nist_privacy_risk_workshop_6.5.17.pptx

•Download as PPTX, PDF•

0 likes•21 views

The document discusses the need for privacy risk assessments and management frameworks similar to those that exist for security risks. It notes that NIST has published guidance on privacy risk assessments and references NIST publications on risk management frameworks. The document seeks input on how organizations can effectively conduct privacy risk assessments, whether privacy risk models differ from security risk models, and what the key factors for privacy risk analysis should be. It outlines NIST's plan to develop additional guidance tools to help organizations with privacy risk management.

Technology

Privacy Risk Assessments:
A Prerequisite to Privacy Risk Management

Trustworthy Systems: Foundational to a
Digital Society
What makes systems trustworthy?
• Multiple attributes of trustworthiness include security, safety, reliability, etc.
• Privacy must be considered one of the attributes
How can we know if systems are trustworthy?
• Repeatable and measurable approaches help provide a sufficient base of
evidence
• Privacy needs a body of guidance for repeatable and measurable approaches
similar to other attributes of trustworthiness

Friction in Our Digital World
45% of online households reported that privacy or security
concerns stopped them from:*
• Conducting financial transactions;
• Buying goods or services;
• Posting on social networks; or
• Expressing opinions on controversial or political issues via the Internet.
*July 2015 data collected for NTIA at https://www.ntia.doc.gov/blog/2016/first-look-internet-use-2015

Primary Federal Driver
OMB July 2016 update to Circular A-130 clarified that:
• Agencies’ obligations with respect to managing privacy risk and
information resources extends beyond compliance with privacy
laws, regulations, and policies
• Agencies must apply the NIST Risk Management Framework in
their privacy programs

NISTIR 8062
An Introduction to Privacy Engineering and
Risk Management in Federal Systems

NIST Risk Management Framework
Security Life Cycle
SP 800-30
SP 800-37
SP 800-39
SP 800-53A
ASSESS
Security Controls
FIPS 199/SP 800-60
CATEGORIZE
Information System
Starting Point
SP 800-137/SP 800-53A
MONITOR
Security State
SP 800-37
AUTHORIZE
Information System
IMPLEMENT
Security Controls
FIPS 200/SP 800-53
SELECT
Security Controls
Many SPs

Risk is a function of:
• Likelihood of occurrence of adverse event
• Impact from the occurrence
Risk Analysis

Information Security and Privacy:
Boundaries and Overlap

Processing PII Can Create Problems for
Individuals

NIST Special Publication 800-30
Risk Assessment Components

Risk Model
Risk models define the
risk factors to be assessed
and the relationships
among those factors.
Risk factors are
inputs to
determining levels
of risk.

Risk factors:
Likelihood |Vulnerability | Threat | Impact
Security Risk Model

NIST Working Model for System Privacy Risk
Privacy Risk Factors: Likelihood |Problematic Data Action |Impact
Likelihood is a contextual
analysis that a data action is
likely to create a problem for a
representative set of individuals
Note: Contextual analysis is based on the data action performed by the system, the
PII being processed, and a set of contextual considerations
Impact is an analysis of the costs
should the problem occur

Discussion for the Breakouts
• How can organizations effectively do risk assessments for
privacy?
• Does a risk model for privacy differ from other risk models?
• What should be the factors for analysis?

What Should NIST Do Next?
• Which (if any) security-focused RMF documents require
privacy parallels or additions?
• What other tools are needed for organizations to effectively
do privacy risk management?
• What should be the prioritization?

NIST Privacy Risk Assessment
Methodology (PRAM)
Frame
Business
Objectives
Frame Org
Privacy
Governance
Assess
System
Design
Assess
Privacy Risk
Select
Privacy
Controls
Monitor
Change

Since Syncsort's acquisition of security products from Cilasoft, Enforcive, Townsend Security and Trader's - we've been working hard to blend best-of-breed technology and create a powerful, integrated solution. We're happy to announce that the wait is almost over! In just a few short weeks, Syncsort will announce the first release of this new security solution. We want partners like you on-board with all the latest information on how this great new product will meet your customers' needs to: • Identify security vulnerabilities • Pass audits for industry, state or governmental security regulations • Detect and report on compliance deviations and security incidents • Lock down access to systems and databases • Ensure the privacy of sensitive data - both at rest and in motion

Cloud Cybersecurity: Strategies for Managing Vendor Risk

Health Catalyst

As more organizations shift away from on-premise architectures toward the cloud or hybrid hosting models, critical cybersecurity concerns emerge. Organizations, especially health systems, should carefully examine the shared responsibility model in partnership with their cloud vendor. Kevin Scharnhorst, Health Catalyst Chief Information Security Officer, shares perspectives on how your organization’s security program, through adherence to standards-based policy and procedures, can align with your cloud vendor on reduced organizational risk.

Final presentation january iia cybersecurity securing your 2016 audit plan

Cameron Forbes Over

Final presentation january iia cybersecurity securing your 2016 audit plan

Cameron Forbes Over

mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...

Levi Shapiro

Presentation by Mary Alice Annecharico, former CIO, Henry Ford Health System: Cyber Risk in Healthcare. Some of the issues discussed include Building a Culture of Confidentiality, Executive leadership engagement, Board of Director sponsorship, Institutional Stressors that encircle all cyber-risk issues, the Clinical mission, CMS cuts, Revenue downturns, budget cuts, availability of funding for priorities. Assessing and Managing Cyber-risk, etc.

Risk Management Approach to Cyber Security

Ernest Staats

Resume: The Complete Guide to Cybersecurity Risks and Controls

Rd. R. Agung Trimanda

Risk Based Security and Self Protection Powerpoint

randalje86

Don’t you wish you had the right culture, resources and best practices to protect customer information and effectively respond when incidents occur? Increasing risk of financial and healthcare data breaches and fines, coupled with the complexities of complying with a patchwork of state and federal laws, is fueling the need for strong leadership, collaboration, innovative thinking and tools for incident response management. In this web conference, CNO Financial Group Chief Privacy Officer Lisa Copp and Henry Ford Health System Chief Information Privacy and Security Officer Meredith Phillips, describe their governance structure as well as insights and risk-based practices that have made them successful in establishing a culture of compliance and strong collaboration among security and privacy teams. To view the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/privacy-and-security-teamwork-required-to-tackle-incident-response/r-general

2015 IA survey - Protiviti

Simone Luca Giargia

IT Risk assessment and Audit Planning

goreankush1

Overcoming Hidden Risks in a Shared Security Model

OnRamp

Risk management, compliance, and security are a shared burden between your organization and your vendors. Standards such as NIST (Publication 500-292) and regulations like HIPAA and PCI-DSS provide considerations for compliance and security but do not account for the nuances of your unique business or your infrastructure. Guidelines are written as though one party is responsible for compliance and security, but you rely on multiple vendors. Outsourcing can lead to ambiguous delegation of compliance responsibilities, lack of data governance and security practices, and difficulty in achieving data protection—ultimately risking non-compliance and leaving your infrastructure vulnerable. Join our expert panel as they share insights into closing the gap on who’s responsible for what in data security and best practices for improving your security posture. Takeaways: Who owns the responsibility of compliance and security? How to find and mitigate hidden risks in a 3rd party ecosystem How to map your requirements to owners, policies, and controls Expert recommendations for PCI, HIPAA, FERPA, FISMA and more.

Ch 3a: Risk Management Concepts

Sam Bowne

Security metrics

PRAYAGRAJ11

Broadening Your Cybersecurity Mindset

CSI Solutions

IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE

360 BSI

Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information? Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units? With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to? The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission. Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks. BENEFITS OF ATTENDING THIS WORKSHOP Identify common IT project risks Learn how to assess threats and vulnerabilities to create a risk response strategy Understand what qualifies as risk with IT projects Understand the most common IT risk sources Qualify and quantify IT risks Learn the difference between negative and positive IT risks Develop an IT risk management plan Plan risk response methods for IT risks Create risk mitigation and contingency plans Monitor and control project risks Overcome resistance from stakeholders and team members WHO SHOULD ATTEND THIS WORKSHOP IT risk managers IT security managers Compliance officers Program and project managers IT project managers IT operation manager Contact Kris at kris@360bsi.com to register.

EDUCAUSE_SEC10_Apr2010_Fed_Seminar_Final.ppt

PreethamS41

Role of The Board In IT Governance & Cyber Security-Steve Howse

CGTI

Cybersecurity: How To Protect Your Law Firm Data

Rocket Matter, LLC

Data security, privacy protection, and information governance are inextricably linked to the attorney-client relationship. Lawyers must overcome their aversion to technology and understand that protecting data is not just the IT department’s responsibility, but theirs as well, as lawyers are stewards of their own, their clients’, and their firms’ data. Learn insights and tips on how to better understand the data security environment from a lawyers’ perspective and how you can best communicate to clients the need for secure information governance. You’ll be prepared to answer the following questions that are being asked by corporate counsel and other prospective clients: Is your firm positioned to handle my data securely? What are your firm’s protocols?

