Privacy Engineering Tools and Professional Practice

Document posted 30-Aug-2018 (27 slides)

  • Privacy Engineering Tools and Professional Practice

    John Sabo, Chair, OASIS IDTrust Member Section and Chair, PMRM Technical Committee

    John.sabo711@yahoo.com

  • Privacy, the Global Battlefield and Privacy Engineering

    It is time to take the next steps towards privacy engineering standards and automated tools

    Privacy practitioners have been using stone age tools - there is no formal Privacy Engineering discipline!

    The privacy professional/engineer must be able to understand, analyze, visualize, document and implement technical solutions for data protection requirements
    o principles and regulations and organizational policies
    o in the context of a rigorous privacy management analysis
    o translated into privacy controls
    o defined in required services and functions
    o implemented in technical and procedural mechanisms and
    o reported using tools that allow a privacy engineer to demonstrate compliance

    While this is no easy task, it is essential

    OASIS Privacy Engineering Workshop, EIC 2017 - John Sabo

  • Building a Privacy Engineering Discipline: Managing the Complexity of Data Protection

    A system is a combination of interacting elements organized to achieve one or more stated purposes. The interacting elements that compose a system include hardware, software, data, humans, processes, procedures, facilities, materials, and naturally occurring entities [ISO/IEC/IEEE 15288]

    To deliver privacy in IT systems - which include security - privacy control requirements must be functionally built into the interacting elements that compose a system.

    Analogy? NIST's SP 800-160 (November 2016), Systems Security Engineering - Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf


  • NIST's Systems Security Engineering Project

    SSE Project Mission Statement...
    o To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities.
    o To foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle.
    o To provide considerations and to demonstrate how systems security engineering principles, concepts, and activities can be effectively applied to systems engineering activities.
    o To advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied.
    o To serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria.

    A similar approach is needed to develop a data privacy engineering discipline to support the GDPR and other data protection mandates


  • Insights on Privacy Engineering

    Privacy engineering requires
    o a disciplined approach from beginning to end
    o rigorous oversight over the level of detail to ensure all tasks are performed
    o an automated tool that retains detail/linkages to minimize manual work
    o use of subject matter experts and their disciplines and tools
    o interfaces with other automated tools (e.g. DPIAs/PIAs) for efficiency and accuracy

    Privacy engineering is most effective when
    o a privacy engineer can integrate all of the tasks (end to end), resulting in a comprehensive engineered design
    o as each task is executed to capture the detail, the detail is grouped into higher level categories and key issues, et al., are annotated for later use
    o moving from task to task, previous tasks can be updated with new categories, detail and annotations - reusability
    o it is possible to demonstrate how a given mechanism meets its control requirement and to demonstrate accountability. Note this can only be achieved by maintaining the linkages end to end and having the accountability reporting as well
    o standards assist in reducing risks!


  • Industry, Standards and Academic Work Today: An Overview

    o Official Standards
    o Privacy Engineering Publications
    o Risk Management Privacy Engineering Methodologies
    o Privacy Engineering Automated Tools
    o Privacy Controls Design Strategies, Patterns Libraries
    o Privacy Engineering Education
    o Privacy Engineering Conferences and Workshops
    o Privacy Engineering Models/Methodologies

    Source: Privacy Engineering - It's Time to Take the Next Steps towards Standards and Automated Tools, by Gail Magnuson, LLC - https://www.oasis-open.org/committees/documents.php?wg_abbrev=pmrm&show_descriptions=yes


  • Privacy Engineering Standards in Progress

    OASIS PMRM - a Committee Specification - http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

    OASIS PbD-SE - a Committee Specification and Annex - http://docs.oasis-open.org/pbd-se/pbd-se/v1.0/csd01/pbd-se-v1.0-csd01.html and http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html

    ISO 27550 Privacy Engineering - https://www.iso.org/standard/72024.html


  • Privacy Engineering Publications

    The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value (Dennedy, Fox, Finneran) - https://www.amazon.com/Privacy-Engineers-Manifesto-Getting-Policy/dp/1430263555/ref=sr_1_1?ie=UTF8&qid=1485540649&sr=8-1&keywords=privacy+engineering+manifesto

    Achieving Digital Trust: The New Rules for Business at the Speed of Light (Ritter) - https://www.amazon.com/Achieving-Digital-Trust-Rules-Business/dp/0996599002

    Jeffrey Ritter's public patent US 7240213 B1, System trustworthiness tool and methodology - https://www.google.com/patents/US7240213


  • Risk Management Privacy Engineering Methodologies

    LINDDUN: a privacy threat analysis framework - https://linddun.org/

    NISTIR 8062 Introduction to Privacy Engineering and Risk Management - http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

    MITRE Privacy Engineering Framework - https://www.mitre.org/publications/technical-papers/privacy-engineering-framework


  • Privacy Engineering Automated Tools and Solutions

    OASIS PMRM-based Open Source Privacy Management Analysis Tool - under development

    Nymity Smart PIA (e.g., tools facilitating DPIAs and data inventory) - https://www.nymity.com/products/smartpia.aspx

    OneTrust (e.g., tools such as Record Keeping Compliance, Article 30 GDPR) - https://onetrust.com/

    Prifender (e.g., tools such as automated discovery and mapping of PI) - http://www.prifender.com/


  • Other Major Contributions to Privacy Engineering

    Privacy Controls Design Strategies, Patterns Libraries
    o NIST SP 800-53 - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
    o PRIPARE Annex B - http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf
    o AICPA/CICA - http://www.aicpa.org/Pages/default.aspx
    o UC Berkeley School of Information - http://privacypatterns.org

    Privacy Engineering Education
    o Carnegie Mellon's Master of Science in Information Technology - Privacy Engineering - http://privacy.cs.cmu.edu/
    o Johns Hopkins University Privacy Engineering Course - https://apps.ep.jhu.edu/course-homepages/3505-635.472-privacy-engineering-ritter

    Privacy Engineering Conferences and Workshops
    o IAPP workshops on privacy engineering - https://iapp.org
    o IEEE's International Workshops on Privacy Engineering (IWPE15 - IWPE17) - http://www.ieee-security.org/TC/SP2016/index.html


  • Privacy Engineering Models/Methodologies

    The OASIS Privacy Management Reference Model and Methodology (PMRM) v1.0 CS02 provides a comprehensive approach to privacy engineering - http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

    The PRIPARE (Preparing Industry to Privacy-by-Design by supporting its Application Research) methodology integrates the PMRM and other techniques into IT development processes - http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf


  • What is the PMRM and How Can it Support a Privacy Engineering Discipline?

    The PMRM V1.0 CS02 - a methodology and analytic tool developed to:
    o enable the structured analysis of use cases in which personal information (PI) and PII are used, generated, communicated, processed, stored and erased
    o support applications, IoT, Cloud, complex hyper-connected systems, as well as smaller components of a system
    o show the linkages among data, data flows, PI, privacy [including security] policies, privacy controls, privacy-enabling Services/functionality, and risk
    o integrate with and support existing privacy standards
    o achieve data protection by design requirements and compliance across policy and system boundaries
    o support multiple stakeholders

    http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
