Classification - Restricted

Introduction

NIST Privacy Risk Assessment Methodology


Version: February 2019

Worksheet 4: Selecting Controls


Purpose:
This worksheet supports the selection of controls to mitigate privacy risks identified in Worksheet 3. It requires inputs from Worksheets 2 and 3.

Tasks:
1. Define system requirements (Tab 2).
2. Select controls (Tab 3).

Task 2: Define System Requirements

Guidance:
Using your preferred prioritization method from Worksheet 3, select the data actions and associated problems that are creating the privacy risks that you plan to mitigate or list data actions and their associated problems in order of highest to lowest priority. List potential system requirements that will be used to mitigate the identified risks. System requirements can be technical or policy measures or a combination of both.

In the considerations column, review the benefits or limitations of these potential system privacy requirements with respect to relevant factors such as system performance, cost, interaction with other system requirements, user experience, problem mitigation, etc. Considerations may also include how system privacy requirements help to meet the organizational privacy requirements or privacy capabilities captured in Worksheet 1. Considerations may also include cross-references to security risk assessments and security risks that could be mitigated by the system privacy requirements (or vice versa). The considerations should contain enough information to compare the potential system requirements, and make decisions about which ones will be selected.

Example:

Data Actions:
Collection from the Social Media Site

Problems for Individuals:
Dignity Loss: Information is revealed about the individual that they would prefer not to disclose.
Loss of Autonomy: People must provide extensive information, giving the acquirer an unfair advantage.
Loss of Trust: Individuals lose trust in ACME due to a breach in expectations about the handling of personal information.

Potential System Requirements:
1. Configure API to enable more granular retrieval of information, pull full name and email only; enable capability to pull profile photograph if future proofing requires it.
2. Inform users of collection.
3. Delete unneeded information after collection.

Considerations:
1. Significantly reduces collection of information, possibly decreasing risk across the system. Would potentially lower risk of dignity loss, loss of autonomy, and loss of trust problems.
2. Users may be informed of specific information collected in this data action, but that may not improve risk across the system as they are unable to prevent the revelation of information.
3. Social Media site may refuse to reconfigure API. Unclear how users will understand the process. Leverages appropriate disposal controls. Decreases risk of dignity loss, but not necessarily loss of autonomy or loss of trust. Compare potential failure rate for API configuration to pull specified data correctly to potential failure rate of disposing of information after collection.

Problems | Potential Problems for Individuals | Potential System Requirements | Considerations

Task 3: Select Controls

Guidance:
1. List data actions and their associated problems from Tab 2: Define System Requirements with requirements that will be met.
2. List privacy controls selected for implementation. References for consideration: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (available here: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final).
3. Describe the rationale for selecting the controls or leaving the risk unmitigated.
4. List the associated system requirements from Tab 2: Define System Requirements that are met by the selected controls.
5. Populate the residual risks column with unmitigated summary issues or adjusted summary issues based on the controls selected.
6. Implement, assess and monitor the selected controls for effectiveness in managing the identified privacy risks. Reassess the residual risk acceptance determination as needed. Iterate on the worksheets as changes to the system/product/service occur.

Data Actions | Potential Problems for Individuals | Selected Controls | Rationale | System Requirements Met | Residual Risks
