P3WG <wg-p3 at kantarainitiative.org>
Sent: Thu, Jul 21, 2011 10:18:45 GMT+00:00
Subject: Re: [WG-P3] Release of NIST SP 800-53 Appendix J, DRAFT Privacy Control Catalog

Thank you for this Shin,

This is definitely of great interest.  This Appendix provides great assessment criteria for notice choice. As a result  I am quite impressed and may even have a few comments myself :-)  If there is any other interest in developing some comments, please let me know, as I would be interested in contributing to this effort.

First, I think that Appendix J should be included in the privacy assessment criteria that we are developing. My biggest concern about the privacy guidelines for FICAM has been the lack of adequate assessment criteria for notification, and that the evaluation of choice was not sufficient.

"Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated
authentication.  Adequate Notice includes a general description of the authentication event, any
transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or
transmission of PII to any party.  Adequate Notice should be incorporated into the Opt In process. "

Second, it has been a difficult conversation to broach, as there were no established criteria to standardise assessments against, while it was obvious that without some criteria, 'adequate notice' as described in the FICAM assessment guidance needed additional work.

So, with great relief, I propose that the PAC should now be supplemented with NIST 800-53 Draft Appendix J where necessary, especially with:

Control: The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that
impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal
of personally identifiable information (PII); (ii)  authority for collecting PII; (iii) the choices,
if any, individuals may have regarding how the organization uses PII and the consequences of
exercising or not exercising those choices; and (iv) the ability to access and have PII amended
or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that
information; (ii) how the organization uses PII internally; (iii) whether the organization shares
PII with external entities and the purposes for such sharing; (iv) whether individuals have the
ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v)
how individuals may obtain access to PII for the purpose of having it amended or corrected,
where appropriate; and (vi) how the PII will be protected;
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in
its activities that impact privacy; and
d. Ensures (e.g., through updated public notice) that individuals are aware of and, where
feasible, consent to all uses of PII not initially described in the public notice that was in effect
at the time the organization collected the PII.

Anna, do we need to discuss this in a call or can we just forward this NIST Appendix document to Bob and ask him to include this in the assessment?

Best Regards, and thanks for sending to the list.

Mark Lizar

On 19 Jul 2011, at 21:43, Shin_Adachi wrote:

Possibly of interest to you,


SP 800-53 Appendix J

DRAFT Privacy Control Catalog

The National Institute of Standards and Technology (NIST) announces the
initial public draft of Special Publication 800-53, Appendix J, Privacy
Control Catalog. With the increasing dependency on information systems,
dramatic advances in information technologies, and significant growth in
new applications of those technologies in such areas as cloud computing,
smart grid, and mobile computing, information security and privacy are
taking on new levels of importance in the public and private sectors.
Privacy, with respect to personally identifiable information, is a core
value that can be achieved only with appropriate legislation, policies,
and associated controls to ensure compliance with requirements. In
today's digital world, effective privacy for individuals depends on a
solid foundation of information security safeguards in the information
systems that are processing, storing, and transmitting personally
identifiable information. Privacy and security controls in federal
information systems, programs, and organizations are complementary and
mutually reinforcing in trying to achieve the privacy and security
objectives of organizations. Appendix J, Privacy Control Catalog, is a
new addition to NIST's family of standards and guidelines that will be
incorporated into the 2011 update to Special Publication 800-53,
Revision 4, projected for release in December 2011. Due to the
importance and special nature of the material in this Appendix, it is
being publicly vetted separately from the other changes to the
publication which will be released later this year. The objectives of
the Privacy Appendix are fourfold:

1. Provide a structured set of privacy controls, based on international
standards and best practices, that help organizations enforce
requirements deriving from federal privacy legislation, policies,
regulations, directives, standards, and guidance;

2. Establish a linkage and relationship between privacy and security
controls for purposes of enforcing respective privacy and security
requirements which may overlap in concept and in implementation within
federal information systems, programs, and organizations;

3. Demonstrate the applicability of the NIST Risk Management Framework in
the selection, implementation, assessment, and monitoring of privacy
controls deployed in federal information systems, programs, and
organizations; and

4. Promote closer cooperation between privacy and security officials within
the federal government to help achieve the objectives of senior
leaders/executives in enforcing the requirements in federal privacy
legislation, policies, regulations, directives, standards, and guidance.
The public comment period for NIST Special Publication 800-53, Appendix
J, is July 19 through September 2, 2011.
Please send comments to sec-cert at nist.gov.


Here is the URL to the News & Announcement page:

URL to Appendix J - PDF file:
