Overview Privacy Management Reference Model and Methodology (PMRM) John Sabo Co-Chair, PMRM TC.



What is the Privacy Management Reference Model (PMRM)?

An analytic tool and methodology developed to:
o improve the ability to analyze use cases in which personal information is used, communicated, processed and stored
o understand and implement appropriate operational privacy management functionality and supporting mechanisms
o achieve compliance across policy and system boundaries
o support the stakeholders having an interest in the use case service or application

See www.oasis-open.org for TC information

Why is the PMRM Important?

• Support for networked, interoperable services, applications and devices and the complexity of managing personal information across legal, regulatory and policy environments in interconnected domains
• Applicability to privacy management and compliance in cloud computing, health IT, smart grid, social networking, federated identity and similarly complex environments
• An organizing structure for exposing privacy requirements for specific business systems, organizing privacy management mechanisms, and improving systemic privacy management risk assessment
• Support for “privacy by design” concepts
• PMRM is not a static or a prescriptive model - implementers have flexibility in determining the level and granularity of analysis necessary for a particular use case

Three Major Components

• A conceptual model of privacy management, including definitions of terms
• A methodology
• A set of operational services

together with the inter-relationships among these three elements.

PMRM - Model

PMRM Methodology

PMRM – Methodology

[Figure: methodology diagram. Labels recovered from the slide:]
• High Level Privacy Use Case Analysis: Services/Applications; Privacy Requirements; Impact/Other Assessments
• Detailed Privacy Use Case Analysis: Domains and Owners; Risks - Responsibilities; Data Flows and Touch Points; Systems [and Subsystems]; Actors
• PI in Use Case Systems: System 1 (Incoming/Internally Generated/Outgoing) ... System n (Incoming/Internally Generated/Outgoing)

[Figure, continued. Labels recovered from the slide:]
• Operational Privacy Control Requirements: Inherited; Internal; Exported
• Services Required for Operationalized Controls: Agreement; Usage; Validation; Certification; Enforcement; Security; Interaction; Access
• Technical and Process Mechanisms
• Risk Assessment
• Iterative Process

PMRM Services

| SERVICE | FUNCTIONALITY | INFORMAL DEFINITION |
| --- | --- | --- |
| AGREEMENT | Define and document permissions and rules for the handling of PI based on applicable policies, individual preferences, and other relevant factors; provide relevant Actors with a mechanism to negotiate or establish new permissions and rules; express the agreements for use by other Services | Manage and negotiate permissions and rules |
| USAGE | Ensure that the use of PI complies with the terms of any applicable permission, policy, law or regulation, including PI subjected to information minimization, linking, integration, inference, transfer, derivation, aggregation, and anonymization over the lifecycle of the use case | Control PI use |
| VALIDATION | Evaluate and ensure the information quality of PI in terms of Accuracy, Completeness, Relevance, Timeliness and other relevant qualitative factors | Check PI |
| CERTIFICATION | Validate the credentials of any Actor, Domain, System or Subsystem, or system component involved in processing PI; verify compliance and trustworthiness of that Actor, Domain, System or Subsystem, or system component against defined policies | Check credentials |
| ENFORCEMENT | Initiate response actions, policy execution, and recourse when audit controls and monitoring indicate that an Actor or System does not conform to defined policies or the terms of a permission (agreement) | Monitor and respond to audited exception conditions |
| SECURITY | Provide the procedural and technical mechanisms necessary to ensure the confidentiality, integrity, and availability of personal information; make possible the trustworthy processing, communication, storage and disposition of privacy operations | Safeguard privacy information and operations |
| INTERACTION | Provide generalized interfaces necessary for presentation, communication, and interaction of PI and relevant information associated with PI; encompasses functionality such as user interfaces, system-to-system information exchanges, and agents | Information presentation and communication |
| ACCESS | Enable data-subject Actors, as required and/or allowed by permission, policy, or regulation, to review their PI that is held within a Domain and propose changes and/or corrections to their PI | View and propose changes to stored PI |

Thank You