NIST (National Institute of Standards and Technology), USA is the repository of open source standards pertaining to various Information Security standards including the Privacy Risk Management standards. For all organizations who are not bound by other regulatory standards, NIST is the best source of guidance.
NIST has issued a draft Privacy Risk Management Framework (PRMF) in 2015 to address the Privacy Risks in an organization. Though NIST guidelines can be considered as mandatory for the US Federal agencies they are good enough to be followed by even private sector subject to minor modifications that may be required.
The PRMF is composed of the following six processes:
- Framing business objectives
- Framing organizational privacy governance
- Assessing system design
- Assessing privacy risk
- Designing privacy controls
- Monitoring change
NIST first released SP 800-53 in 2005 to provide guidance to agencies on applying a catalog of controls to manage information security risks in accordance with the requirements of the Federal Information Security Management Act (FISMA).
As part of the fourth revision of SP 800-53 in 2013, NIST added an Appendix J, which comprises a set of privacy controls drafted by an interagency working group of privacy officers.
Further revisions and improvements are underway. OMB (Us Office of Management and Budget) update in July 2016 to Circular A-130 clarified that federal agencies’ obligations with respect to managing privacy risk and information resources extends beyond compliance with privacy laws, regulations, and policies, and that agencies must apply the NIST Risk Management Framework (NIST RMF) to their privacy programs and Information Systems.
NIST Special Publication (SP) 800-53 Security and Privacy Controls for Federal Information Systems and Organizations is scheduled to be updated in 2017. The draft document (NISTIR 802) on a revised Privacy Risk Management system for Federal Information Systems has been issued by NIST for which public comments have been collected. This is now under process and should reflect in any revised document that may come forth.
The emerging guidelines may particularly address the Privacy concerns that may arise out of IoT, Big Data, Smart Cities etc.
P.S: This page may be updated from time to time with additional information. Discussions on this may also be covered in the articles on the site.