In April, I presented at and attended the NIST Privacy Engineering Workshop on behalf of ISACA.
Throughout two days of sessions, attendees explored the Fair Information Practice Principles, privacy/technology research efforts, and the need to address privacy risks—to consider privacy from the planning stage of projects and close the longstanding communications gap between legal and engineering areas.
We joined breakout sessions to discuss the frameworks engineers use, explore privacy case studies, and determine ways in which engineering methods can address privacy risks. On day two of the event we focused on drone use, which prompted some lively, thought-provoking discussions.
My takeaways from the workshop:
- Huge gaps in communication between the engineering areas and legal/policy areas need to be closed. Each group needs to listen to the other when it comes to privacy discussions. Each side has much to learn from the experiences of the other.
- Privacy engineering is much more than a policy issue and much more than just getting software or systems to meet existing legal requirements for data protection. Because those laws/regulations were created in a reactionary atmosphere, they will always lag behind a significant number of new and emerging privacy risks. Engineers will be key in mitigating those privacy risks through the use of an effective privacy-engineering framework, and through the use of a catalog of vetted and reasonable privacy-use cases.
- Engineers already have frameworks they have used for many years to build software and systems. Instead of trying to get them to use something completely different, efforts should be made to establish privacy standards that are integrated within these established frameworks, written in language appropriate for engineers.
- Privacy engineering is not just for large organizations. There are many small and mid-size organizations that create software and systems; they must also know how to engineer privacy into their products. Often there is an even greater need for such organizations to practice privacy engineering for all the software and systems they create.
I found this workshop beneficial—an important first step toward identifying actionable privacy standards to include within the Cybersecurity Framework, which engineers will be able to effectively utilitize within their current frameworks to help build in the (currently missing) controls that are needed to help to protect privacy.
Rebecca Herold, CISM, CISA, CISSP, CIPP/US, CIPP/IT, CIPM, FLMI
CEO, The Privacy Professor®