Sunday, January 8, 2017

NIST brings Privacy forward - NIST IR 8062


It is so good to see NIST bring Privacy out of the closet. I promoted the "hints of Privacy" that are buried deep within NIST SP 800-53, but those hints always needed to be enhanced with a harmonized set of Privacy Principles as a Framework, a Privacy Impact Assessment, and Privacy Risk Management.

I led my previous employer to create a "Design Engineering Privacy and Security Framework". This leveraged the NIST frameworks, especially SP 800-53, but we added an overall framework to bring in Privacy as an equal goal alongside Security and Safety. We then added a Privacy Impact Assessment to discover and manage risks to Privacy. Bringing in Safety is important in Healthcare, especially for Medical Devices, because the Risk Management plans for the three domains must be balanced so that all three risks are optimally reduced, each as low as possible. My Venn diagram speaks to the kinds of technical controls available to address each risk domain. Nothing is ever a clean bright line...

It is great to see NIST bring forward Privacy in NIST IR 8062 - An Introduction to Privacy Engineering and Risk Management (in Federal Systems) as a distinct, yet related, discipline.

Their stated purpose:
For purposes of this publication, privacy engineering means a specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII. This definition provides a frame of reference for identifying a privacy-positive outcome for federal systems and a basis for privacy risk analysis that has been lacking in the privacy field.
The great news about this is that their goal is to speak to those developing IT systems. Most of the other Privacy Frameworks target those who are running IT systems. Even Privacy-By-Design, which declares itself to be about 'design', is more about deployment than about software or database design. Software engineers have trouble with these frameworks because they are not the prime audience; the frameworks speak to business management and business risk. There is a need to speak to the engineering-level audience.

NIST writes standards for the USA Federal Government, thus this standard is targeted at IT 'in Federal Systems'. That wording reflects NIST's scope. It has NOTHING to do with the usefulness or global applicability of this specification.

The publication of NIST IR 8062 - An Introduction to Privacy Engineering and Risk Management (in Federal Systems) is just the start. I hope it will be refined and become more useful as experience using the NIST Privacy framework accumulates.