| 800-53 Rev. 4 (Appendix J) Control | 800-53 Rev. 5 Controls |
|---|---|
| AP-1: Authority to Collect | PT-2: Authority to Process Personally Identifiable Information |
| AP-2: Purpose Specification | PT-3: Personally Identifiable Information Processing Purposes |
| AR-1: Governance and Privacy Program | PM-3: Information Security and Privacy Resources; PM-18: Privacy Program Plan; PM-19: Privacy Program Leadership Role |
| AR-2: Privacy Impact and Risk Assessment | RA-3: Risk Assessment; RA-8: Privacy Impact Assessment |
| AR-3: Privacy Requirements for Contractors and Service Providers | SA-1: Policies and Procedures; SA-4: Acquisition Process; SA-9: External System Services |
| AR-4: Privacy Monitoring and Auditing | CA-2: Control Assessments |
| AR-5: Privacy Awareness and Training | AT-1: Policies and Procedures; AT-2: Literacy Training and Awareness; AT-3: Role-based Training; PL-4: Rules of Behavior |
| AR-6: Privacy Reporting | PM-27: Privacy Reporting |
| AR-7: Privacy-Enhanced System Design and Development | No specific control reflects AR-7, but there are discretionary control enhancements that relate to automation. |
| AR-8: Accounting of Disclosures | PM-21: Accounting of Disclosures |
| DI-1: Data Quality | PM-22: Personally Identifiable Information Quality Management; SI-18: Personally Identifiable Information Quality |
| DI-2: Data Integrity and Data Integrity Board | PM-24: Data Integrity Board; SI-1: Policies and Procedures |
| DM-1: Minimization of Personally Identifiable Information | SA-8(33): Security and Privacy Engineering Principles \| Minimization; PM-5(1): System Inventory \| Inventory of Personally Identifiable Information; SI-12(1): Information Management and Retention \| Limit Personally Identifiable Information Elements |
| DM-2: Data Retention and Disposal | MP-6: Media Sanitization; SI-12: Information Management and Retention; SI-12(3): Information Management and Retention \| Information Disposal |
| DM-3: Minimization of PII used in Testing, Training, and Research | PM-25: Minimization of Personally Identifiable Information used in Testing, Training, and Research; SI-12(2): Information Management and Retention \| Minimize Personally Identifiable Information in Testing, Training and Research |
| IP-1: Consent | PT-4: Consent |
| IP-2: Individual Access | AC-1: Policies and Procedures; AC-3(14): Access Enforcement \| Individual Access; PM-20: Dissemination of Privacy Program Information; PT-5: Privacy Notice; PT-6: System of Records Notice |
| IP-3: Redress | PM-22: Personally Identifiable Information Quality Management; SI-18: Personally Identifiable Information Quality Operations; SI-18(4): Personally Identifiable Information Quality Operations \| Individual Requests; SI-18(5): Personally Identifiable Information Quality Operations \| Notice of Correction or Deletion |
| IP-4: Complaint Management | PM-26: Complaint Management |
| SE-1: Inventory of Personally Identifiable Information | PM-5(1): System Inventory \| Inventory of Personally Identifiable Information |
| SE-2: Privacy Incident Response | IR-8: Incident Response Plan; IR-8(1): Incident Response Plan \| Breaches |
| TR-1: Privacy Notice | PT-5: Privacy Notice; PT-5(1): Privacy Notice \| Just-In-Time Notice; PT-5(2): Privacy Notice \| Privacy Act Statements |
| TR-2: System of Records Notices and Privacy Act Statements | PT-6: System of Records Notice |
| TR-3: Dissemination of Privacy Program Information | PM-20: Dissemination of Privacy Program Information |
| UL-1: Internal Use | PT-3: Personally Identifiable Information Processing Purposes |
| UL-2: Information Sharing with Third Parties | AC-21: Information Sharing; AT-3(5): Role-based Training \| Processing Personally Identifiable Information; AU-2: Event Logging; PT-2: Authority to Process Personally Identifiable Information; PT-3: Personally Identifiable Information Processing Purposes |
NIST SP 800-53, Revision 4 (Appendix J) Privacy Controls Comparison to Revision 5

This document is intended to support organizations that have been using the privacy controls in Appendix J of NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 4, to transition to the integrated control catalog in Revision 5. The Revision 5 column indicates the controls that, in NIST's determination, directly address the elements of the Appendix J controls. Very few of the Appendix J controls were transferred to Revision 5 in their entirety. In most cases, elements of Appendix J controls were distributed among multiple Revision 5 controls to improve the integration, and the text was changed to conform to the standardized control format or to make the controls more usable within a risk management program. Organizations can use the Related Controls section of each Revision 5 control to identify other controls that may also support the transition.

Note: This document is only intended to provide pointers to how the Appendix J controls evolved in the integrated catalog of security and privacy controls for Revision 5. It is not intended to provide an example of a complete control selection for a privacy program. More information on selecting controls can be found in NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy; SP 800-53; and SP 800-53B, Control Baselines for Information Systems and Organizations.
