Sunday, March 18, 2012

FYI: NIST: Revision of SP 800-53 Addresses Current Cybersecurity Threats, Adds Privacy Controls

I often reference NIST 800-53. Not because I am USA centric, but because it is the most readable and comprehensive catalog of security, and now privacy, controls. There are plenty of standards that try to address security and privacy functionality, and they are all good. I just like this one because it is both comprehensive and readable. It is not just a catalog, but also a process for determining what should be done, and for analyzing whether you are complete. It really is a total package.

I would like to see more references made to core functional specifications like this one, with just the healthcare specifics added. This is my approach in my efforts with ISO 14441 and EHR Functional Model.
Revision of SP 800-53 Addresses Current Cybersecurity Threats, Adds Privacy Controls
A major revision of a Federal Information Security Management Act (FISMA) publication released today by the National Institute of Standards and Technology (NIST) adds guidance for combating new information security threats and incorporates new privacy controls to the framework that federal agencies use to protect their information and information systems.  
.... 
The public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4 may be found at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%204. Comments on SP 800-53, Revision 4 are requested by April 6, 2012. 

The way they handle Privacy Controls is very good. They have created a new Appendix "J".
PRIVACY CONTROLS 
PROVIDING PRIVACY PROTECTION FOR FEDERAL INFORMATION 
Appendix J, Privacy Control Catalog, is a new addition to NIST Special Publication 800-53. It is intended to address the privacy needs of federal agencies. The objective of the Privacy Appendix is fourfold:
•   Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance;
•   Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
•   Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
•   Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
There is a strong similarity in the structure of the privacy controls in Appendix J and the security controls in Appendices F and G. Moreover, the use of privacy plans in conjunction with security plans provides an opportunity for organizations to select the appropriate set of security and privacy controls in accordance with organizational mission/business requirements and the environments in which the organizations operate. Incorporating the same concepts used in managing information security risk helps organizations implement privacy controls in a more cost-effective, risk-based manner while simultaneously protecting individual privacy and meeting compliance requirements. Standardized privacy controls provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance to those requirements.