For info, contact: kkw”at”mit.edu K. Krasnow Waterman 1 Accountable Systems: Fusion Center Prototype Spring 2010.

Slides:



Advertisements
Similar presentations
Red Flag Rules: What they are? & What you need to do
Advertisements

Confidentiality and HIPAA
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
Local Coordinator Screening and Training Elizabeth Dickerson, Sr. Compliance Officer James Alexander, Program Analyst U.S. Department of State Bureau of.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
K. Krasnow Waterman LawTechIntersect, LLC Presented to TTI/Vanguard February 20, 2014.
1 Office of the General Counsel FERPA  Family Educational Rights and Privacy Act (20 U.S.C § 1232g)
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.
PA/FOIA INTERFACE OSD/JS Privacy Office (703)
Project COUNTER Trends in Statistical Standards for E- Resource Management March 2005 Oliver Pesch Chief Strategist, E-Resources EBSCO Information Services.
Refunds More Hassle Than They’re Worth Utility Payment Conference.
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
S.R.F.E.R.S. State, Regional, and Federal Enterprise Retrieval System Inter-Agency & Inter-State Integration Using GJXML.
Chapter 9 Describing Process Specifications and Structured Decisions
© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.
Internal Auditing and Outsourcing
1 1 Interoperating: MIT’s Fusion Center Prototype & JHU/APL’s Back End Attribute Exchange (Identity Management Testbed) January 2013.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
© by Seclarity Inc. 2005, Slide: 1 Seclarity, Inc Lightfall Court Columbia, MD A Blumberg Capital, Valley Ventures and Intel Capital Funded.
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
Electronic Records Management: What Management Needs to Know May 2009.
HIPAA PRIVACY AND SECURITY AWARENESS.
WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.
Headquarters U. S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e Headquarters Air Force FOIA Exemptions Brief Della Macias HAF/IMII.
Cost Principles – 2 CFR Part 200 Subpart E U.S. Department of Education.
Nationwide Health Information Network: Conditions for Trusted Exchange Request For Information (RFI) Steven Posnack, MHS, MS, CISSP Director, Federal Policy.
1 DataSpace MIT Decentralized Information Group Tim Berners-LeeDanny Weitzner Lalana KagalGerry Sussman Hal Abelson Visitors: Joe Pato (HP)Latanya Sweeney.
HIT Policy Committee Information Exchange Workgroup NwHIN Conditions for Trusted Exchange Request For Information (RFI) May 15,
1 Information Sharing Environment (ISE) Privacy Guidelines Jane Horvath Chief Privacy and Civil Liberties Officer.
Using Publicly Available Data 20 th Meeting Course Name: Business Intelligence Year: 2009.
Methods of Administration MOA Element 1 Designation of State and Sub-State Level Equal Opportunity (EO) Officer.
Microsoft Office Outlook 2013 Microsoft Office Outlook 2013 Courseware # 3252 Lesson 6: Organizing Information.
Technology Supervision Branch Interagency Identity Theft Red Flags Regulation Bank Compliance Association of CT Bristol, CT September 3, 2008.
The right item, right place, right time. DLA Privacy Act Code of Fair Information Principles.
The Framework for Privacy Policies in the UK: Is telling people what information is gathered about them part of the framework? Does it need to be? Emma.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
IPortal Bringing your company and your business partners together through customized WEB-based portal software. SanSueB Software Presents iPortal.
Rhonda Anderson, RHIA, President  …is a PROCESS, not a PROJECT 2.
DOC Web Policies & Best Practices Jennifer Hammond NOAA Research WebShop 2002 August 7, 2002.
National Information Exchange Model (NIEM) Executive Introduction November 29, 2006 Thomas O’Reilly NIEM Program Management Office.
Semantic Clipboard User Interface is integrated in the Browser Architecture of the Semantic Clipboard Illustration of a license incompliant content reuse.
Publication Schemes Natasha Bodden Freedom of Information Unit November, 2009.
When Can You Redact Information Without Requesting an Attorney General Decision? Karen Hattaway Assistant Attorney General Open Records Division Views.
Is Your Background Check Process Compliant?. 2 © Copyright 2015 ADP, LLC. Proprietary and Confidential Information. Agenda Privileged & Confidential.
1 Designing a Privacy Management System International Security Trust & Privacy Alliance.
An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
HIPAA Training Workshop #1 Council of Community Clinics – San Diego February 7, 2003 by Kaye L. Rankin Rankin Healthcare Consultants, Inc.
1 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Making Privacy Operational International Security, Trust.
Legal, Regulations, Investigations, and Compliance Chapter 9 Part 2 Pages 1006 to 1022.
DON Code of Privacy Act Fair Information Principles DON has devised a list of principles to be applied when handling Protected Personal Information (PPI).
McGraw-Hill/Irwin © The McGraw-Hill Companies 2010 Internal Control in a Financial Statement Audit Chapter Six.
Wisconsin Department of Health Services Purchase of Services Contract Guide Julie Anstett and Lucinda Champion Friday, May 6, 2016 Wisconsin Department.
Anupam Joshi University of Maryland, Baltimore County Joint work with Tim Finin and several students Computational/Declarative Policies.
UW-Madison Guidelines for Managing the Records of Departing Employees*
INTERCONNECTION GUIDELINES
Using Semantic Web Data: Proof
General Data Protection Regulation
An Introduction to Public Records Office of the General Counsel
Case Management Module 2
Red Flags Rule An Introduction County College of Morris
Policy reasoning A policy is a set of norms that define optimal behavior of agents in a system What does policy reasoning usually entail ? Proving that.
Analysis of Privacy and Data Protection Laws and Directives
Chapter 11 Describing Process Specifications and Structured Decisions
THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,
Student Data Privacy: National Trends and Wyoming’s Role
Presentation transcript:

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 1 Accountable Systems: Fusion Center Prototype Spring 2010

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 2 About DIG The Decentralized Information Group explores technical, institutional, and public policy questions necessary to advance the development of global, decentralized information environments.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 3 Agenda Challenge of Accountability Prototyping Fusion Center information sharing Scenarios 1.2 parties, 1 document, 1 policy 2.Policy calls 1.Another policy (understanding definitions & cross-ontology reasoning) 2.Another fact (drawing from additional resources) 3.Pre-processing for subjective judgments 4.Modeling – substituting parties or policies 5.Validating – ensuring a hard result 6.Scaling – modeling the Privacy Act 1.Adding to the cross-ontology knowledge base 7.Future possibilities Future work Technical Notes Team

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 4 Challenge Organizations have obligations regarding the collection, use, and sharing of information.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 5 Examples Law –HIPAA –SOX –Privacy Act Regulation –Know Your Customer –Suspicious Activity Reporting Contract –Business partners –Vendors Policy –Corporate –Association

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 6 Accountability How should organizations ensure that they meet those obligations? How should they prove to others that they are meeting those obligations?

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 7 7 The Goal – Accountable Systems System, system on the wall… Is this fair use after all? Ability for systems to determine whether each use of data is/was permitted by the relevant rules for the particular data, party, and circumstance and make that decision available to access control, audit, and other technology for real-time enforcement, retrospective reporting, redress, and risk modeling.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 8 About this Project Sponsor: Department of Homeland Security Modeling Fusion Centers –Information sharing –Privacy rules Creating a prototype Accountable System

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 9 Assumptions Web-based –All users and files on internet or intranet Semantic Web –Greater interoperability, reusability, and extensibility Security & Authentication –Enhancement not replacement Enhancing Accountability & Transparency –NOT replacing lawyers

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 10 Scenarios Scenario 1 –Massachusetts analyst (Mia) sends Request for Information (RFI) to Department of Homeland Security agent (Feddy). –RFI contains criminal history info about a specific person (RBGuy); regulated by Massachusetts General Law RFI re:RBGuy MGL Mia Feddy

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 11 Transaction Simulator Links to real files - user profiles, the memo, and the relevant policy - that the reasoner will use.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 12 Rule: Mass. General Law § (Privacy of Criminal Records) Applies to –Criminal Justice Agencies –Agencies given statutory permission E.g., military recruiting –Agencies determined to be appropriate recipients in the public interest –Requests by the general public

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 13 MGL MA DHS User Profiles User Docs Policies Mia MGL Ontology RFI Reasoner Feddy RBGuy What the Reasoner Knows

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 14 Simple Compliance Answer “Transaction is compliant with Massachusetts General Law, Part I, Title II, Chapter 6, Section 172.”