How to Make Your Enterprise Cyber Resilient

Accenture Operations

Banks and other financial services firms need to recognize the threats of cyber risk in a different way. Many have put in place thick walls to protect themselves. But firms cannot be protected at all times from a cyber-related incident. So putting in place structures, technologies and processes to ensure resilience—or fast recovery—is as much or more important than simply putting more locks on the doors or building stronger walls. See www.accenture.com/CyberRisk for more.

Cyber Attack Survival

Skoda Minotti

How can i find my security blind spots ulf mattsson - aug 2016

Ulf Mattsson

Security Blind Spots We need to automatically detect and report on security blind spots, including Sensitive Data that was not found in our initial Discovery and failures of deployed security control systems. Without formal and automated processes to detect and alert to new data discovery findings and critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data. This can also impact our real compliance posture.

CNIT 160 3a Information Risk Management

Sam Bowne

Complying with Cybersecurity Regulations for IBM i Servers and Data

Precisely

Multiple security regulations became effective across the globe in 2018, most notably the European Union’s General Data Protection Regulation (GDPR), and additional regulations are on their heels. The California Consumer Privacy Act, with its GDPR-like requirements, is just one of the regulations that requires planning and preparation today. If you need to implement security policies for IBM i systems and data that will meet today’s compliance requirements and prepare you for those that are on the way, this webinar will help you get on the right track.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Similar to nist_privacy_risk_workshop_6.5.17.pptx

Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx

AkramAlqadasi1

Enabling Science with Trust and Security – Guest Keynote

Globus

Trust, Context and, Regulation: Achieving More Explainable AI in Financial Se...

Databricks

New Ohio Cybersecurity Law Requirements

Skoda Minotti

Privacy and Security: Teamwork Required to Tackle Incident Response

ID Experts

2015 IA survey - Protiviti

Simone Luca Giargia

IT Risk assessment and Audit Planning

goreankush1

Overcoming Hidden Risks in a Shared Security Model

OnRamp

Ch 3a: Risk Management Concepts

Sam Bowne

Security metrics

PRAYAGRAJ11

Broadening Your Cybersecurity Mindset

CSI Solutions

IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE

360 BSI

EDUCAUSE_SEC10_Apr2010_Fed_Seminar_Final.ppt

PreethamS41

Role of The Board In IT Governance & Cyber Security-Steve Howse

CGTI

Cybersecurity: How To Protect Your Law Firm Data

Rocket Matter, LLC

How to Make Your Enterprise Cyber Resilient

Accenture Operations

Cyber Attack Survival

Skoda Minotti

How can i find my security blind spots ulf mattsson - aug 2016

Ulf Mattsson

CNIT 160 3a Information Risk Management

Sam Bowne

Complying with Cybersecurity Regulations for IBM i Servers and Data

Precisely

Similar to nist_privacy_risk_workshop_6.5.17.pptx (20)

Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx

Enabling Science with Trust and Security – Guest Keynote

Trust, Context and, Regulation: Achieving More Explainable AI in Financial Se...

New Ohio Cybersecurity Law Requirements

Privacy and Security: Teamwork Required to Tackle Incident Response

2015 IA survey - Protiviti

IT Risk assessment and Audit Planning

Overcoming Hidden Risks in a Shared Security Model

Ch 3a: Risk Management Concepts

Security metrics

Broadening Your Cybersecurity Mindset

IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE

EDUCAUSE_SEC10_Apr2010_Fed_Seminar_Final.ppt

Role of The Board In IT Governance & Cyber Security-Steve Howse

Cybersecurity: How To Protect Your Law Firm Data

How to Make Your Enterprise Cyber Resilient

Cyber Attack Survival

How can i find my security blind spots ulf mattsson - aug 2016

CNIT 160 3a Information Risk Management

Complying with Cybersecurity Regulations for IBM i Servers and Data

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

UiPath Community Day Dubai: AI at Work..

UiPathCommunity

Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking. 📕 Curious on our agenda? Wait no more! 10:00 Welcome note - UiPath Community in Dubai Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank 10:20 A UiPath cross-region MEA overview Ashraf El Zarka, VP and Managing Director MEA, UiPath 10:35: Customer Success Journey Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank 11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more Boris Krumrey, Global VP, Automation Innovation, UiPath 12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services. Brendan Lingam, Director of Sales and Business Development, Marc Ellis

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Accelerate your Kubernetes clusters with Varnish Caching

Thijs Feryn

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Assure Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™

UiPathCommunity

In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni. 📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath: Autopilot per Studio Web Autopilot per Studio Autopilot per Apps Clipboard AI GenAI applicata alla Document Understanding 👨‍🏫👨‍💻 Speakers: Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath Andrei Tasca, RPA Solutions Team Lead @NTT Data

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

Free Complete Python - A step towards Data Science

RinaMondal9

Enhancing Performance with Globus and the Science DMZ

Globus

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

UiPath Community Day Dubai: AI at Work..

