Worksheet 4 Selecting Controls
Tasks:
1. Define system requirements (Tab 2).
2. Select controls (Tab 3).
… from Worksheets 2 and 3.
Guidance:
Using your preferred prioritization method from Worksheet 3, select the data actions and associated problems that are creating the privacy risks that you plan to mitigate, or list data actions and their associated problems in order of highest to lowest priority. List potential system requirements that will be used to mitigate the identified risks. System requirements can be technical or policy measures or a combination of both.

In the considerations column, review the benefits or limitations of these potential system privacy requirements with respect to relevant factors such as system performance, cost, interaction with other system requirements, user experience, problem mitigation, etc. Considerations may also include how system privacy requirements help to meet the organizational privacy requirements or privacy capabilities captured in Worksheet 1. Considerations may also include cross-references to security risk assessments and security risks that could be mitigated by the system privacy requirements (or vice versa). The considerations should contain enough information to compare the potential system requirements and make decisions about which ones will be selected.

Example: [example table for Tab 2; recovered column headers: "… Requirements", "Considerations"]
Guidance:
1. List data actions and their associated problems from Tab 2: Define System Requirements with requirements that will be met.
2. List privacy controls selected for implementation. References for consideration: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (available here: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final).
3. Describe the rationale for selecting the controls or leaving the risk unmitigated.
4. List the associated system requirements from Tab 2: Define System Requirements that are met by the selected controls.
5. Populate the residual risks column with unmitigated summary issues or adjusted summary issues based on the controls selected.
6. Implement, assess and monitor the selected controls for effectiveness in managing the identified privacy risks. Reassess the residual risk acceptance determination as needed. Iterate on the worksheets as changes to the system/product/service occur.

[table for Tab 3; recovered column headers: "System Requirements Met", "Residual Risks"]