
Subject: RE: [pbd-se] Seeking Additional Comments on the NIST Draft NISTR - MHDavis

Thanks John (all),

Gail sent a great write up, and I like her input format, so I used that for my enclosed inputs.

RE: Introduction, our view of the privacy state, the need for “your pet thing” and overall comments section, then answer each of the specific questions…

(Seems it will make your consolidation of inputs easier too)

I of course do reserve the right to change my views / update the key point that the group may want to use as I see the other inputs.. AND I get corrected where needed…;-))

(BTW.. I sent a previous email input, this is an updated version.. and I tend to be ‘high-level’ focused, so there is a LOT of that to start… 2.5 pages…. and as a SysEngr at heart, I’m quite process centric, so…)

Cyber security is serious business for us all – so ACT accordingly!

From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On Behalf Of John Sabo
Sent: Thursday, June 18, 2015 9:59 AM
To: pmrm@lists.oasis-open.org; pbd-se@lists.oasis-open.org
Subject: [pbd-se] Seeking Additional Comments on the NIST Draft NISTR by Friday June 19

PMRM and PbD-SE TC Members,

As you know we are looking for input in order to develop comments on the draft NIST document, "Privacy Risk Management for Federal Information Systems" (NISTR 8062 DRAFT).

Rick Grow of VHA will not be able to coordinate compilation of comments because of his workload, but we appreciate Rick's help in bringing this to our attention and with last week's special meeting.

I will try to put together the compilation in advance of our 10AM EDT June 23 special meeting, so if you have any written comments on the draft, please email them to the list by COB Friday, and I'll put together a discussion document in advance of the meeting.

As a reminder, here is the overview of the review we are doing:

NIST has issued a call for comments on draft report NISTIR 8062, Privacy Risk Management for Federal Information Systems, which introduces a privacy risk management framework for anticipating and addressing risks to individuals’ privacy. Specifically, NIST is requesting public comments on this draft to gather further input on the proposed privacy risk management framework, and expects to publish a final report based on this additional feedback. The deadline to submit comments is Monday, July 13. Here is a link to the announcement: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8062.


NIST specifically wants responses to the following questions:

• Privacy Risk Management Framework:
1. Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy?
2. Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel?
3. Are there any gaps in the framework?

• Privacy Engineering Objectives:
1. Do these objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies’ privacy goals and requirements?
2. Are there properties or capabilities that systems should have that these objectives do not cover?

• Privacy Risk Model:
1. Does the equation seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks?
2. Can data actions be evaluated as the document proposes?
3. Is the approach of identifying and assessing problematic data actions usable and actionable?
4. Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?
5. The NISTIR describes the difficulty of assessing the impact of problematic data actions on individuals alone, and incorporates organizational impact into the risk assessment. Is this appropriate or should impact be assessed for individuals alone? If so, what would be the factors in such an assessment?

John Sabo, CISSP
Chair, OASIS IDtrust Member Section


Attachment: NIST Risk Assessment Overall Observations by Mike Davis 18 June.docx
Description: application/vnd.openxmlformats-officedocument.wordprocessingml.document