OASIS Mailing List Archives

pbd-se message


Subject: RE: [pbd-se] Ad Hoc Meeting to Discuss Comments on NISTIR 8062

I tried to join but I’m just hearing music… Do I have the wrong conference info?


Best regards




From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On Behalf Of Gail Magnuson
Sent: Tuesday, June 16, 2015 3:04 PM
To: Grow, Richard C.(Technatomy)
Cc: pbd-se@lists.oasis-open.org
Subject: Re: [pbd-se] Ad Hoc Meeting to Discuss Comments on NISTIR 8062


Hi, Is there a call now? I am on Gershon's line, but there is no one there.


Best, Gail


On Thu, Jun 11, 2015 at 8:24 AM, Grow, Richard C.(Technatomy) <Richard.Grow@va.gov> wrote:

Hi All,


As mentioned on Wednesday’s PbD TC meeting, we will be holding an initial ad hoc meeting next Tuesday, June 16 at 10 a.m. EDT to discuss comments that the PMRM and PbD TCs would like to submit to NIST regarding its draft report NISTIR 8062, Privacy Risk Management for Federal Information Systems. The phone information for this ad hoc meeting will be sent out soon.


Here is a link to the NIST announcement on the public comment period for this report: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8062.


Please review the attached document (NISTIR 8062), use the attached matrix to add comments, and be prepared to discuss responses to the comments at the meeting.


NIST specifically wants responses to the following questions:


Privacy Risk Management Framework:

1. Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy?

2. Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel?

3. Are there any gaps in the framework?


Privacy Engineering Objectives:

1. Do these objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies’ privacy goals and requirements?

2. Are there properties or capabilities that systems should have that these objectives do not cover?


Privacy Risk Model:

1. Does the equation seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks?

2. Can data actions be evaluated as the document proposes?

3. Is the approach of identifying and assessing problematic data actions usable and actionable?

4. Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?

5. The NISTIR describes the difficulty of assessing the impact of problematic data actions on individuals alone, and incorporates organizational impact into the risk assessment. Is this appropriate or should impact be assessed for individuals alone? If so, what would be the factors in such an assessment?


We will have a second ad hoc meeting on the following Tuesday, June 23 to hold further discussions and finalize the comments before the comment submission deadline of Monday, July 13 at 5 p.m. EDT.




Rick Grow

Veterans Health Administration






Gail Ann Magnuson
Mobile: 1.704.232.5648
Residence: Ponce Inlet, FL

Mailing Address
4624 Harbour Village Boulevard #4406
Ponce Inlet, FL 32127

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.