[00:00:00] In this lesson we're going to talk about information security and privacy. Now, when it comes to information security and privacy, for a long time these were treated as two separate things and they weren't integrated together. But with the latest version of RMF we actually integrate both of these together underneath the Risk Management Framework.

[00:00:18] Now, the first place where we see information security and privacy explicitly linked together was inside of a document known as the OMB Circular A-130. Now, OMB is the United States Office of Management and Budget. And these circulars that they put out are essentially memos that tell other federal organizations what they have to do. Inside these circulars there's going to be detailed instructions and information that is specifically sent to these federal agencies, and it implements a standard guidance for all the federal agencies across an array of policy areas. So when the OMB puts out a circular and they say everybody must follow this, they mean everybody inside of the government.
[00:00:56] So whether you're working for the United States Treasury or the United States Department of Defense, those rules will still apply to you. And back in 2016 the OMB revised their circular, A-130, to include the use of RMF for all federal agencies, and this linking of information security and privacy together. In fact, inside of OMB A-130, you'll find that it says, "While security and privacy are independent and separate disciplines, they are closely related, and it is essential for agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with the applicable requirements."

[00:01:33] So because of this, OMB had required organizations to start using the Risk Management Framework in order for them to manage their privacy risk beyond those that are typically included underneath the confidentiality objectives inside of the NIST Cybersecurity Framework and other versions of the RMF or Risk Management Framework. When you look at the term information security, there is a section under there for confidentiality.
[00:01:58] And normally this was focused on things like encryption and secrecy and things like that. But as of this new revision we now include things for privacy underneath this term too. Now this is because there are many different privacy risks that relate to other unauthorized access or disclosure of personally identifiable information, privacy risks that can also result from other activities, including the creation, collection, use and retention of PII, and having an inadequate quality or integrity of that PII, and all of this can give you a lack of appropriate notice, transparency, or participation.

[00:02:31] So as they started looking at all these data breaches that were going on, they said, you know what, it's not just an information security problem but it's also a privacy concern area. And that's why they started implementing privacy control officers inside the different agencies to look at this problem. And they included it inside of the Risk Management Framework.
[00:02:50] And so as you're going through RMF and your seven steps, part of what you're looking at is not just the information systems, but also the privacy of the data that's being processed, transmitted, or stored on those information systems. Now, when you're executing the Risk Management Framework, it's important that you have close collaboration between your information security programs and your privacy programs, because they are intricately linked by this new OMB circular.

[00:03:15] Now, even though your information security programs and your privacy programs do have different objectives, those objectives are considered complementary, and many times they overlap as well. So as you're putting in place one control that gives you better information security, that same control may also give you better privacy. And by working together between our information security and cybersecurity teams as well as our privacy teams, we're going to be able to take advantage of those different controls and be able to meet the requirements for both of these areas of concern.
[00:03:46] For example, if you look at your information security program, it's normally going to be responsible for protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. For example, we want to make sure there's no unauthorized system activity or behavior happening on those systems. We do this in order to achieve three main things: confidentiality, integrity, and availability. And we call this the CIA Triad.

[00:04:14] Now, privacy programs, on the other hand, are going to be responsible for ensuring compliance with the applicable privacy requirements and for managing the risk to individuals associated with the creation, collection, use, processing, dissemination, storage, maintenance, disclosure or disposal of PII, which is known as Personally Identifiable Information. As you can see, information security is really focused on CIA, or confidentiality, integrity and availability, whereas privacy programs are really focused on personally identifiable information, known as PII.
[00:04:49] This PII though, when it's stored on an information system, is going to have to be protected underneath confidentiality and integrity, and this is why information security and privacy really go hand in hand underneath the Risk Management Framework. So now that you have a better understanding of why we're going to be talking about information security and privacy together, it's important to realize that there are different controls that can apply to each of these things.

[00:05:14] For example, if you're going to be using a privacy control, this is usually going to be an administrative, technical or physical safeguard that's going to be employed within an agency to ensure compliance with the applicable privacy requirements, and to manage privacy risks. On the other hand, a security control is considered a safeguard or countermeasure, prescribed for an information system or for an organization to protect the confidentiality, integrity and availability of the system and its information.
[00:05:41] Now, there is a small difference here, but you'll see often that RMF will use the same word, control, to refer to both types simultaneously. And this can be a little bit confusing when you first start working out with RMF, but it's important for you to remember that in RMF when we talk about a control, this control can be a security control or a privacy control, or sometimes you'll have a single control that will work and give you protections in both areas.

[00:06:06] Because of this, RMF will usually only differentiate a control by its type if a situation requires it, because like I said, you can often use a privacy control to give you better confidentiality, or you can use an information security control to give you better privacy. And so they do work together, and this is why we have this linkage between information security and privacy controls. And this is why inside of RMF, they'll often treat it just as a control instead of saying this is an information security control or a privacy control.