U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

NISTIR 8062 (Draft)

Privacy Risk Management for Federal Information Systems

Date Published: May 2015
Comments Due: July 31, 2015 (public comment period is CLOSED)
Email Questions to: privacyeng@nist.gov

Author(s)

Michael Garcia (NIST), Naomi Lefkovitz (NIST), Suzanne Lightman (NIST)

Editor(s)

Sean Brooks (NIST), Ellen Nadeau (NIST)

Announcement

NIST requests comments on the draft report NISTIR 8062, Privacy Risk Management for Federal Information Systems, which describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems.

Background:

Expanding opportunities in cloud computing, big data, and cyber-physical systems are bringing dramatic changes to how we use information technology. While these technologies bring advancements to U.S. national and economic security and our quality of life, they also pose risks to individuals' privacy.

Privacy Risk Management for Federal Information Systems (NISTIR 8062) introduces a privacy risk management framework for anticipating and addressing risks to individuals' privacy. In particular, it focuses on three privacy engineering objectives and a privacy risk model. To develop this document, NIST conducted significant public outreach and research. We are soliciting public comments on this draft to obtain further input on the proposed privacy risk management framework, and we expect to publish a final report based on this additional feedback.

Note to Reviewers:

To facilitate public review, we have compiled a number of topics of interest to which we would like reviewers to respond. Please keep in mind that it is not necessary to respond to all topics listed below, Reviewers should also feel free to suggest other areas of revision or enhancement to the document.

  • Privacy Risk Management Framework: Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy? Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel? Are there any gaps in the framework?
  • Privacy Engineering Objectives: Do these objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies' privacy goals and requirements? Are there properties or capabilities that systems should have that these objectives do not cover?
  • Privacy Risk Model:
    • Does the equation seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks?
    • Can data actions be evaluated as the document proposes? Is the approach of identifying and assessing problematic data actions usable and actionable?
    • Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?
    • The NISTIR describes the difficulty of assessing the impact of problematic data actions on individuals alone, and incorporates organizational impact into the risk assessment. Is this appropriate or should impact be assessed for individuals alone? If so, what would be the factors in such an assessment

Abstract

Keywords

cybersecurity; information security; privacy; computer security; risk management
Control Families

Risk Assessment

Documentation

Publication:
Draft NISTIR 8062

Supplemental Material:
None available

Document History:
05/28/15: NISTIR 8062 (Draft)
01/04/17: NISTIR 8062 (Final)

Topics

Security and Privacy
privacy; risk assessment