Privacy controls (draft of SP800-53 Appendix J)
“Strong normalized privacy controls are an essential component in the ongoing effort to build measurable privacy compliance,” said NIST Senior Internet Policy Advisor Ari Schwartz. “Certainty in controls and measures can help promote privacy, trust and greater confidence in new standards.”
This addition to the security control catalogue of SP800-53r3 (as Appendix J) focuses on the life cycle of Personally Identifiable Information (PII). The controls are divided into 8 categories:
- Transparency, about the privacy-impacting activities of the service organisation.
- Individual Participation and Redress, providing means for individuals to access and alter PII.
- Authority and Purpose, on legal compliance by specifying what is stored.
- Data Minimization and Retention, defining controls on retention periods and disposal.
- Use Limitation, about using data internally and with third parties.
- Data Quality and Integrity
- Security: administrative, technical and physical security measures including privacy incident response handling.
- Accountability, Audit and Risk Management: on the monitoring, management and assessment of the controls
The privacy controls are based on the Fair Information Practice Principles (FIPPs) embodied in the Privacy Act of 1974 and the E-Government Act of 2002 (Section 208). The draft of Appendix J is currently open for comments and will be formalised into NIST SP800-53 revision 4 as of December 2011.
This draft publication is no longer available as a separate download, as it has been included in the final version of NIST SP800-53 revision 4.