On November 9, 2018, Electrosoft president and CEO Sarbari Gupta spoke at NIST’s 2018 Cybersecurity Risk Management Conference. She addressed the timely topic “A Structured Approach for Privacy Risk Assessments of Federal Organizations.”
In today’s world, the privacy risks attached to Personally Identifiable Information (PII) are real – and the potential misuses of illegally obtained PII can be profound. Thus, protecting PII is critical, especially within those federal agencies that require PII to achieve their missions. Such agencies are required to identify the risks of collecting and handling PII and assess the impact on the privacy of individuals. However, identifying a process for doing so presents a major challenge for most agencies.
Dr. Gupta proposed a two-level Privacy Risk Assessment (PRA) methodology based on an adaptation of NIST SP 800-30 r1. The first, an organizational-level PRA, identifies and categorizes risks to the privacy of individuals that can best be mitigated at the organizational level. The second, a system-level PRA for each information system, identifies and categorizes risks to the privacy of individuals that can best be addressed by the information system handling the PII. The results of these PRAs can then be used to categorize privacy risks and identify ways to mitigate or eliminate risks starting with the highest category risks.
Dr. Gupta’s complete presentation can be found here.