RE: RFC 6973: Privacy Considerations for Internet Protocols

Hi Frank,

Here is the definition of Confidentiality used in SP800-53:

"Confidentiality

[44 U.S.C., Sec. 3542]

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information."



I have a hard time not interpreting "including the means for protecting personal privacy" as both what we commonly mean by "privacy controls" and also circular with your inclusion of "loss of confidentiality" in your definition of privacy below.

Furthermore, I do not share your enthusiasm for separating these concepts - or, more importantly, their instantiations in practice and operations - as the mad rush to hyper-fractionalization of such closely interrelated concerns (in the real world of individuals and organizations) has led to unsustainable costs and reduced overall effectiveness ... IMHO, at least.

Avanti,
BobN

From: Frank.Dawson@nokia.com [mailto:Frank.Dawson@nokia.com]
Sent: Wednesday, August 07, 2013 6:10 PM
To: Natale, Bob; joe@cdt.org
Cc: public-privacy@w3.org
Subject: RE: RFC 6973: Privacy Considerations for Internet Protocols

Hei Bob

<snip/>

All good points, but I especially support your 3rd bullet ... on making Privacy Considerations coverage mandatory ... and would prefer the combined option ("Security and Privacy Considerations") to promote consolidation (where appropriate) of the Confidentiality leg of the security controls "CIA" triad with closely associated Privacy controls.  (This is something that, in my judgment, the recent and otherwise excellent rev 4 update of NIST's SP 800-53 (now with "Security and Privacy Controls" in the title did not get as right as it could have, since the Privacy controls are in a separate Appendix J).

I am okay with privacy controls in the NIST SP being in a separate annex. They should be separate. Privacy controls are safeguarding privacy requirements based on privacy principles. Security controls are safeguarding infosec requirements based on CIA, STRIDE or whatever infosec ISMS you are following. Risk in privacy is about harm to the individual natural person, whereas risk in security is about harm to the owner of the computer and digital assets. Even the risks are different.

E.G.,

Security: Unauthorized access threat could lead to data theft risk

Privacy: Unauthorized access threat could lead to identity theft or misrepresentation or loss of confidentiality

Some parties what to take a Information Security Management System like ISO 27001 and use it like a hammer because they see the world as a bunch of nails. Privacy requires its own Privacy Management System. I am okay if it is fashioned after ISO's 27001, ISF's SGOP or COBIT or another ISMS framework, but it needs to be repurposed for privacy which may mean changing its processes and activities.

On the matter of NIST SP 800-53 Appendix J, I would like to see a lower level set of controls that are more technical and relate to web and internet apps and services, maybe looking at what OWASP has done.

Frank/

Received on Thursday, 8 August 2013 03:35:50 UTC