New Guidance on Privacy Controls for the Federal Government

Similar documents
Risk-Based Cyber Security for the 21 st Century

NIST SP , Revision 1 CNSS Instruction 1253

Evolving Cybersecurity Strategies

Cybersecurity: Trust, Visibility, Resilience. Tom Albert Senior Advisor, Cybersecurity NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

NIST Security Certification and Accreditation Project

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

Building More Secure Information Systems

TACIT Security Institutionalizing Cyber Protection for Critical Assets

The Future of Cyber Security NIST Special Publication , Revision 4

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

TEL2813/IS2621 Security Management

The Cybersecurity Risk Management Framework Applied to Enterprise Risk Management

Protecting the Nation s Critical Assets in the 21st Century

INFORMATION ASSURANCE DIRECTORATE

Cybersecurity & Privacy Enhancements

FISMAand the Risk Management Framework

INFORMATION ASSURANCE DIRECTORATE

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

INFORMATION ASSURANCE DIRECTORATE

The NIST Cybersecurity Framework

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Ransomware. How to protect yourself?

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

TEL2813/IS2820 Security Management

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Cybersecurity Planning Lunch and Learn

MIS Week 9 Host Hardening

Security Management Models And Practices Feb 5, 2008

HIPAA Security and Privacy Policies & Procedures

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

A Structured Approach for Privacy Risk Assessments for Federal Organizations

David Missouri VP- Governance ISACA

Appendix 12 Risk Assessment Plan

Security and Privacy Controls for Federal Information Systems and Organizations

How AlienVault ICS SIEM Supports Compliance with CFATS

NW NATURAL CYBER SECURITY 2016.JUNE.16

Cybersecurity: Incident Response Short

Re: Special Publication Revision 4, Security Controls of Federal Information Systems and Organizations: Appendix J, Privacy Control Catalog

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Appendix 12 Risk Assessment Plan

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Ensuring System Protection throughout the Operational Lifecycle

Information Technology General Control Review

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management

INFORMATION ASSURANCE DIRECTORATE

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

IASM Support for FISMA

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Executive Order 13556

Security Policies and Procedures Principles and Practices

Cyber Security Panel Discussion Gary Hayes, SVP & CIO Technology Operations. Arkansas Joint Committee on Energy March 16, 2016

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Designing and Building a Cybersecurity Program

Rethinking Cybersecurity from the Inside Out

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Cyber Security Awareness for SmallSat Ground Networks

Written Statement of. Timothy J. Scott Chief Security Officer The Dow Chemical Company

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

SYSTEMS ASSET MANAGEMENT POLICY

Altius IT Policy Collection Compliance and Standards Matrix

Section One of the Order: The Cybersecurity of Federal Networks.

Security and Privacy Governance Program Guidelines

What Why Value Methods

The Common Controls Framework BY ADOBE

Checklist: Credit Union Information Security and Privacy Policies

QuickBooks Online Security White Paper July 2017

Guide for Assessing the Security Controls in Federal Information Systems

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

ISACA Arizona May 2016 Chapter Meeting

Streamlined FISMA Compliance For Hosted Information Systems

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Altius IT Policy Collection Compliance and Standards Matrix

10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

Defining IT Security Requirements for Federal Systems and Networks

Cybersecurity and Data Protection Developments

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

Compliance with NIST

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

Cyber Hygiene: A Baseline Set of Practices

SECURITY & PRIVACY DOCUMENTATION

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

Information Assurance 101

Certification Exam Outline Effective Date: September 2013

Introduction Privacy, Security and Risk Management. What Healthcare Organizations Need to Know

GDPR Update and ENISA guidelines

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Education Network Security

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

NIST Special Publication

Protecting Information Assets - Week 3 - Data Classification Processes and Models. MIS 5206 Protecting Information Assets

CA Security Management

NIST s Industrial Control System (ICS) Security Project

Transcription:

New Guidance on Privacy Controls for the Federal Government IAPP Global Privacy Summit 2012 March 9, 2012 Dr. Ron Ross Computer Security Division, NIST Martha Landesberg, J.D., CIPP/US The Privacy Office, DHS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

The Perfect Storm Explosive growth and aggressive use of information technology. Proliferation of information systems and networks with virtually unlimited connectivity. Increasing sophistication of threat including exponential growth rate in malware (malicious code). Resulting in an increasing number of penetrations of information systems in the public and private sectors potentially affecting security and privacy NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

The Threat Situation Continuing serious cyber attacks on public and private sector information systems targeting key operations, assets, and individuals Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated. Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with hostile intentions. Effective deployment of malware causing significant exfiltration of sensitive information (e.g., intellectual property). Potential for disruption of critical systems and services. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

Unconventional Threats Affecting Security and Privacy Connectivity Complexity Culture NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

Mainstreaming Security and Privacy Information security and privacy requirements must be considered first order requirements and are critical to mission and business success. An effective organization-wide information security and privacy programs help to ensure that security and privacy considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle. Use Federal Segment Architecture Methodology and FEA Security and Privacy Profile for implementation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