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

Accelerate your Kubernetes clusters with Varnish Caching

By Design, not by Accident - Agile Venture Bolzano 2024

Elevating Tactical DDD Patterns Through Object Calisthenics

Assure Contact Center Experiences for Your Customers With ThousandEyes

Leading Change strategies and insights for effective change management pdf 1.pdf

Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™

Epistemic Interaction - tuning interfaces to provide information for AI support

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Pushing the limits of ePRTC: 100ns holdover for 100 days

Free Complete Python - A step towards Data Science

Enhancing Performance with Globus and the Science DMZ

UiPath Test Automation using UiPath Test Suite series, part 4

Essentials of Automations: The Art of Triggers and Actions in FME

nist_privacy_risk_workshop_6.5.17.pptx

1. Privacy Risk Assessments: A Prerequisite to Privacy Risk Management

2. Trustworthy Systems: Foundational to a Digital Society What makes systems trustworthy? • Multiple attributes of trustworthiness include security, safety, reliability, etc. • Privacy must be considered one of the attributes How can we know if systems are trustworthy? • Repeatable and measurable approaches help provide a sufficient base of evidence • Privacy needs a body of guidance for repeatable and measurable approaches similar to other attributes of trustworthiness

3. Friction in Our Digital World 45% of online households reported that privacy or security concerns stopped them from:* • Conducting financial transactions; • Buying goods or services; • Posting on social networks; or • Expressing opinions on controversial or political issues via the Internet. *July 2015 data collected for NTIA at https://www.ntia.doc.gov/blog/2016/first-look-internet-use-2015

4. Primary Federal Driver OMB July 2016 update to Circular A-130 clarified that: • Agencies’ obligations with respect to managing privacy risk and information resources extends beyond compliance with privacy laws, regulations, and policies • Agencies must apply the NIST Risk Management Framework in their privacy programs

5. NISTIR 8062 An Introduction to Privacy Engineering and Risk Management in Federal Systems

6. NIST Risk Management Framework Security Life Cycle SP 800-30 SP 800-37 SP 800-39 SP 800-53A ASSESS Security Controls FIPS 199/SP 800-60 CATEGORIZE Information System Starting Point SP 800-137/SP 800-53A MONITOR Security State SP 800-37 AUTHORIZE Information System IMPLEMENT Security Controls FIPS 200/SP 800-53 SELECT Security Controls Many SPs

7. What is privacy risk?

8. Risk is a function of: • Likelihood of occurrence of adverse event • Impact from the occurrence Risk Analysis

9. Information Security and Privacy: Boundaries and Overlap

10. Processing PII Can Create Problems for Individuals

11. NIST Special Publication 800-30 Risk Assessment Components

12. Risk Model Risk models define the risk factors to be assessed and the relationships among those factors. Risk factors are inputs to determining levels of risk.

13. Risk factors: Likelihood |Vulnerability | Threat | Impact Security Risk Model

14. NIST Working Model for System Privacy Risk Privacy Risk Factors: Likelihood |Problematic Data Action |Impact Likelihood is a contextual analysis that a data action is likely to create a problem for a representative set of individuals Note: Contextual analysis is based on the data action performed by the system, the PII being processed, and a set of contextual considerations Impact is an analysis of the costs should the problem occur

15. Discussion for the Breakouts • How can organizations effectively do risk assessments for privacy? • Does a risk model for privacy differ from other risk models? • What should be the factors for analysis?

16. Guidance Roadmap

17. What Should NIST Do Next? • Which (if any) security-focused RMF documents require privacy parallels or additions? • What other tools are needed for organizations to effectively do privacy risk management? • What should be the prioritization?

18. NIST Privacy Risk Assessment Methodology (PRAM) Frame Business Objectives Frame Org Privacy Governance Assess System Design Assess Privacy Risk Select Privacy Controls Monitor Change

nist_privacy_risk_workshop_6.5.17.pptx

Recommended

Recommended

More Related Content

Similar to nist_privacy_risk_workshop_6.5.17.pptx

Similar to nist_privacy_risk_workshop_6.5.17.pptx (20)

Recently uploaded

Recently uploaded (20)

nist_privacy_risk_workshop_6.5.17.pptx