From HealthCareInfoSecurity.com | Eric Chabrow, June 1, 2015
In assessing risk, computer security is judged against three properties: confidentiality, integrity and availability. But those three properties alone do not help systems designers assess privacy risk. So the National Institute of Standards and Technology is developing a privacy risk management framework.
NIST has issued a draft of the privacy framework, Interagency Report 8062: Privacy Risk Management for Federal Information Systems, which identifies three privacy engineering objectives, the privacy counterpart to the security triad: predictability, manageability and "disassociability." It's designed to be used by designers and engineers in building information systems that implement an organization's privacy goals and support the management of privacy risk.
"We wanted to be able to build a distinct but complementary framework that would provide some of those tools to help understand where the overlap and distinctions are between security and privacy risk," says NIST Senior Adviser Naomi Lefkovitz, who worked on the report.
Defining Disassociability, Other Traits
According to the report:
- Predictability enables reliable assumptions by individuals, owners and operators about personal information and its processing by an information system.
- Manageability provides capability for granular administration of personal information, including alteration, deletion and selective disclosure.
- Disassociability allows the processing of personal information or events without association to individuals or devices beyond the operational requirements of the system.
How Security, Privacy Risks Differ
Designers think of security risks in terms of threats and vulnerabilities, and design systems to address them. But Lefkovitz points out that privacy risks are often caused by the way designers architect systems, even secure ones: the operations that process personally identifiable information can themselves create privacy risk. "When security people think about threats, they think of bad actors or events out of their control, such as natural disasters," Lefkovitz says. "But [in regards to privacy], it's the operation of the system that's giving rise to the risk."
As an example, Lefkovitz points to smart metering of electricity. The systems can be built securely to protect the private information collected, but the data itself can reveal people's behavior inside their homes. In addition, the report says, security tools designed to safeguard PII from malicious actors, such as persistent activity monitoring, could reveal information about individuals that is unrelated to cybersecurity.
The privacy framework NIST is developing also establishes a common vocabulary for privacy risk. "Privacy principles are these general, high-level terms, and it's hard for engineers and designers to translate them into specific requirements for the system," Lefkovitz says.
As the draft report states, risk is often expressed as a function of the likelihood that an adverse outcome occurs multiplied by the magnitude of the adverse outcome should it occur. The draft examines this concept of risk and how it can be expressed in terms that facilitate improved identification and management of privacy risk.
To aid agencies in using the privacy risk management framework and applying the privacy risk model, NIST has developed an initial set of worksheets, collectively referred to as the Privacy Risk Assessment Methodology, or PRAM. The draft report describes the inputs to the PRAM and provides examples for organizations to follow when applying the privacy risk management framework to their own systems.
Privacy Risk Assessment Methodology
Though NIST is developing the privacy framework for U.S. federal agencies, Lefkovitz says it could easily be adopted by other governmental and nongovernmental organizations, including entities in the private sector. Several organizations that are piloting authentication and identity systems for NIST's National Strategy for Trusted Identities in Cyberspace have used worksheets in the privacy framework to help develop their projects.
NIST is seeking feedback on the privacy framework that could be incorporated when the final version of the report is issued. NIST does not provide a firm date for when it issues final versions of its publications, but publication often occurs within three to six months after a draft is released. Comments should be sent to PrivacyEng@NIST.gov by 5 p.m. EDT, July 13, using NIST's comment form.