
Privacy Controls

In document Federal Cloud Computing (Page 107-120)

The privacy controls included in this section are based on those identified in the Security and Privacy Controls for Federal Information Systems and Organizations.

Table 4.5 provides a description of each of the privacy control families. These privacy controls provide the safeguards (i.e., administrative, technical, and physical) to be implemented by the CSP or within the public cloud service when it has been determined PII is being collected and stored.

31. From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-53 Revision 4 (Initial Public Draft), Security and Privacy Controls for Federal Information Systems and Organizations. Maryland: National Institute of Standards and Technology; 2011.

The privacy controls are based on the Fair Information Practice Principles (FIPPs) embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002 and related Office of Management and Budget (OMB) guidance.

32. From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-53 Revision 4 (Initial Public Draft), Security and Privacy Controls for Federal Information Systems and Organizations. Maryland: National Institute of Standards and Technology; 2012. “The Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP) also provided information and materials in development of the privacy controls.”

33. From Federal Chief Information Officers Council, Privacy Committee, Web 2.0/Cloud Computing Subcommittee. Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Washington, DC: Executive Office of the President, Office of Management and Budget; 2010. In August of 2010, the Federal CIO published a framework that addresses privacy considerations posed by moving computer systems that contain PII to a Cloud Computing Provider (CCP).

85 Safeguarding Privacy Information

Table 4.5 Summary of Privacy Control Families [16]

Authority and Purpose (AP)

This family furthers compliance with the Privacy Act by ensuring that organizations: (i) identify the legal bases that authorize a particular PII collection or activity that impacts privacy; and (ii) specify in their notices the purpose(s) for which PII is collected.

Accountability, Audit, and Risk Management (AR)

This family enhances public confidence through effective controls for governance, monitoring, risk management, and assessment to demonstrate that organizations are complying with applicable privacy protection requirements and minimizing overall privacy risk.

Data Quality and Integrity (DI)

This family ensures compliance with Section 552a (e)(2) of the Privacy Act of 1974 and enhances public confidence that any PII collected and maintained by organizations is accurate, relevant, timely, and complete for the purpose for which it is to be used, as specified in public notices.

Data Minimization and Retention (DM)

This family helps organizations implement the data minimization and retention elements of the Privacy Act, which requires organizations to collect, use, and retain only PII that is relevant and necessary for the specified purpose for which it was originally collected. Organizations retain PII for only as long as necessary to fulfill the specified purpose(s) and in accordance with a National Archives and Records Administration (NARA)-approved record retention schedule.

Individual Participation and Redress (IP)

This family addresses the need to make individuals active participants in the decision-making process regarding the collection and use of their PII, as required by the Privacy Act. By providing individuals with access to PII and the ability to have their PII corrected or amended, as appropriate, the controls in this family enhance public confidence in organizational decisions made based on the PII.

Security (SE)

This family supplements the security controls in Appendix F to ensure administrative, technical, and physical safeguards are in place to protect PII collected or maintained by organizations against loss, unauthorized access, or disclosure, as required by the Privacy Act, and to ensure that organizational planning and responses to privacy incidents comply with OMB policies and guidance. The controls in this family are implemented in coordination with information security personnel and in accordance with the existing NIST Risk Management Framework.

Transparency (TR)

This family implements Sections 552a (e)(3) and (e)(4) of the Privacy Act and Section 208 of the E-Government Act, which require public notice of an organization’s information practices and the privacy impact of government programs and activities.

Use Limitation (UL)

This family helps organizations comply with the Privacy Act, which prohibits the use of PII that is either not specified in notices, incompatible with the specified purposes, or not otherwise permitted by law. Implementation of the controls in this family will ensure that the scope of PII use is limited accordingly.

86 CHAPTER 4 Security and Privacy in Public Cloud Computing

Authority and Purpose (AP)

AP-1 Authority to Collect

Control Requirement: The organization determines the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3)(A).

Section 208(c), E-Government Act of 2002 (P.L. 107-347).

AP-2 Purpose Specification

Control Requirement: The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3)(A)-(B).

Sections 208(b), (c), E-Government Act of 2002 (P.L. 107-347).

Accountability, Audit, and Risk Management (AR)

AR-1 Governance and Privacy Program

Control Requirement: The organization:

a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems;

b. Monitors federal privacy laws and policy for changes that affect the privacy program;

c. Allocates [Assignment: organization-defined allocation of budget and staffing resources] to implement and operate the organization-wide privacy program;

d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;

e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and

f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].


References:

The Privacy Act of 1974, 5 U.S.C. § 552a.

E-Government Act of 2002 (P.L. 107-347).

Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541.

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

OMB Memorandum 05-08, Designation of Senior Agency Officials for Privacy.

OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

OMB Circular A-130, Management of Federal Information Resources.

Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP).

AR-2 Privacy Impact and Risk Assessment

Control Requirement: The organization:

a. Establishes a privacy risk assessment process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, and use of personally identifiable information (PII);

b. Conducts a Privacy Impact Assessment (PIA) for information systems and programs in accordance with applicable law, OMB policy, and any existing organizational policies and procedures; and

c. Follows a documented, repeatable process for conducting, reviewing, and approving PIAs.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a.

Section 208, E-Government Act of 2002 (P.L. 107-347).

Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541.

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

OMB Memorandum 05-08, Designation of Senior Agency Officials for Privacy.


AR-3 Privacy Requirements for Contractors and Service Providers

Control Requirement: The organization:

a. Establishes privacy roles and responsibilities for contractors and service providers; and

b. Includes privacy requirements in contracts and other acquisition-related documents.

