US government agencies face a number of challenges in data privacy and cybersecurity. For example, government use of “smart city” technology is on the rise across the country, raising public concern about the vulnerability of such technology and the risks to individual privacy. Federal information technology (IT) systems are also seeing a significant increase in cyberattacks; news recently broke of a massive hack into US government systems that may have exposed the personal information of up to 4 million current and former federal employees.
Just days before the recent breach, the National Institute of Standards and Technology (NIST) issued a draft privacy risk management framework for federal IT systems. Although NIST has already developed a framework for improving cybersecurity, this new framework takes a step toward addressing the privacy risks for individuals resulting from federal agencies’ use of technologies and services that generate, collect, process, and/or store personal data, such as smart grid technology.
These new NIST guidelines make an important distinction between external threats to IT systems and the risks inherent in the operations of the systems themselves.
Highlights of the NIST Framework
The purpose of the NIST guidelines is to introduce “a privacy risk management framework (PRMF) for anticipating and addressing privacy risk that results from the processing of personal information” in federal IT systems. NIST points out that privacy challenges are “cross-organizational,” and a sound approach to addressing such challenges requires a common language for all organizational positions involved in the process of evaluating and managing privacy risk in IT systems.
According to NIST, the PRMF enables a government agency to “identify its goals and obligations for privacy protection, assess its systems against these governing requirements, prioritize mitigation mechanisms, and monitor for changes.” The PRMF builds on existing risk frameworks and is composed of the following six processes:
- Framing business objectives
- Framing organizational privacy governance
- Assessing system design
- Assessing privacy risk
- Designing privacy controls
- Monitoring change
The Privacy Risk Model—Operations vs. Vulnerabilities
A key component of the PRMF is the privacy risk model. NIST distinguishes privacy risk from security risk: beyond the unauthorized access to and disclosure of personal information that a security breach may cause, “the adverse outcomes, or problems for individuals, can arise from the operations of the system itself, regardless of external factors.”
With this focus on a system’s operations, NIST defines a system’s privacy risk to individuals as “a function of the likelihood that a data action (a system operation processing personal information) causes problems for individuals, and the impact of the problematic data action should it occur.”
The NIST guidelines go into greater detail about what a “data action” means in this context and how organizations can measure the “likelihood” and “impact” of such actions. Using this model and the other inputs to the broader privacy risk management framework, NIST aims to help federal agencies evaluate, prioritize, manage, and mitigate privacy risks in the design and operation of systems, just as agencies have begun to learn how to assess and manage external security risks to those systems.
Although directed at federal agencies, the PRMF is a useful tool for many organizations. The full draft can be accessed here. The public comment period closes on July 13.