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 15 Detailed Explanation “[Recipient,] Fred Agenti, is a member of a Criminal Justice Agency…”

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 16 Accomplishment Reasoner received –Mia’s user profile (27 facts) –Feddy’s user profile (25 facts) –Mia’s document (6 facts) –MGL § (35 sub-rules) Produced correct result!

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 17 Scenarios Scenario 2 –Baltimore police detective, Maury, does a federated search query across multiple systems; Mia’s memo is responsive. –The Massachusetts system will decide whether Maury can access the document. RFI re:RBGuy MGL Maury ?

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 18 The rule calls another rule: Comparing definitions MGL § –requires recipient be a “Criminal Justice Agency” But, having the label “Criminal Justice Agency” is not sufficient Different jurisdictions have different definitions MGL § 66A-1 (defines “CJA”) – “… an agency at any level of government which performs as its principal function activity relating to (a) the apprehension, prosecution, defense, adjudication, incarceration, or rehabilitation of criminal offenders; or (b) the collection, storage, dissemination, or usage of criminal offender record information.” Maury’s MD user profile –“…exercise the power of arrest”

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 19 Cross-Ontology KB MDCCL (Definitions) MGL MD MA User Profiles User Docs Policies Mia MGL 66A-1 (Definitions) MGL Ontology RFI Reasoner Maury RBGuy MDCCL Ontology What the Reasoner Knows New input

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 20 Cross-ontology Knowledge Base “authorized by law to exercise power of arrest…” is “sameAs” “apprehension”

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 21

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 22 Determines that Maury’s MD function of “…arrest” meets the MA definition of Criminal Justice Agency

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 23 Adding additional fact requirements MGL § –Requires that the requestor be a CJA –AND certified by a Board In writing No access until after that certification

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 24 Cross-Ontology KB MDCCL (Definitions) MGL MD MA User Profiles User Docs Policies Mia MGL 66A-1 (Definitions) MGL Ontology RFI Reasoner Maury RBGuy MDCCL Ontology What the Reasoner Knows New input Org. Admin. Certified List MGL 6-172

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 25 Determines that Maury is a member of an organization “which is certified by the board…”

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 26 Addressing subjective rules: In the Result In Scenario 1 (Mia to Feddy), the reasoner listed subjective requirements as conditions to the finding of compliance

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 27 Result Conditional on Subjective Compliance “additionally requires” that recipient “is performing Criminal Justice Duties” and the “Request…is limited to data necessary for [those] duties”

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 28 Next: Pre-processing subjective requirements

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 29 Scenarios Scenario 3 –Baltimore detective (Maury) is sending a response to the Massachusetts analyst’s (Mia’s) Request for Information (RFI). –Response contains detailed criminal history info about a specific person (RBGuy); regulated by MD Code of …. Law Maury Response re:RBGuy MDCCL Requests Subjective Assertions Mia

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 30 Query for Subjective Assertions

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 31 Decision incorporates Subjective Assertions Data is “required in the performance of Mia’s function as a criminal justice agency.” Recipient’s “identity has been verified by” sender.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 32 What if? Applying a different rule Scenario 4 –Maury is cautious. Before giving his information to Mia, he wants to understand what she can do with his information. –Maury compares: Scenario 4a - Maury seeking to share his Response with Florida Dept of Law Enforcement (FDLE) under MD law Scenario 4b - Mia seeking to share Maury’s Response with FDLE under MA law Maury Response re:RBGuy MDCCL Mia Response re:RBGuy MGL MDCCL XX

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 33 Risk Modeling with a Different Party &/or Policy

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 34 Cross-Ontology KB MGL MA User Profiles Policies Mia MGL 66A-1 (Definitions) MGL Ontology Reasoner Org. Admin. Certified List MGL MDCCL (Definitions) MD User Profiles User Docs Policies Reasoner Maury Responses ToMia MDCCL MDCCL Ontology Cross-Ontology KB FDL E User ProfilesPolicies FDLE FL Ontology What the Reasoner Knows

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 35

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 36 Testing the policy expression Scenario 5 –Under the MA law, the public can have access to some criminal history info If there was a conviction If the possible sentence was greater than 5 years If the subject is still in jail or on parole Maury’s Response re:RBGuy MGL John Q. PublicMia

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 37 Testing with “John Q. Public”.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 38

