
An Introduction to Privacy Engineering and Risk …

NISTIR 8062
An Introduction to Privacy Engineering and Risk Management in Federal Systems

Sean Brooks, Michael Garcia, Naomi Lefkovitz, Suzanne Lightman, Ellen Nadeau
Information Technology Laboratory

This publication is available free of charge from:

January 2017

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Under Secretary of Commerce for Standards and Technology and Director

National Institute of Standards and Technology Internal Report 8062
49 pages (January 2017)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.


Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Applied Cybersecurity Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 2000) Gaithersburg, MD 20899-2000
Email:

All comments are subject to release under the Freedom of Information Act (FOIA).

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure.

ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal systems.

Abstract

This document provides an introduction to the concepts of privacy engineering and risk management for federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems, and the effective implementation of privacy principles. This publication introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model.

Keywords

Computer security; cybersecurity; information security; privacy; risk management; systems engineering

Acknowledgements

The authors wish to thank the following individuals for participating in the preparation of this document: Jeremy Berkowitz, James Dever, Simson Garfinkel, Meredith Jankowski, and Colin Soutar. They'd also like to recognize Kelley Dempsey, Marc Groman, Mat Heyman, Kat Megas, Rebecca Richards, and Ron Ross for their role in the review process. The authors are particularly grateful to Simson Garfinkel, who was so generous with his time and thoughtful feedback. A special note of thanks goes to Kaitlin Boeckl, who developed the graphics found herein. And finally, in developing the privacy risk model, the authors greatly appreciate the insights from the pilot programs funded by NIST pursuant to the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Executive Summary

NIST research in information technology, including cybersecurity, cloud computing, big data, and the Smart Grid and other cyber-physical systems, aims to improve the innovation and competitiveness that bring great advancements to national and economic security and quality of life. Much of this research pertains to the trustworthiness of these information technologies and the systems in which they are incorporated. Given concerns about how information technologies may affect privacy at individual and societal levels, the purpose of this publication is to provide an introduction to how systems engineering and risk management could be used to develop more trustworthy systems that include privacy as an integral attribute.

In addition, the Office of Management and Budget's recent update to Circular No. A-130 includes a new emphasis on managing privacy risk. Federal agencies will need guidance on repeatable and measurable approaches to bridge the distance between privacy principles and their effective implementation in systems. Extensive guidance already exists for information security. In developing an engineering approach to privacy, it is important to understand the relationship, and particularly the distinctions, between information security and privacy. Doing so will improve understanding of how to apply established systems engineering and risk management processes to addressing privacy concerns. Although unauthorized access to personally identifiable information (PII) is a subset of information security and a critical aspect of privacy, there is a far less developed understanding of how to identify and address the risks to individuals' privacy that extend beyond unauthorized access to PII.

For purposes of this publication, privacy engineering means a specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII. This definition provides a frame of reference for identifying a privacy-positive outcome for federal systems and a basis for privacy risk analysis that has been lacking in the privacy field. To support agencies' ability to conduct privacy engineering, this publication introduces a set of privacy engineering objectives (predictability, manageability, and disassociability) to help system engineers focus on the types of capabilities the system needs in order to demonstrate how an agency's privacy policies and system privacy requirements have been implemented.

In addition, this report introduces a privacy risk model to enable agencies to conduct more consistent privacy risk assessments based on the likelihood that an operation performed by a system would create a problem for individuals when processing PII (a problematic data action) and the impact of the problematic data action should it occur. This report concludes with a general roadmap for evolving these preliminary concepts into actionable guidance, complementary to existing NIST guidance for information security risk management, so that agencies may more effectively meet their obligations under Circular A-130 and other relevant policies.

Table of Contents

Executive Summary
1 Introduction
    Purpose and
    Audience
    Organization of this
2 An Engineering Approach to
    The Relationship Between Information Security and
    Privacy Problems and
    Defining Privacy Engineering
    The Applicability of Systems Engineering
    The Utility of Risk
3 Components for Privacy Engineering in Federal Systems
    Introducing Privacy Engineering
    Privacy Engineering Objectives and the FIPPs
    Manageability
    Introducing a Privacy Risk Model
    Privacy Risk
    Risk Characteristics
    Data
4 Roadmap for Federal Guidance for Privacy Engineering and Risk Management

List of Appendices

Appendix A: NIST Development
Appendix B:
Appendix C:
Appendix D: References

