RE: RFC 6973: Privacy Considerations for Internet Protocols

Hei Bob

<snip/>

All good points, but I especially support your 3rd bullet ... on making Privacy Considerations coverage mandatory ... and would prefer the combined option ("Security and Privacy Considerations") to promote consolidation (where appropriate) of the Confidentiality leg of the security controls "CIA" triad with closely associated Privacy controls.  (This is something that, in my judgment, the recent and otherwise excellent rev 4 update of NIST's SP 800-53 (now with "Security and Privacy Controls" in the title did not get as right as it could have, since the Privacy controls are in a separate Appendix J).

I am okay with privacy controls in the NIST SP being in a separate annex. They should be separate. Privacy controls are safeguarding privacy requirements based on privacy principles. Security controls are safeguarding infosec requirements based on CIA, STRIDE or whatever infosec ISMS you are following. Risk in privacy is about harm to the individual natural person, whereas risk in security is about harm to the owner of the computer and digital assets. Even the risks are different.

E.G.,

Security: Unauthorized access threat could lead to data theft risk

Privacy: Unauthorized access threat could lead to identity theft or misrepresentation or loss of confidentiality

Some parties what to take a Information Security Management System like ISO 27001 and use it like a hammer because they see the world as a bunch of nails. Privacy requires its own Privacy Management System. I am okay if it is fashioned after ISO's 27001, ISF's SGOP or COBIT or another ISMS framework, but it needs to be repurposed for privacy which may mean changing its processes and activities.

On the matter of NIST SP 800-53 Appendix J, I would like to see a lower level set of controls that are more technical and relate to web and internet apps and services, maybe looking at what OWASP has done.

Frank/