Innovations in cloud computing, big data and cyber-physical systems are bringing dramatic changes to how we use information technology. But while these technologies promise important benefits for the nation’s economy and security and our quality of life, they pose an increasing risk to individual privacy.
To better anticipate and address the impacts these technologies can have on privacy in federal information systems, the National Institute of Standards and Technology (NIST) has drafted a document that lays out a framework for privacy risk management. NIST is asking for public comment on the draft framework.
The draft document supports such methods by providing a common vocabulary, objectives to facilitate privacy engineering, and a risk model for assessing privacy risk in information systems.
The privacy engineering objectives provide a conceptual framework for engineers and system designers to bridge the gap between high-level principles and implementation. The objectives are intended to support privacy risk management by facilitating consistent, actionable and measurable design decisions. The privacy risk model aims to provide a repeatable and measurable method for addressing privacy risk in information systems.
In developing the draft Privacy Risk Management Framework, NIST sought the perspectives and experiences of privacy experts across a variety of sectors in an open and transparent process that included workshops, public comment periods and various other outreach activities.
Future areas of work will focus on improving the application of policy, operational and technical controls to mitigate risks identified with the Privacy Risk Management Framework. NIST will continue to request feedback from federal agencies, academic institutions and other organizations to refine the privacy engineering objectives and the privacy risk model, and to develop additional guidance to assist agencies in determining the likelihood and impact of privacy risks.
Read the full draft document on the NIST website [and embedded below] and submit comments to email@example.com using the format provided. Collected input will be used to refine the framework. The public comment closes July 13, 2015, at 5 p.m. Eastern time.
From the Abstract:
This document describes a privacy risk management framework for federal information systems. The framework provides the basis for the establishment of a common vocabulary to facilitate better understanding of and communication about privacy risks and the effective implementation of privacy principles in federal information systems.
This publication focuses on the development of two key pillars to support the application of the framework: privacy engineering objectives and a privacy risk model.
See Also: Notes to Reviewers From NIST:
To facilitate public review, we have compiled a number of topics of interest to which we would like reviewers to respond. Please keep in mind that it is not necessary to respond to all topics listed below, Reviewers should also feel free to suggest other areas of revision or enhancement to the document.
- Privacy Risk Management Framework: Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy? Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel? Are there any gaps in the framework?
- Privacy Engineering Objectives: Do these objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies’ privacy goals and requirements? Are there properties or capabilities that systems should have that these objectives do not cover?
- Privacy Risk Model:
- Does the equation seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks?
- Can data actions be evaluated as the document proposes? Is the approach of identifying and assessing problematic data actions usable and actionable?
- Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?
- The NISTIR describes the difficulty of assessing the impact of problematic data actions on individuals alone, and incorporates organizational impact into the risk assessment. Is this appropriate or should impact be assessed for individuals alone? If so, what would be the factors in such an assessment.
Direct to Full Text Document (Also Embedded Below): DRAFT: Privacy Risk Management for Federal Information Systems (64 pages; PDF)