Thursday, November 17, 2011
The US government recently took a noteworthy step toward strengthening security and privacy, issuing a roadmap for how to make such improvements real and achievable.
The US government recently took a noteworthy step toward strengthening security and privacy, issuing a roadmap for how to make such improvements real and achievable.


Security and privacy are often viewed as competing values, where more security means more surveillance and intrusion on individual freedoms. But in fact this is a false dichotomy; when security and privacy are designed into systems up front, they can serve both to protect people against unwarranted intrusions and also guard against other risks.

Recently, the National Institute of Standards and Technology (NIST) released a policy document that when finalized will help incorporate privacy-sensitive practices more pervasively throughout US government. NIST’s new “Privacy Appendix” is a noteworthy example of privacy (and security) by design.

The Privacy Appendix will help promote privacy and security as two design elements that should be optimized within the context of the most effective and efficient system or process. (IBM’s version of this approach for privacy is captured in the “Privacy by Design” framework; similar approaches exist elsewhere.) Ron Ross, an internationally prominent cybersecurity leader and NIST Fellow, is leading the Privacy Appendix work and recently briefed the US Government’s Information Security and Privacy Advisory Board (ISPAB) about the initiative (note: I serve as Chair of the ISPAB).

The Privacy Appendix outlines a disciplined approach to incorporating privacy and security concepts into an organization’s “enterprise architecture” as well as the “systems development lifecycle.” Via this approach, an organization can evaluate security and privacy risks alongside prevention and response strategies in a way that is linked to their business objectives and overall information and IT processes, making it easier to implement risk management across all “life cycles” (system, security, programmatic, budget, etc).

The document relies heavily on the “Fair Information Privacy Principles,” a set of practices introduced in the 1970s that have become generally accepted among privacy professionals and governments around the world. There are different variations of the FIPPs – NIST’s list draws on the US Government official version as framed by the Department of Homeland Security, as follows:


  • Transparency – provide notice about how personally identifiable information (PII) is collected and used
  • Individual Participation and Redress – where possible, allow consent and the ability to correct and petition if PII is inaccurate
  • Purpose Specification – state why the PII is needed
  • Data Minimization and Retention – Only collect and hold PII needed for a specific purpose
  • Use Specification – Use PII for the original purpose, do not use for a second purpose without going through the previous steps
  • Data Quality and Integrity – Ensure appropriate accuracy and completeness of PII.
  • Security – Protect information in all media
  • Accountability and Auditing – Providing training on and measure effectiveness of compliance with the above principles


NIST’s Privacy Appendix offers government agencies specific steps and actions that they can take to operationalize these principles.

In my view, this is positive step forward toward stronger and more cost-effective compliance with government’s privacy obligations. As a taxpayer, I’d emphasize the cost-effectiveness aspect in particular:  the protections will be less expensive than would be the case if they were bolted on afterward; anyone who’s done a construction project knows that it’s easier to design a room when the house is built than to tear down old walls and make new systems conform.

NIST will release the Privacy Appendix for a final round of comment soon. Government managers, privacy experts, and companies of all kinds would do well to read the document, make suggestions for how to improve it, and as appropriate consider implementing its tenets into their programs and systems.