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 39 Accomplishment Recognizes that John Q. Public doesn’t meet any of the criteria in paragraph 1. Finds the match in sub-rules from paragraph 7. Reads the tags from the document to match with the requirements –there was a conviction –the possible sentence was greater than 5 years –the subject is still in jail or on parole

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 40 Scenarios: Increasing Rule Complexity Scenario 6 –Feddy from DHS wants to respond to Mia. –His response will be regulated by the Privacy Act and its 135 sub-rules (1200 lines of code) Feddy Response re:RBGuy 5 USC 552a Mia

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 41 MA User Profiles Policies Mia MGL Ontology Reasoner What the Reasoner Doesn’t Know 5 USC 552a (Privacy Act) DHS User Profiles User Docs Policies Reasoner Responses FeddyToMia Priv Act Ontology Cross-Ontology KB Routine Uses X Other Policies Other Policies Other Policies Other Policies Other Policies Other Policies X There is a Routine Use notice that would permit the sharing The law requires each agency to create 40 other policies

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 42 Non-compliant for Many Reasons

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 43 Adding to Cross-Ontology Knowledge - Feddy notices something not quite right. - He knows* he can treat Mia as “head of” her agency for this purpose because the head of her organization delegated the record requesting authority to “section chiefs”. - The system will let him add that equivalency to the cross-ontology knowledge base. * DOJ says ( Record-requesting authority may be delegated down to lower-level agency officials when necessary, but not below the "section chief" level. See OMB Guidelines, 40 Fed. Reg. at 28,955; see also 120 Cong. Rec. 36,967 (1974), reprinted in Source Book at 958, available at Requestor: Mia Analysa job title section head does not match head ofMia Analysasection headhead of as required by The_Privacy_Act_of_1974_552a_b7.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 44 Knowledge Base Editor Feddy tells his system that “section chief” and “head of” are equivalent in this context by cutting and pasting their link addresses into the blanks.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 45 –Feddy runs his request again (after adding the “same as” information to the cross-ontology knowledge base) Feddy Response re:RBGuy 5 USC 552a Mia Cross-Ontology KB “section chief” same as “head of”

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 46 “…compliant with… a Federal Statute The Privacy Act of 1974, 5 U.S.C. 552a (b)(7)a Federal Statute The Privacy Act of 1974, 5 U.S.C. 552a (b)(7)”

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 47 Possible Future Scenarios Hand-shake –Recipient is permitted to accept –Sender is permitted to send Applying multiple rules Potentially conflicting rules Recognizing compliant pattern and applying it to large volume transactions

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 48 Future Research Scalability –Goal-directed reasoning Transparency –Permanent store for TMS –Aggregate reporting Validation –Policy expression –Results Flexibility –Handling incomplete information –Propagation

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 49 Technology Notes

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 50 MGL MA DHS User Profiles User Docs Policies Mia MGL Ontology RFI Reasoner Feddy RBGuy What the Reasoner Knows: n3 & RDF User profiles adapted from FOAF Memos in pdf with xmp Policies expressed in AIR

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 51 User Profile: rdf

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 52 User Profile: Tabulator

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 53 User Document: pdf

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 54 User Document: embedded xmp

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 55 Policy: English

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 56 Policy: AIR Each policy is represented as rules and patterns in a policy file definitions and classifications in an ontology file.

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 57 Policy: Tabulator

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 58 Simple Compliance Answer Can use address line commands Running cwm Forward chaining reasoner Written in python

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 59 Truth Maintenance System (TMS) Tracks dependencies Retains premises leading to conclusion Retains logical structure of a derivation Permits automatically generated explanations Pressing the “Why?” button reveals each dependency & all associated premises Detailed Justification

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 60 “Lawyer Pane” Format is modeled after IRAC Issue, Rule, Analysis, Conclusion First year law school technique for answering hypotheticals Working towards making output easier to read for lawyers, policy analysts, and line of business

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 61 Statute Text MGL § – MCCL – 5 USC § 552a (Privacy Act) –

For info, contact: kkw”at”mit.edu K. Krasnow Waterman 62 Our Team Tim Berners-Lee Hal Abelson Gerry Sussman Lalana Kagal K. Krasnow Waterman Bill Cattey Mike Speciner Ian Jacobi Oshani Seneviratne Samuel Wang Jim Hollenbach Mike Rosensweig Rafael Crespo Patrick Vatterott

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.