Thursday, July 21, 2011

800-53 Appendix J - Privacy Controls

I feel like I need to say something about the latest addition to my favorite document.

Redundant and unnecessary springs to mind. While new words may be used to talk about the same things, the bottom line is the same as it always is: limit what you collect and then protect it with in the budget constraints you have.

Below is the text of an email I have sent to a number of my customers (as they pay my opinion on such things).

Subject: NIST 800-53 Rev 4
NIST is projecting a release of an updated 800-53 in December. At this time, the only thing that is changing is the addition of Appendix J. Appendix J provide 23 new controls related privacy data protection.

After a quick review, I do not believe that we are in any danger of having to implement something new as far as technology. However, we may need to go through the exercise of updating our documentation to add these new controls (should decide to adopt them).

Attached is the draft of Appendix J for your review. Let me know if you have any questions.

-C

Of course, I attached the PDF for them - you can look at here: http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf

I know that some organizations feel they need these new controls. The ones I work with are not those. If I am totally cynical about the whole thing; I think that this is a way for some people to check more boxes to say how awesome they are OR for someone to justify spending more money on technology that should already be in place.