IT BREAKOUT: A HOLISTIC APPROACH TO DATA GOVERNANCE

Kathleen Crook, Senior Consultant, Privacy Risk Group

MAY 2019



DATA PRIVACY - IT BREAKOUT


Compliance and privacy are perhaps fraternal twins, whereas security is their cousin.

A Holistic Approach to Data Governance

NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems


DATA PRIVACY - IT BREAKOUT: DATA PRIVACY GOVERNANCE

Privacy trends toward enforcement are leading organizations to take a serious path towards data governance.

The U.S. Department of Commerce, National Institute of Standards and Technology (NIST), provides guidance on how to implement a holistic approach to security and privacy governance:

• NIST SP 800-53 Rev 5

• NIST Privacy Framework



DATA PRIVACY - IT BREAKOUT: PRIVACY CONTROLS NIST 800-53 REV 5

The Rev 5 Control Rationale

• OMB updated Circular A-130, “Managing Information as a Strategic Resource,” in 2016 to provide a coordinated approach to identifying and managing security and privacy risks.

• NIST revised SP 800-53 Rev 4 into draft Rev 5, “Security and Privacy Controls for Information Systems and Organizations,” to ensure consistency with OMB’s coordinated approach.

• NIST reorganized the control families to address security and privacy from both a functionality and an assurance perspective.

• NIST wants to facilitate collaboration with the systems engineering and acquisition communities by providing an adaptable structure and content in security and privacy controls that can be used by systems and product developers, systems integrators, procurement officials, and information security personnel.


The Major Changes in Rev 5

• Making the security and privacy controls more outcome-based by changing the structure of the controls

• Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations

• Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks

• Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.


Incident Response Controls: Implementing the Controls within your Organizational Structure

Examples:

• IR-1 – Incident Response Policy and Procedures

• IR-8 – Incident Response Plan


Rev 5 Incident Response (IR) Control Table

SEE HANDOUT: Draft NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, Appendix E, Table E-9: Incident Response Family (page 339).

Column key: P = privacy-related control; Implemented by O = organization; A = assurance control; X = included in the Low, Moderate, or High control baseline. No control in this excerpt is marked Withdrawn. The excerpt ends at IR-9; see the handout for the rest of the family.

CONTROL   CONTROL NAME / CONTROL ENHANCEMENT NAME            PRIVACY  IMPLEMENTED  ASSURANCE  LOW  MOD  HIGH
NUMBER                                                       RELATED  BY
IR-1      Incident Response Policy and Procedures            P        O            A          X    X    X
IR-2      Incident Response Training                         P        O            A          X    X    X
IR-2(1)   SIMULATED EVENTS                                   P        O            A                    X
IR-2(2)   AUTOMATED TRAINING ENVIRONMENTS                    P        O            A                    X
IR-3      Incident Response Testing                          P        O            A               X    X
IR-3(2)   COORDINATION WITH RELATED PLANS                    P        O            A               X    X
IR-3(3)   CONTINUOUS IMPROVEMENT                                      O            A
IR-4      Incident Handling                                  P        O                       X    X    X
IR-5      Incident Monitoring                                P        O            A          X    X    X
IR-5(1)   AUTOMATED TRACKING, DATA COLLECTION, ANALYSIS      P        O            A                    X
IR-6      Incident Reporting                                 P        O                       X    X    X
IR-6(1)   AUTOMATED REPORTING                                         O                            X    X
IR-6(2)   VULNERABILITIES RELATED TO INCIDENTS                        O
IR-6(3)   SUPPLY CHAIN COORDINATION                                   O                            X    X
IR-7      Incident Response Assistance                       P        O                       X    X    X
IR-7(2)   COORDINATION WITH EXTERNAL PROVIDERS                        O
IR-8      Incident Response Plan                             P        O                       X    X    X
IR-8(1)   PERSONALLY IDENTIFIABLE INFORMATION PROCESSES      P        O
IR-9      Information Spillage Response                      P        O


IR-1: Incident Response Policy and Procedures

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:

1. An incident response policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and

2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;

b. Designate an [Assignment: organization-defined senior management official] to manage the incident response policy and procedures;

c. Review and update the current incident response: 1. Policy [Assignment: organization-defined frequency]; and 2. Procedures [Assignment: organization-defined frequency];

d. Ensure that the incident response procedures implement the incident response policy and controls; and

e. Develop, document, and implement remediation actions for violations of the incident response policy.

RELATED CONTROLS: PM-9, PS-8, SI-12


IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES: RELATED CONTROLS AND IMPLEMENTATION GUIDANCE

PM-9, Risk Management Strategy: Policies and procedures should include a risk management strategy to assist in framing how to handle incident response within the organizational structure.

PS-8, Personnel Sanctions: Policies and procedures should include personnel sanctions for violations.

SI-12, Information Management and Retention: Policies and procedures should address information lifecycle management and retention practices to reduce possible harm following an incident.


IR-8: Incident Response Plan

a. Develop an incident response plan that:
   1. Provides the organization with a roadmap for implementing its incident response capability;
   2. Describes the structure and organization of the incident response capability;
   3. Provides a high-level approach for how the incident response capability fits into the overall organization;
   4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
   5. Defines reportable incidents;
   6. Provides metrics for measuring the incident response capability within the organization;
   7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
   8. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
   9. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].

b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];

c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;

d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and

e. Protect the incident response plan from unauthorized disclosure and modification.

Related Controls: AC-2, CP-2, CP-4, IR-4, IR-7, IR-9, PE-6, PL-2, SA-12, SA-15, SI-12


IR-8: INCIDENT RESPONSE PLAN: RELATED CONTROLS AND IMPLEMENTATION GUIDANCE

CP-2, Contingency Plan: The incident response plan must take a coordinated approach that includes the contingency plan.

CP-4, Contingency Plan Testing: The overall incident response plan includes contingency plan testing.

IR-4, Incident Handling (the slide labels this control "Privacy Notice"; in the Rev 5 IR control table, IR-4 is Incident Handling): Privacy notices should mention the incident response plan the organization has in place.

IR-7, Incident Response Assistance: The incident response plan defines how incident response assistance resources are utilized.

PL-2, Security and Privacy Plans: The incident response plan must be consistent with the organization’s security and privacy plans and requirements.

SI-12, Information Management and Retention: The incident response plan must take into account the organization’s data retention policies on how and what to safeguard during an incident.


OPEN DISCUSSION

THOUGHTS? QUESTIONS? CONCERNS?