References:

OMB Circular A-130, Management of Federal Information Resources.

AR-4 Privacy Monitoring and Auditing

Control Requirement: The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation.

References:

Section 208, E-Government Act of 2002 (P.L. 107-347).

Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541.

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

OMB Memorandum 05-08, Designation of Senior Agency Officials for Privacy.

AR-5 Privacy Awareness and Training

Control Requirement: The organization:

a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;

b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and

c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].

References:

The Privacy Act of 1974, 5 U.S.C. § 552a.

Section 208, E-Government Act of 2002 (P.L. 107-347).

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.


AR-6 Privacy Reporting

Control Requirement: The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB) and Congress to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a.

Section 208, E-Government Act of 2002 (P.L. 107-347).

Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541.

Section 803, 9/11 Commission Act, 42 U.S.C. § 2000ee-1.

Section 804, 9/11 Commission Act, 42 U.S.C. § 2000ee-3.

Section 52, Consolidated Appropriations Act of 2005 (P.L. 108-447).

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

OMB Circular A-130, Management of Federal Information Resources.

AR-7 Privacy-Enhanced System Design and Development

Control Requirement: The organization designs information systems to enhance privacy by automating privacy controls.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a.

Section 208 (b) and (c), E-Government Act of 2002 (P.L. 107-347).

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

AR-8 Accounting of Disclosures

Control Requirement: The organization, consistent with, and subject to exceptions in, the Privacy Act:

a. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including: (i) date, nature, and purpose of each disclosure of a record; and (ii) name and address of the person or agency to which the disclosure was made;

b. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and

c. Makes the accounting of disclosures available to the person named in the record upon request.

References: The Privacy Act of 1974, 5 U.S.C. § 552a (c).


Data Quality and Integrity (DI)

DI-1 Data Quality

Control Requirement: The organization:

a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that information;

b. Collects PII directly from the individual to the greatest extent practicable;

c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and

d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e)(5).

Treasury and General Government Appropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4.

Paperwork Reduction Act, 44 U.S.C. § 3501.

OMB Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (October 2001).

OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

DI-2 Data Integrity and Data Integrity Board

Control Requirement: The organization:

a. Documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls; and

b. Establishes a Data Integrity Board when appropriate to oversee organizational Computer Matching Agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (u).

OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals.


Data Minimization and Retention (DM)

DM-1 Minimization of Personally Identifiable Information

Control Requirement: The organization:

a. Identifies the minimum personally identifiable information (PII) elements (e.g., name, address, date of birth) that are relevant and necessary to accomplish the legally authorized purpose of collection;

b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and

c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e)(1), (e)(2).

Section 208(b), E-Government Act of 2002 (P.L. 107-347).

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

DM-2 Data Retention and Disposal

Control Requirement: The organization:

a. Retains personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;

b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and

c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records).

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3)(A).

Section 208(c), E-Government Act of 2002 (P.L. 107-347).


DM-3 Minimization of PII Used in Testing, Training, and Research

Control Requirement: The organization:

a. Develops policies and procedures for the use of personally identifiable information (PII) for testing, training, and research; and

b. Implements controls to protect PII used for testing, training, and research.

References:

NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

Individual Participation and Redress (IP)

IP-1 Consent

Control Requirement: The organization:

a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;

b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;

c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and

d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3)(A).

Section 208(c), E-Government Act of 2002 (P.L. 107-347).

NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).


IP-2 Individual Access

Control Requirement: The organization, consistent with, and subject to exceptions in, the Privacy Act:

a. Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records in order to determine whether to have the PII corrected or amended, as appropriate;

b. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;

c. Publishes access procedures in System of Records Notices (SORNs); and

d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (d).

OMB Circular A-130, Management of Federal Information Resources.

IP-3 Redress

Control Requirement: The organization:

a. Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and

b. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (d).

OMB Circular A-130, Management of Federal Information Resources.

IP-4 Complaint Management

Control Requirement: The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.

References:

OMB Circular A-130, Management of Federal Information Resources.

OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

OMB Memorandum 08-09, New FISMA Privacy Reporting Requirements for FY 2008.


Security (SE)

SE-1 Authority to Collect

Control Requirement: The organization:

a. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and

b. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e)(10).

Section 208(b)(2), E-Government Act of 2002 (P.L. 107-347).

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals.

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems.

NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.

NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

SE-2 Privacy Incident Response

Control Requirement: The organization:

a. Develops and implements a Privacy Incident Response Plan; and

b. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e), (i)(1), and (m).

Federal Information Security Management Act of 2002 (FISMA) 44 U.S.C. § 3541.

OMB Memorandum 06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments.

OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.


Transparency (TR)

TR-1 Privacy Notice

Control Requirement: The organization:

a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;

b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII for the purpose of having it amended or corrected, where appropriate; and (vi) how the PII will be protected; and

c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.

References:

The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3), (e)(4).

Section 208(b), E-Government Act of 2002 (P.L. 107-347).

OMB Memorandum 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.

OMB Memorandum 10-22, Guidance for Online Use of Web Measurement and Customization Technologies.

OMB Memorandum 10-23, Guidance for Agency Use of Third-Party Websites and Applications.

ISE Privacy Guidelines. Available from: http://ise.gov/ise-privacy-guidelines


TR-2 Authority to Collect

Control Requirement: The organization, consistent with the Privacy Act:

a. Publishes in the Federal Register, System of Records
