TRANSCRIPT
IT BREAKOUT: A HOLISTIC APPROACH TO DATA GOVERNANCE
Kathleen Crook, Senior Consultant, Privacy Risk Group
MAY 2019
DATA PRIVACY - IT BREAKOUT
9Booz Allen Hamilton
Compliance and privacy are perhaps fraternal twins, whereas security is their cousin.
A Holistic Approach to Data Governance
NIST 8062
DATA PRIVACY - IT BREAKOUT: DATA PRIVACY GOVERNANCE
Privacy trends toward enforcement are leading organizations to take a serious path towards data governance.
The U.S. Department of Commerce, National Institute of Standards and Technology (NIST), provides guidance on how to implement a holistic approach to security and privacy governance:
• NIST 800-53 Rev 5
• NIST Privacy Framework
DATA PRIVACY - IT BREAKOUT: PRIVACY CONTROLS NIST 800-53 REV 5
The Rev 5 Control Rationale
• OMB updated Circular A-130, “Managing Information as a Strategic Resource,” in 2016 to provide a coordinated approach to identifying and managing security and privacy risks.
• NIST revised SP 800-53 Rev 4 (now draft Rev 5), “Security and Privacy Controls for Information Systems and Organizations,” to ensure consistency with OMB’s coordinated approach.
• NIST reorganized the control families to address security and privacy from both a functionality and an assurance perspective.
• NIST wants to facilitate collaboration with the systems engineering and acquisition communities by providing an adaptable structure and content for security and privacy controls that can be used by systems and product developers, systems integrators, procurement officials, and information security personnel.
The Major Changes in Rev 5
• Making the security and privacy controls more outcome-based by changing the structure of the controls
• Fully integrating the privacy controls into the security control catalog, creating a consolidated and unified set of controls for information systems and organizations
• Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks
• Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.
Incident Response Controls: Implementing the Controls within your Organizational Structure
Examples:
• IR-1 – Incident Response Policy and Procedures
• IR-8 – Incident Response Plan
Rev 5 Incident Response (IR) Control Table
SEE HANDOUT: Draft NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, Table E-9: Incident Response Family (Appendix E, page 339).

Key: P = privacy-related; O = implemented by the organization; A = assurance control; X = included in the Low / Moderate / High control baseline. The Withdrawn column is empty for every row shown.

Control  | Control Name / Control Enhancement Name              | Privacy Related | Implemented By | Assurance | Low | Mod | High
IR-1     | Incident Response Policy and Procedures              | P               | O              | A         | X   | X   | X
IR-2     | Incident Response Training                           | P               | O              | A         | X   | X   | X
IR-2(1)  | SIMULATED EVENTS                                     | P               | O              | A         |     |     | X
IR-2(2)  | AUTOMATED TRAINING ENVIRONMENTS                      | P               | O              | A         |     |     | X
IR-3     | Incident Response Testing                            | P               | O              | A         |     | X   | X
IR-3(2)  | COORDINATION WITH RELATED PLANS                      | P               | O              | A         |     | X   | X
IR-3(3)  | CONTINUOUS IMPROVEMENT                               |                 | O              | A         |     |     |
IR-4     | Incident Handling                                    | P               | O              |           | X   | X   | X
IR-5     | Incident Monitoring                                  | P               | O              | A         | X   | X   | X
IR-5(1)  | AUTOMATED TRACKING, DATA COLLECTION, ANALYSIS        | P               | O              | A         |     |     | X
IR-6     | Incident Reporting                                   | P               | O              |           | X   | X   | X
IR-6(1)  | AUTOMATED REPORTING                                  |                 | O              |           |     | X   | X
IR-6(2)  | VULNERABILITIES RELATED TO INCIDENTS                 |                 | O              |           |     |     |
IR-6(3)  | SUPPLY CHAIN COORDINATION                            |                 | O              |           |     | X   | X
IR-7     | Incident Response Assistance                         | P               | O              |           | X   | X   | X
IR-7(2)  | COORDINATION WITH EXTERNAL PROVIDERS                 |                 | O              |           |     |     |
IR-8     | Incident Response Plan                               | P               | O              |           | X   | X   | X
IR-8(1)  | PERSONALLY IDENTIFIABLE INFORMATION PROCESSES        | P               | O              |           |     |     |
IR-9     | Information Spillage Response                        | P               | O              |           |     |     |
IR-1: Incident Response Policies and Procedures
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
   1. An incident response policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      (b) Is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
b. Designate an [Assignment: organization-defined senior management official] to manage the incident response policy and procedures;
c. Review and update the current incident response:
   1. Policy [Assignment: organization-defined frequency]; and
   2. Procedures [Assignment: organization-defined frequency];
d. Ensure that the incident response procedures implement the incident response policy and controls; and
e. Develop, document, and implement remediation actions for violations of the incident response policy.
Related Controls: PM-9, PS-8, SI-12
IR-1: Incident Response Policy and Procedures (Related Controls and Implementation Guidance)
• PM-9, Risk Management Strategy: Policies and procedures should include a risk management strategy to assist in framing how to handle incident response within the organizational structure.
• PS-8, Personnel Sanctions: Policies and procedures should include personnel sanctions for violations.
• SI-12, Information Management and Retention: Policies and procedures should address information lifecycle management and retention practices to reduce possible harm following an incident.
IR-8: Incident Response Plan
a. Develop an incident response plan that:
   1. Provides the organization with a roadmap for implementing its incident response capability;
   2. Describes the structure and organization of the incident response capability;
   3. Provides a high-level approach for how the incident response capability fits into the overall organization;
   4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
   5. Defines reportable incidents;
   6. Provides metrics for measuring the incident response capability within the organization;
   7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
   8. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
   9. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].
b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
e. Protect the incident response plan from unauthorized disclosure and modification.
Related Controls: AC-2, CP-2, CP-4, IR-4, IR-7, IR-9, PE-6, PL-2, SA-12, SA-15, SI-12
IR-8: Incident Response Plan (Related Controls and Implementation Guidance)
• CP-2, Contingency Plan: The incident response plan must take a coordinated approach that includes the contingency plan.
• CP-4, Contingency Plan Testing: The overall incident response plan includes contingency plan testing.
• IR-4, Privacy Notice: Privacy notices should mention the incident response plan the organization has in place.
• IR-7, Incident Response Assistance: The incident response plan defines how incident response assistance resources are utilized.
• PL-2, Security and Privacy Plans: The incident response plan must be consistent with the organization’s security and privacy plans and requirements.
• SI-12, Information Management and Retention: The incident response plan must take into account the organization’s data retention policies on how and what to safeguard during an incident.
OPEN DISCUSSION
THOUGHTS? QUESTIONS? CONCERNS?