The National Institute of Standards and Technology (“NIST”)1 has released the fourth revision of its standard-setting computer security guide,2 and the release is an important one for data privacy controls and standards. Taking “a more holistic approach to information security and risk management,5” the new revision for the first time offers guidance on the selection, implementation, assessment, and ongoing monitoring of privacy controls for federal information systems, programs, and organizations.6 The Privacy Controls, set out in a new Privacy Appendix, are a structured set of standardized administrative, technical, and physical safeguards, based on best practices, for protecting the privacy of both paper and electronic information. Businesses outside the federal government can also use these Privacy Controls to mitigate their own privacy risks.
What You Need to Know
The Privacy Appendix is based upon best practices developed under the current laws, regulations, policies, and guidance that apply to federal information systems, programs, and organizations and, by implication, to their third-party contractors. If you provide services to the federal government, work on government contracts, or receive grants that require compliance with federal information system security practices, you should already be sitting up and paying attention. This revision puts privacy on equal footing with security, and it will come to be treated as an industry standard of best practices that can help protect your business.
Endnotes
1 The National Institute of Standards and Technology is a non-regulatory agency within the U.S. Department of Commerce, which, among other things, develops information security standards and guidelines, including minimum requirements for federal information systems to assist federal agencies in implementing the Federal Information Security Management Act of 2002.
2 See Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication (SP) 800-53, Rev. 4 (April 30, 2013), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.