Mutually Supporting Objectives Enterprise Architecture Standardization, consolidation, optimization. Information Security Confidentiality, integrity, and availability of information processed, stored, and transmitted by information systems. Privacy Confidentiality and integrity of personally identifiable information; collection of information (data minimization); use of information (sharing and disclosure concerns). Requires a disciplined, structured process that takes a holistic, organization-wide view NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

Information security and privacy, traditional societal values, are at greater risk today due to the ever increasing size of our digital footprint NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

Enterprise-Wide Risk Management Multi-tiered Risk Management Approach Implemented by the Risk Executive Function Enterprise Architecture and SDLC Focus Information Security Architecture Flexible and Agile Implementation Threat Aware TIER 1 Organization (Governance) TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information System (Environment of Operation) STRATEGIC RISK FOCUS TACTICAL RISK FOCUS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

Risk Management Process Risk Framing Risk Framing Assess Respond Risk Risk Framing Monitor Risk Framing NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

Risk Management Framework Starting Point CATEGORIZE Information System MONITOR Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Security Life Cycle SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. ASSESS Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). IMPLEMENT Security Controls Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

A new initiative to develop privacy controls for federal information systems and organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

Privacy Control Families Families are based upon the Fair Information Practice Principles (FIPPs) Use them to build privacy into new or modified: Programs, research, pilots; Information systems; Technology (surveillance cameras, body imaging devices, data mining); and Any other business-related activity that involves personally identifiable information (PII). NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

Applying Privacy Control Families (1 of 2) Preliminary steps: Identify the types of PII involved; Identify the legal framework that applies; (Statutes, regulations, and policies that must be applied) Map the data flows. Law enforcement and intelligence programs and systems, particularly those that are classified, will require modifications in light of their legal and operational requirements. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

Applying Privacy Control Families (2 of 2) Families are interrelated -- action taken in one family likely will affect the implementation of another. Families are not in any particular order and should be considered individually and as a whole. Families are iterative and must be revisited to determine the impact of changes to any particular family. Families must be analyzed and applied to each agency s distinct mission, operation, and legal authorities and obligations. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

Fair Information Practice Principles Transparency Individual Participation and Redress Purpose Specification Data Minimization and Retention Use Specification Data Quality and Integrity Security Accountability and Auditing NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

Privacy Control Families Authority and Purpose (AP) Accountability, Audit, and Risk Management (AR) Data Quality and Integrity (DI) Data Minimization and Retention (DM) Individual Participation and Redress (IP) Security (SE) Transparency (TR) Use Limitation (UL) NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

What do we achieve? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

Benefits Well defined privacy controls that help demonstrate compliance with federal legislation and policies. Measurable and enforceable privacy requirements. Closer linkage to enterprise cyber security programs to provide a solid foundation for privacy. Enterprise-wide defense-in-depth for security and privacy. Security and privacy requirements traceability. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

Defense-in-Depth Links in the Security and Privacy Chain: Security and Privacy Controls Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical and personnel security Security assessments and authorization Continuous monitoring Privacy protection Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Adversaries attack the weakest link where is yours? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

Hybrid Controls Hybrid Controls Ongoing Authorization Decisions Ongoing Authorization Decisions Defense-in-Breadth RISK EXECUTIVE FUNCTION Organization-wide Risk Governance and Oversight Strategic Risk Management Focus Security/Privacy Plan Assessment Report Core Missions / Business Processes Security Requirements Policy Guidance INFORMATION SYSTEM System-specific Controls INFORMATION SYSTEM System-specific Controls Security/Privacy Plan Assessment Report Top Level Risk Management Strategy Informs Plan of Action and Milestones Plan of Action and Milestones Tactical Risk Management Focus RISK MANAGEMENT FRAMEWORK (RMF) COMMON CONTROLS Security Controls Inherited by Organizational Information Systems New Privacy Controls Operational Elements Enterprise-Wide Security/Privacy Plan Assessment Report Plan of Action and Milestones Ongoing Authorization Decisions NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

Requirements Traceability 30,000 FT Legislation, Presidential Directives, OMB Policies High Level, Generalized, Information Security and Privacy Requirements 15,000 FT Federal Information Processing Standards FIPS 200: Minimum Information Security Requirements FIPS 199: Security Categorization 5,000 FT Security and Privacy Controls NIST Special Publication 800-53 Ground Zero Information Systems and Environments of Operation Hardware, Firmware, Software, Facilities NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

Joint Task Force Transformation Initiative Core Risk Management Publications NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations SP 800-53, Revision 4 Appendix J: Privacy Control Catalog NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans SP 800-53A, Revision 2 Privacy Assessment Procedures NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

Important Take Aways Developing new privacy controls in NIST SP 800-53. Creating stronger relationship between security and privacy groups within organizations. Providing a standardized approach for specifying privacy requirements within organizations. Building on strong foundation of cyber security to achieve a more comprehensive privacy program within organizations. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

Contact Information Dr. Ron Ross ron.ross@nist.gov Computer Security Division, NIST Martha Landesberg, J.D., CIPP/US martha.landesberg@hq.dhs.gov The Privacy Office, DHS NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback