The National Institute of Standards and Technology (NIST) will hold its second Privacy Engineering Workshop in San Jose, Calif., Sept. 15 and 16, 2014. The event is co-sponsored by the International Association of Privacy Professionals (IAPP) and is part of NIST's efforts to address the lack of well-developed models, technical standards and best practices in privacy risk management.
The workshop will focus on a set of draft privacy engineering objectives and a risk model that were developed by NIST using input from its first workshop on the subject, held in April 2014. That initial meeting attracted participants from a broad array of companies, advocacy groups, associations, government agencies and universities, among others. It explored the idea that dealing with privacy issues needed a framework for analysis analogous to those used in other fields.
"The first workshop revealed a communication gap between the legal and policy experts and the design and engineering teams that makes it difficult for organizations to manage privacy concerns effectively, understand risks and implement mitigating controls," says Naomi Lefkovitz, senior privacy policy advisor at NIST. "The NIST privacy engineering work is an effort to bridge this gap. We want to help develop a privacy risk management framework that can help organizations get consistent and measurable results in privacy protection, and can help with the implementation of privacy principles such as the Fair Information Practice Principles."
NIST's draft privacy engineering objectives are predictability, manageability and confidentiality. They're meant to be used in much the same way that cybersecurity experts design for the trio of confidentiality, integrity and availability. An analysis framework helps organizations manage risk, design system requirements, and evaluate their effectiveness at achieving these objectives.
The draft system privacy risk management model provides a proposed method for organizations to allocate resources and make informed choices about privacy in systems. It is intended to help them identify where controls can most effectively be implemented and facilitate steps to mitigate privacy risks.
"Finding a common set of terms and definitions is key to improving the maturity of the privacy conversation, the same way as it was to improving security," says Suzanne Lightman, a senior information security advisor at NIST. "And while there are many sets of principles that address handling personal information, organizations and individuals still struggle to effectively communicate about privacy in the face of rapidly evolving technologies."
The September workshop participants will consider these draft concepts, and their input will help NIST develop a report on privacy engineering. The organizers hope the report will guide users, owners, developers and designers of information systems that handle personal information so they can make purposeful decisions about resource allocation and effective implementation of controls to decrease risks to privacy.
Access the privacy engineering objectives and risk model draft and register for the September workshop online.