Page 1: Privacy Engineering Tools and Professional Practice … - E… · Privacy Engineering – Tools and Professional Practice ... OASIS Privacy Engineering Workshop ... NIST.SP.800-160.pdf

Privacy Engineering – Tools and Professional Practice

John Sabo, Chair OASIS IDTrust Member Section and Chair, PMRM Technical Committee
[email protected]

Page 2

Privacy, the Global Battlefield and Privacy Engineering

•  It is time to take the next steps towards privacy engineering standards and automated tools

•  Privacy practitioners have been using stone age tools - there is no formal Privacy Engineering discipline!

•  The privacy professional/engineer must be able to understand, analyze, visualize, document and implement technical solutions for data protection requirements
   o  principles, regulations and organizational policies
   o  in the context of a rigorous privacy management analysis
   o  translated into privacy controls
   o  defined in required services and functions
   o  implemented in technical and procedural mechanisms and
   o  reported using tools that allow a privacy engineer to demonstrate compliance

•  While this is no easy task, it is essential

OASIS Privacy Engineering Workshop EIC 2017 -John Sabo 2

Page 3

Building a Privacy Engineering Discipline: Managing the Complexity of Data Protection

•  A system is a combination of interacting elements organized to achieve one or more stated purposes. The interacting elements that compose a system include hardware, software, data, humans, processes, procedures, facilities, materials, and naturally occurring entities [ISO/IEC/IEEE 15288]

•  To deliver privacy in IT systems - which include security - privacy control requirements must be functionally built into the “interacting elements that compose a system.”

•  Analogy? - NIST’s SP 800-160 (November 2016), “Systems Security Engineering - Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf


Page 4

NIST’s Systems Security Engineering Project

•  SSE Project Mission Statement...
   o  To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities.
   o  To foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle.
   o  To provide considerations and to demonstrate how systems security engineering principles, concepts, and activities can be effectively applied to systems engineering activities.
   o  To advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied.
   o  To serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria.

•  A similar approach is needed to develop a data privacy engineering discipline to support the GDPR and other data protection mandates


Page 5

Insights on Privacy Engineering

•  Requires
   o  a disciplined approach from beginning to end
   o  rigorous oversight over the level of detail to ensure all tasks are performed
   o  an automated tool that retains detail/linkages to minimize manual work
   o  use of subject matter experts and their disciplines and tools
   o  interfaces with other automated tools (e.g. DPIAs/PIAs) for efficiency and accuracy

•  Is most effective when
   o  a privacy engineer can integrate all of the tasks (end to end), resulting in a comprehensive engineered design
   o  as each task is executed to capture the detail, the detail is grouped into higher level categories and key issues and the like are annotated for later use
   o  moving from task to task, previous tasks can be updated with new categories, detail and annotations - reusability
   o  it can be demonstrated how a given mechanism meets its control requirement, and accountability can be demonstrated

•  Note this can only be achieved by maintaining the linkages end to end and having the accountability reporting as well
   o  Standards assist in reducing risks!


Page 6

Industry, Standards and Academic Work Today - An Overview

•  Official Standards
•  Privacy Engineering Publications
•  Risk Management Privacy Engineering Methodologies
•  Privacy Engineering Automated Tools
•  Privacy Controls Design Strategies, Patterns Libraries
•  Privacy Engineering Education
•  Privacy Engineering Conferences and Workshops
•  Privacy Engineering Models/Methodologies

Source: “Privacy Engineering…Its Time to Take the Next Steps towards Standards and Automated Tools” by Gail Magnuson, LLC - https://www.oasis-open.org/committees/documents.php?wg_abbrev=pmrm&show_descriptions=yes


Page 7

Privacy Engineering Standards in Progress

•  OASIS PMRM – a Committee Specification - http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

•  OASIS PbD-SE - a Committee Specification - http://docs.oasis-open.org/pbd-se/pbd-se/v1.0/csd01/pbd-se-v1.0-csd01.html
   and Annex - http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html

•  ISO 27550 Privacy Engineering - https://www.iso.org/standard/72024.html


Page 8

Privacy Engineering Publications

•  The Privacy Engineer’s Manifesto Getting from Policy to Code to QA to Value (Dennedy, Fox, Finneran) - https://www.amazon.com/Privacy-Engineers-Manifesto-Getting-Policy/dp/1430263555/ref=sr_1_1?ie=UTF8&qid=1485540649&sr=8-1&keywords=privacy+engineering+manifesto

•  Achieving Digital Trust: The New Rules for Business at the Speed of Light (Ritter) - https://www.amazon.com/Achieving-Digital-Trust-Rules-Business/dp/0996599002

•  Jeffrey Ritter’s public patent US 7240213 B1, System trustworthiness tool and methodology - https://www.google.com/patents/US7240213


Page 9

Risk Management Privacy Engineering Methodologies

•  LINDDUN: a privacy threat analysis framework - https://linddun.org/

•  NISTIR 8062 Introduction to Privacy Engineering and Risk Management - http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

•  MITRE Privacy Engineering Framework - https://www.mitre.org/publications/technical-papers/privacy-engineering-framework


Page 10

Privacy Engineering Automated Tools and Solutions

•  OASIS PMRM-based Open Source Privacy Management Analysis Tool – under development

•  Nymity Smart PIA (e.g., tools facilitating DPIAs and data inventory) - https://www.nymity.com/products/smartpia.aspx

•  OneTrust (e.g., tools such as Record Keeping Compliance Article 30, GDPR) - https://onetrust.com/

•  Prifender – (e.g., tools such as automated discovery and mapping of PI) http://www.prifender.com/


Page 11

Other Major Contributions to Privacy Engineering

•  Privacy Controls Design Strategies, Patterns Libraries
   o  NIST SP 800-53 - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
   o  PRIPARE Annex B - http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf
   o  AICPA/CICA - http://www.aicpa.org/Pages/default.aspx
   o  UC Berkeley School of Information – http://privacypatterns.org

•  Privacy Engineering Education
   o  Carnegie Mellon’s Master of Science in Information Technology – Privacy Engineering - http://privacy.cs.cmu.edu/
   o  Johns Hopkins University Privacy Engineering Course - https://apps.ep.jhu.edu/course-homepages/3505-635.472-privacy-engineering-ritter

•  Privacy Engineering Conferences and Workshops
   o  IAPP workshops on privacy engineering - https://iapp.org
   o  IEEE’s International Workshops on Privacy Engineering (IWPE’15 - IWPE’17) - http://www.ieee-security.org/TC/SP2016/index.html


Page 12

Privacy Engineering Models/Methodologies

•  The OASIS Privacy Management Reference Model and Methodology (PMRM) v1.0 CS02 provides a comprehensive approach to privacy engineering - http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

•  The PRIPARE (Preparing Industry to Privacy-by-Design by supporting its Application Research) methodology integrates the PMRM and other techniques into IT development processes - http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf


Page 13

What is the PMRM and How Can it Support a Privacy Engineering Discipline?

The PMRM V1.0 CS02 - A methodology and analytic tool developed to:
•  enable the structured analysis of “use cases” in which personal information (PI) and PII are used, generated, communicated, processed, stored and erased
•  support applications, IoT, Cloud, complex hyper-connected systems, as well as smaller components of a system
•  show the linkages among data, data flows, PI, privacy [including security] policies, privacy controls, privacy-enabling Services/functionality, and risk
•  integrate with and support existing privacy standards
•  achieve data protection by design requirements and compliance across policy and system boundaries
•  support multiple stakeholders

http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

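The PMRM bullets above, like the "Insights" slide on page 5, turn on one engineering point: the linkages from principle to control requirement to service to implementing mechanism must be kept end to end, or accountability cannot be demonstrated. The following is an added example, not code from this deck or from the OASIS PMRM TC's tool project, of the smallest useful check over such an analysis: it finds control requirements that no mechanism implements, mechanisms that implement no control, and controls assigned to no PMRM service, and it produces a per-principle report of the chain. The layer names follow the deck; the identifiers, requirement texts and links are constructed for the example, as is the tiny ANALYSIS dictionary that stands in for a tool's database.

```python
# Constructed, hypothetical PMRM-style analysis of one use case. The layers
# follow the deck (principle -> control requirement -> service -> mechanism);
# the identifiers, descriptions and links are assumptions for this example.
ANALYSIS = {
    "principles": {
        "P-PURPOSE": "purpose limitation",
        "P-MINIMISE": "data minimisation",
        "P-SECURITY": "integrity and confidentiality",
    },
    # control id -> (principle it operationalises, requirement text)
    "controls": {
        "C-01": ("P-PURPOSE", "process PI only for purposes the data subject agreed to"),
        "C-02": ("P-MINIMISE", "collect only the fields needed for each purpose"),
        "C-03": ("P-SECURITY", "PI encrypted at rest"),
        "C-04": ("P-SECURITY", "every access to PI is logged"),
    },
    # control id -> PMRM services that deliver it
    "services": {
        "C-01": ["Agreement", "Usage"],
        "C-02": ["Usage"],
        "C-03": ["Security"],
        "C-04": ["Enforcement"],
    },
    # mechanism (code, config or procedure) -> controls it implements
    "mechanisms": {
        "M-consent-db": ["C-01"],
        "M-purpose-filter": ["C-01", "C-02"],
        "M-disk-encryption": ["C-03"],
        "M-legacy-export": [],   # present in the system, tied to no control
    },
}


def coverage(analysis: dict) -> dict:
    """Invert the mechanism links: control id -> mechanisms implementing it.
    A mechanism naming a control that is not in the analysis is an error,
    because that linkage would otherwise dangle silently."""
    impl = {c: [] for c in analysis["controls"]}
    for mech, controls in analysis["mechanisms"].items():
        for c in controls:
            if c not in impl:
                raise KeyError(f"{mech} references unknown control {c}")
            impl[c].append(mech)
    return impl


def gaps(analysis: dict) -> dict:
    """The three breaks in the chain a reviewer would ask about first."""
    impl = coverage(analysis)
    return {
        "unimplemented_controls": sorted(c for c, ms in impl.items() if not ms),
        "orphan_mechanisms": sorted(m for m, cs in analysis["mechanisms"].items() if not cs),
        "controls_without_service": sorted(c for c in analysis["controls"]
                                           if not analysis["services"].get(c)),
    }


def accountability_report(analysis: dict) -> dict:
    """Per principle: every control under it, the services and mechanisms
    behind each control, and whether the principle is fully implemented."""
    impl = coverage(analysis)
    report = {}
    for pid, pname in analysis["principles"].items():
        controls = [c for c, (p, _) in analysis["controls"].items() if p == pid]
        report[pid] = {
            "principle": pname,
            "controls": {c: {"requirement": analysis["controls"][c][1],
                             "services": analysis["services"].get(c, []),
                             "mechanisms": impl[c]} for c in controls},
            # a principle with no controls at all is also not implemented
            "fully_implemented": bool(controls) and all(impl[c] for c in controls),
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(gaps(ANALYSIS), indent=2))
    print(json.dumps(accountability_report(ANALYSIS), indent=2))
```

Run stand-alone, the gap report names C-04 (access logging has a service but no mechanism) and M-legacy-export (a mechanism that exists but maps to nothing), and the accountability report shows P-SECURITY as not fully implemented while the other two principles are. The same inversion is what lets a tool answer the deck's question of how a given mechanism meets its control requirement, in both directions.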

Page 14

The PMRM Model Reflects the Complexity of Data Protection/Privacy


Page 15

The PMRM Privacy Management Analysis Methodology is the Analytic Tool Supporting Privacy Engineering


Page 16

[Diagram: the PMRM analysis flow, read from GDPR Principles through Use Case, High Level Analysis, Detailed Analysis, Control Requirements and Services and Functionality to Implementing Mechanisms/Code, with Iterative Analysis looping across the stages. Stakeholder roles shown around the flow: Regulator, Business Owner, Privacy Officer, Risk Officer, Privacy Engineer-Generalist, Privacy Engineer Specialist, Software Engineer.]

Privacy Management Analysis is complicated:
-  Multiple Stakeholders
-  Iterative Roles
-  Policy
-  Procedural
-  Technical
-  Risk Management
-  SDLC Issues
-  Iterative analysis

Page 17

[Diagram: PMRM – Privacy Engineering Methodology, the use case analysis stages performed by Privacy Engineering Generalists.
High Level Privacy Use Case Analysis: Services/Applications; Privacy Requirements; Impact/Other Assessments.
Detailed Privacy Use Case Analysis: Domains and Owners; Risks - Responsibilities; Data Flows and Touch Points; Systems and Subsystems; Actors; PI in Use Case Systems (System 1 … System n, each with Incoming / Internally Generated / Outgoing PI).]


Page 18

[Diagram continued: the stages performed by Privacy Engineering Specialists, as an iterative process.
Risk Assessment.
Operational Privacy Control Requirements: Inherited, Internal, Exported.
Services Required for Operationalized Controls: Agreement, Usage, Validation, Certification, Enforcement, Security, Interaction, Access.
Technical and Process Functionality and Mechanisms.]

Page 19

PMRM Services


Page 20

From “Principles” to Technical Solutions

GDPR Principles (Article 5) require that Personal Data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those … ('purpose limitation');
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').


Page 21

GDPR Requires Consent - Article 7

1.  The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2.  The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. 

3.  The data subject shall have the right to withdraw his or her consent at any time. Prior to giving consent, the data subject shall be informed thereof. 

4.  When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.


Page 22

ICO’s Draft Guidance On Consent

•  Unbundled: consent requests must be separate from other terms and conditions.
•  Active opt-in: pre-ticked opt-in boxes are invalid.
•  Granular: give granular options to consent separately to different types of processing wherever appropriate.
•  Named: name your organisation and any third parties who will be relying on consent.
•  Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
•  Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
•  No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.

https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

From a Privacy Engineering point of view – at what levels in a system or application is consent implemented – and what functionality/technical mechanisms make it happen?


Page 23


PMRM SERVICE | SERVICE FUNCTIONALITY | INFORMAL DEFINITION

AGREEMENT | Defines and documents permissions and rules for the handling of PI based on applicable policies, data subject preferences, and other relevant factors; provides relevant Actors with a mechanism to negotiate, change or establish new permissions and rules; expresses the agreements such that they can be used by other Services | Manage and negotiate permissions and rules

USAGE | Ensures that the use of PI complies with the terms of permissions, policies, laws, and regulations, including PI subjected to information minimization, linking, integration, inference, transfer, derivation, aggregation, anonymization and disposal over the lifecycle of the PI | Control PI use

VALIDATION | Evaluates and ensures the information quality of PI in terms of accuracy, completeness, relevance, timeliness, provenance, appropriateness for use and other relevant qualitative factors | Ensure PI quality

CERTIFICATION | Ensures that the credentials of any Actor, Domain, System, or system component are compatible with their assigned roles in processing PI and verifies their capability to support required Privacy Controls in compliance with defined policies and assigned roles | Ensure appropriate privacy management credentials

ENFORCEMENT | Initiates monitoring capabilities to ensure the effective operation of all Services. Initiates response actions, policy execution, and recourse when audit controls and monitoring indicate operational faults and failures. Records and reports evidence of compliance to Stakeholders and/or regulators. Provides evidence necessary for Accountability | Monitor proper operation, respond to exception conditions and report evidence of compliance where required for accountability

SECURITY | Provides the procedural and technical mechanisms necessary to ensure the confidentiality, integrity, and availability of PI; makes possible the trustworthy processing, communication, storage and disposition of PI; safeguards privacy operations | Safeguard privacy information and operations

INTERACTION | Provides generalized interfaces necessary for presentation, communication, and interaction of PI and relevant information associated with PI, encompassing functionality such as user interfaces, system-to-system information exchanges, and agents | Information presentation and communication

ACCESS | Enables Data Subjects, as required and/or allowed by permission, policy, or regulation, to review their PI that is held within a Domain and propose changes, corrections or deletion for their PI | View and propose changes to PI

Page 24

So…Privacy Engineers will Ensure that Consent Requirements are Built into Specific Applications and Systems


Page 25

The GDPR and Privacy Engineering: Article 25

1.  Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2.  The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

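The deck asks, on the ICO consent slide (page 22), at what level in a system consent is implemented and which technical mechanisms make it happen, and Article 25(2) above adds the default-minimisation requirement. The following is an added example, not code from this deck, from the OASIS PMRM TC or from any vendor named on page 10, showing one way those requirements land in application code: an append-only consent registry (the PMRM Agreement service, with the evidence that Enforcement needs), a processing gate that refuses work without a standing consent and releases only the fields the purpose needs (the Usage service), and withdrawal as the same kind of event as a grant. The purpose catalogue, field names, API names and sample record are all assumptions constructed for the example; a real system would persist the events and bind the notice hash to the actual text shown.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

# Hypothetical purpose catalogue (an assumption of this example): for each
# processing purpose, the only PI fields necessary for it. This is Article
# 25(2) written down as data the code can enforce rather than as a policy.
PURPOSE_FIELDS = {
    "order_fulfilment": {"name", "postal_address"},
    "marketing_email": {"email"},
    "product_analytics": {"country"},
}


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision, kept as evidence (ICO 'Documented')."""
    subject_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime
    notice_sha256: str     # hash of the exact wording the data subject saw
    channel: str           # how it was collected, e.g. "web_form"


class ConsentRegistry:
    """Append-only record of consent per data subject and per purpose
    (PMRM Agreement service plus the evidence side of Enforcement)."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _record(self, subject_id, purpose, granted, notice_text, channel, at):
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose: {purpose!r}")
        event = ConsentEvent(subject_id, purpose, granted,
                             at or datetime.now(timezone.utc),
                             hashlib.sha256(notice_text.encode("utf-8")).hexdigest(),
                             channel)
        self._events.append(event)
        return event

    def grant(self, subject_id, purpose, notice_text, channel, at=None):
        """Granular: one purpose per call; nothing is granted implicitly."""
        return self._record(subject_id, purpose, True, notice_text, channel, at)

    def withdraw(self, subject_id, purpose, notice_text, channel, at=None):
        """Same shape as grant, so withdrawing is no harder than opting in."""
        return self._record(subject_id, purpose, False, notice_text, channel, at)

    def has_consent(self, subject_id, purpose) -> bool:
        """Latest event for (subject, purpose) wins; no event means no consent,
        i.e. there is no pre-ticked default."""
        state = False
        for event in self._events:
            if event.subject_id == subject_id and event.purpose == purpose:
                state = event.granted
        return state

    def evidence(self, subject_id) -> list[dict]:
        """What was consented to, what the subject was told, when and how."""
        return [
            {"purpose": e.purpose, "granted": e.granted, "at": e.at.isoformat(),
             "notice_sha256": e.notice_sha256, "channel": e.channel}
            for e in self._events if e.subject_id == subject_id
        ]


def process(registry: ConsentRegistry, subject_id: str, purpose: str,
            record: dict) -> dict:
    """PMRM Usage service: refuse processing without a standing consent and
    release only the fields the purpose needs (minimisation by default)."""
    if not registry.has_consent(subject_id, purpose):
        raise PermissionError(f"no valid consent from {subject_id} for {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample input for a stand-alone run (not real data).
SAMPLE_RECORD = {"name": "A. Example", "postal_address": "1 Sample Street",
                 "email": "a@example.invalid", "country": "DE",
                 "date_of_birth": "1990-01-01"}
MARKETING_NOTICE = ("We will email you product offers. You can withdraw at any "
                    "time under Settings > Privacy, as easily as you opted in.")


def demo() -> tuple[dict, list[dict]]:
    reg = ConsentRegistry()
    reg.grant("subj-1", "marketing_email", MARKETING_NOTICE, "web_form")
    minimised = process(reg, "subj-1", "marketing_email", SAMPLE_RECORD)
    reg.withdraw("subj-1", "marketing_email",
                 "Withdrawn under Settings > Privacy", "web_settings")
    return minimised, reg.evidence("subj-1")


if __name__ == "__main__":
    released, trail = demo()
    print(released)          # only the e-mail field reaches the marketing job
    for entry in trail:
        print(entry)
```

Two design points carry the ICO requirements. Consent state is derived from an append-only event log rather than stored as a mutable flag, so the record of what was told, when and how survives a withdrawal and can be produced on request. And the processing gate keys on purpose, not on "has this user consented to anything", which is what makes granular consent and default minimisation enforceable in the same place.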

Page 26

A Software Solution for Privacy Engineering - the OASIS Open Source Privacy Management Analysis Tool Project

•  Objective: Design and develop an Open Source Privacy Management Analysis (PMRM-PMA) tool for the OASIS Open Repository, using the PMRM methodology to help engineer the delivery of data protection/privacy in systems and applications - https://www.oasis-open.org/resources/open-repositories

•  OASIS Open Repository contents are created through public contributions under a designated open source license, and community participants establish development priorities for assets maintained in the repository.

•  The OASIS PMRM TC will initiate the creation of an Open Repository to enable community development of additional material and technical tools. Open Repositories are set up as GitHub projects under the GitHub organization "oasis-open" at https://github.com/oasis-open/.

•  OASIS Open Repositories use the familiar fork-and-pull collaboration model which allows anyone, whether an OASIS/TC member or not, to submit a pull request. All contributions to an Open Repository are governed by a written purpose statement for the project, a designated open source license, a policy document, and by Contributor License Agreements submitted by contributors.

To Participate - Please contact [email protected]


Page 27

Thank You

[email protected]

www.oasis-open.org
