
Slide 1: ISTPA Framework Project: Combining Security and Privacy Throughout the Life Cycle of Personal Information
Michael Willett, Wave Systems; Chair, ISTPA Framework Project
Personal Information Privacy

Speaker notes (Michael Willett): (Assume the listener is familiar with the overall ISTPA mission, projects, and objectives.) The objective of the Framework Project is to develop an analytic framework for privacy services that “implement” the privacy fair information practices and privacy principles. The Framework can serve both as an operational model for evolving implementations and as a tool for assessing the completeness of solutions.

Slide 2: Definitions
- Security: locks, guards, passwords, cryptography, digital signatures, … the establishment and maintenance of measures to protect a system.
- Privacy: proper handling and use of personal information (PI) throughout its life cycle, consistent with the preferences of the subject.
- Confidence/trust: freedom from worry; a feeling.
(Figure: Security + Privacy + Value -> Confidence/Trust)

Speaker notes (Michael Willett): Security deals with PROTECTION of a system, whereas privacy deals with the USE of personal information (PI). Security is an essential element of privacy, but even in a secure environment, PI can be misused (i.e., used inconsistently with the preferences of the PI subject). Trust is not a technology or even a process; rather, trust is a feeling. By implementing security and privacy and adding customer value, we strive to engender trust in the customer/consumer.

Slide 3: Fair Information Practices
- Notice and Awareness
- Choice and Consent
- Individual Access
- Information Quality and Integrity
- Update and Correction
- Enforcement and Recourse

Speaker notes (Michael Willett): These fair information practices are more “operational” than the principles, but are still missing the procedural and functional “glue” to tie them together into a system. The names of the practices are self-explanatory as to the desired behavior. For example, Choice and Consent means that the subject of the requested PI can exercise choice over the types of PI collected and can consent to that collection (either opt-out or opt-in) and to the subsequent use of the PI by the requestor.

Slide 4: Life Cycle Management of PI
(Figure: touch points along the PI life cycle: Source/Subject -> Intermediary -> Repository/Custodian -> Requestor/Receiver)

Speaker notes (Michael Willett): If PI never left the immediate control of the subject, then privacy would not be a problem. Issues arise when PI leaves the immediate control of the subject and moves through/to various touch points, where others may be able to “touch” and see the PI. Privacy is a PI life cycle issue.

Slide 5: Subject “Permission” Bound to PI
(Figure: PERMISSION and PERSONAL INFORMATION joined by a BINDING inside a LIFE CYCLE CONTAINER)

Speaker notes (Michael Willett): In order for the PI subject to exercise vicarious control over the PI as it travels beyond the immediate control of the subject, the ‘permissions’ (allowable uses) granted by the PI subject must be bound in some way to the PI. Further, the binding mechanism must be robust enough, and respected by subsequent touch points in the PI life cycle, so as to faithfully support the usage desires of the subject. Depending on local or jurisdictional requirements, the binding mechanism could range from simple pointers to robust cryptography. The Framework does not mandate a particular binding, but rather treats the binding selection as a configuration parameter to the Framework.

Slide 6: PI Container (PIC)
(Figure: the PI Container holds the PI, the Contract (Intended Use, Policies, Conditions, Permissions) and the Credentials (Identity, Credentials, Signature), held together by the BINDING)

Speaker notes (Michael Willett): In order to transport the PI bound to the permissions throughout its life cycle, a “PI Container” is used. The binding mechanism is a configuration parameter, from simple pointers to full cryptographic binding. Included in the container are the Contract (including the negotiated Permissions) and the Credentials for the subject.

Slide 7: Privacy Services/Capabilities (©)
- Interaction
- Agent ©
- Validation
- Negotiation
- Enforcement
- Control
- Audit (Log)
- Certification
- Usage ©
- Access ©

Speaker notes (Michael Willett): After several iterative rounds, the Framework Project team has evolved the following operational Services:

Service: Description
- Agent: A software process acting on behalf of a data subject or a requestor to engage with one or more of the other Services defined in this Framework. Agent also refers to the human data subject in the case of a manual process.
- Interaction: Handles presentation of proposed agreements from a data collection entity to a data subject; input of the subject’s personal information, preferences, and actions; and confirmation of actions. To the extent the data subject is represented by an Agent, this service comprises the interface to the Agent.
- Control: Handles the role of “repository gatekeeper” to ensure that access to personal information stored by a data collection entity complies with the terms and policies of an agreement and any applicable regulations.
- Validation: Handles checking for correctness of personal information at any point in its life cycle.
- Negotiation: Handles arbitration of a proposal between a data collection entity and a data subject. Successful negotiation results in an agreement. Negotiation can be handled by humans, by agents, or any combination.
- Usage: Handles the role of “processing monitor” to ensure that active use of personal information outside of the Control Service complies with the terms and policies of an agreement and any applicable regulations. Such uses include derivation, aggregation, anonymization, linking, and inference of data.
- Audit: Handles the recording and maintenance of events in any Service to capture the data necessary to ensure compliance with the terms and policies of an agreement and any applicable regulations.
- Certification: Handles validation of the credentials of any party involved in processing of a personal information transaction.
- Enforcement: Handles redress when a data collection entity is not in conformance with the terms and policies of an agreement and any applicable regulations.

Slide 8: Privacy SERVICES/CAPABILITIES
(Figure: the Framework architecture. Outer layers: Legal, Regulatory, and Policy Context; Security Foundation. Data Subject node: Agent, Interaction, Negotiation, Control, and a PI, Preferences & PIC Repository. Data Requestor node: Agent, Interaction, Negotiation, Control, Usage, and a PIC Repository. A PI Container (PIC) passes between the two nodes. Assurance Services: Validation, Certification, Audit, Enforcement. Also shown: Access.)

Speaker notes (Michael Willett): Shown is a typical configuration of the privacy Services, with an Agent Service representing both the Subject and the Data Requestor. Interaction, Negotiation, and the all-important Control function provide a front-end to the secure data repository. The Assurance Services of Validation, Certification, Audit, and Enforcement support both nodes, whereas Usage supports the Data Requestor. The security services (e.g., OpenGroup taxonomy) are available to all the privacy services. The Legal, Regulatory, and Policy Context provides the necessary configuration and parameterization layer.

Slide 9: Privacy Practices
(Figure: the same architecture as Slide 8 with the fair information practices overlaid: Notice, Awareness, Choice, Consent, Quality/Integrity, Access, Update, Correction, Enforcement, Recourse)

Speaker notes (Michael Willett): The original fair information practices are overlaid on the Privacy Framework, showing the operational “implementation” of the practices. Note that Individual Access is a “use case” application of the Framework, exploiting Negotiation.

Slide 10: Scenario (Use Case)
(Figure, user view: Preferences -> Web Browsing -> Product Web Site -> Discount Offer IF Name/Age/Income (PI) -> Agree: No Resell -> Offers Discount, Receives PI -> Later, Resells PI -> ALARM! -> Authority/Recourse)

Speaker notes (Michael Willett): This is the user view of a typical use case scenario. At the end of the presentation, we return to this use case, but look at a “solution” from the Framework perspective; that is, from “under the covers”. The consumer is browsing, finds a desirable product at a Web site, is offered a discount in exchange for some PI, but insists on no third-party transfer of the PI. Later, the Web-based merchant does re-sell the PI, which raises an alarm that alerts the appropriate authorities. The consumer wants the confidence that the distributed system will honor the preferences related to PI specified by the consumer.

Slide 11: Use Case Scenario (Re-Visited)
(Figure: the Slide 8 architecture, with the Assurance Services connected to an external AUTHORITY)

Speaker notes (Michael Willett): Re-visit the use case scenario at the beginning of the presentation. Notice what goes on “under the covers” of the privacy Framework:
- Interaction: Consumer determines/configures shopping Preferences
- Validation: checks preferences
- Control: stores preferences in Repository
- Consumer browses the Web, finds vendor/retail site and desirable product
- Negotiation: Vendor site offers product discount if PI = name/age/income is provided
- Negotiation (consumer) through Control matches offer with User preferences
- Agreement reached, but with the additional “permission” of “No third party transfer of PI”
- Control: stores PI contract, binds permissions + PI, transfers PI contract to vendor
- Product purchase completed
Vendor side:
- Contact with consumer
- Negotiation: Offers discount
- Reach agreement
- PI contract transferred; stored under Control (permissions + PI)
- Later, PI “sold” to a third party
- Usage (vendor): detects violation of permissions (contract)
- ALARM sent to Audit
- Audit: exception condition results; Enforcement contacted
- Enforcement: Notice sent to designated external Authority
- Authority initiates recourse actions
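As an added example (not part of the ISTPA presentation or of any ISTPA code), the PI Container of Slide 6 and the vendor-side detection flow of this slide modelled in Python: the binding is configured as an HMAC-SHA256 over PI, Contract and Credentials, and a Usage service checks each requested use against the bound Permissions, raising an ALARM into an Audit log that Enforcement turns into notices to the Authority. The field names, key and sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (not a real secret): the slides leave the binding
# mechanism as a configuration parameter; here it is set to HMAC-SHA256.
BINDING_KEY = b"demo-binding-key-not-a-real-secret"

def _tag(body, key):
    """Binding over a stable serialisation of PI, Contract and Credentials."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_pic(pi, contract, credentials, key=BINDING_KEY):
    """Control service: bind Permissions (inside the Contract) and Credentials to the PI."""
    body = {"pi": pi, "contract": contract, "credentials": credentials}
    return {**body, "binding": _tag(body, key)}

def binding_intact(pic, key=BINDING_KEY):
    """True only if PI, Contract and Credentials are unchanged since binding."""
    body = {k: pic[k] for k in ("pi", "contract", "credentials")}
    return hmac.compare_digest(_tag(body, key), pic["binding"])

def usage_service(pic, requested_use, audit_log, key=BINDING_KEY):
    """Usage service ("processing monitor"): permit a use only if the binding
    is intact and the Contract allows it; otherwise send an ALARM to Audit."""
    if not binding_intact(pic, key):
        audit_log.append({"event": "ALARM", "reason": "binding tampered", "use": requested_use})
        return False
    perms = pic["contract"]["permissions"]
    if requested_use in perms["prohibited"] or requested_use not in perms["allowed"]:
        audit_log.append({"event": "ALARM", "reason": "use not permitted", "use": requested_use})
        return False
    audit_log.append({"event": "USE", "use": requested_use})
    return True

def enforcement_notices(audit_log):
    """Audit exception -> Enforcement: each ALARM becomes a notice to the external Authority."""
    return [f"Notice to Authority: {e['reason']} ({e['use']})" for e in audit_log if e["event"] == "ALARM"]

def demo():
    # Use case from the slides: name/age/income for a discount, no resale (constructed values).
    contract = {"intended_use": "discount_offer",
                "permissions": {"allowed": ["discount_offer"], "prohibited": ["third_party_transfer"]}}
    pic = build_pic({"name": "A. Subject", "age": 34, "income": 50000}, contract,
                    {"identity": "subject-123", "signature": "demo-signature"})
    log = []
    usage_service(pic, "discount_offer", log)        # permitted use
    usage_service(pic, "third_party_transfer", log)  # vendor resells PI: ALARM
    return pic, log, enforcement_notices(log)
```

A vendor that edits the Contract to grant itself the resale use fails the binding check instead, so the tampering is also reported to Audit.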

Slide 12: Summary
- ISTPA: “… admin/technical/legal framework …”
- Privacy = proper handling … consistent … preferences
- Operational privacy principles/practices: SERVICES
- Combine with Security Services (e.g., OpenGroup)
- Privacy Framework V1.1 available (comments!)
- Seeking partnerships with companies/universities
- Use Case development
- Vertical Industry profiling re: privacy

Speaker notes (Michael Willett): The Privacy Framework structure is still evolving; your input and suggestions are welcome. The Framework Project is actively validating the Framework with Use Cases.
