Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview Privacy Management Reference Model and Methodology (PMRM) John Sabo Co-Chair, PMRM TC.

Published byGriselda Russell Modified over 8 years ago

Similar presentations

Presentation on theme: "Overview Privacy Management Reference Model and Methodology (PMRM) John Sabo Co-Chair, PMRM TC."— Presentation transcript:

1 Overview Privacy Management Reference Model and Methodology (PMRM) John Sabo Co-Chair, PMRM TC

2 What is the Privacy Management Reference Model (PMRM)? An analytic tool and methodology developed to: o improve the ability to analyze use cases in which personal information is used, communicated, processed and stored o understand and implement appropriate operational privacy management functionality and supporting mechanisms o achieve compliance across policy and system boundaries o support the stakeholders having an interest in the use case service or application See www.oasis-open.org for TC informationwww.oasis-open.org

3 Why is the PMRM Important?  Support for networked, interoperable services, applications and devices and the complexity of managing personal information across legal, regulatory and policy environments in interconnected domains  Applicability to privacy management and compliance in cloud computing, health IT, smart grid, social networking, federated identity and similarly complex environments  An organizing structure for exposing privacy requirements for specific business systems, organizing privacy management mechanisms, and improving systemic privacy management risk assessment  Support for “privacy by design” concepts  PMRM is Not a static or a prescriptive model - implementers have flexibility in determining the level and granularity of analysis necessary for a particular use case

4 Three Major Components A conceptual model of privacy management, including definitions of terms A methodology A set of operational services together with the inter-relationships among these three elements.

5 PMRM - Model

6 PMRM Methodology

7 PI in Use Case Systems System 1 Incoming/Internally Generated/Outgoing System n Incoming/Internally Generated/Outgoing Detailed Privacy Use Case Analysis Domains and Owners Risks - Responsibilities Data Flows and Touch Points Systems [and Subsystems] Actors High Level Privacy Use Case Analysis Services/ApplicationsPrivacy Requirements Impact/Other Assessments PMRM –Methodology

8 Risk Assessment Technical and Process Mechanisms Services Required for Operationalized Controls AgreementUsageValidation CertificationEnforcement SecurityInteractionAccess Operational Privacy Control Requirements InheritedInternalExported Iterative Process

9 PMRM Services

10 10 SERVICEFUNCTIONALITY INFORMAL DEFINITION AGREEMENTDefine and document permissions and rules for the handling of PI based on applicable policies, individual preferences, and other relevant factors; provide relevant Actors with a mechanism to negotiate or establish new permissions and rules; express the agreements for use by other Services Manage and negotiate permissions and rules USAGEEnsure that the use of PI complies with the terms of any applicable permission, policy, law or regulation, including PI subjected to information minimization, linking, integration, inference, transfer, derivation, aggregation, and anonymization over the lifecycle of the use case Control PI use VALIDATIONEvaluate and ensure the information quality of PI in terms of Accuracy, Completeness, Relevance, Timeliness and other relevant qualitative factors Check PI CERTIFICATIONValidate the credentials of any Actor, Domain, System or Subsystem, or system component involved in processing PI; verify compliance and trustworthiness of that Actor, Domain, System or Subsystem, or system component against defined policies Check credentials ENFORCEMENTInitiate response actions, policy execution, and recourse when audit controls and monitoring indicate that an Actor or System does not conform to defined policies or the terms of a permission (agreement) Monitor and respond to audited exception conditions SECURITYProvide the procedural and technical mechanisms necessary to ensure the confidentiality, integrity, and availability of personal information; make possible the trustworthy processing, communication, storage and disposition of privacy operations Safeguard privacy information and operations INTERACTIONProvide generalized interfaces necessary for presentation, communication, and interaction of PI and relevant information associated with PI; encompasses functionality such as user interfaces, system-to-system information exchanges, and agents information presentation and communication ACCESSEnable data-subject Actors, as required and/or allowed by permission, policy, or regulation, to review their PI that is held within a Domain and propose changes and/or corrections to their PI View and propose changes to stored PI

11 Thank You John.annapolis@verizon.net www.oasis-open.org

Download ppt "Overview Privacy Management Reference Model and Methodology (PMRM) John Sabo Co-Chair, PMRM TC."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
Privacy By Design Sample Use Case

Privacy By Design Sample Use Case
EMS Checklist (ISO model)

EMS Checklist (ISO model)
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.

Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.
Privacy By Design Draft Privacy Use Case Template

Privacy By Design Draft Privacy Use Case Template
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
IS 700.a NIMS An Introduction. The NIMS Mandate HSPD-5 requires all Federal departments and agencies to: Adopt and use NIMS in incident management programs.

IS 700.a NIMS An Introduction. The NIMS Mandate HSPD-5 requires all Federal departments and agencies to: Adopt and use NIMS in incident management programs.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Enterprise Architecture. 2 Agenda What is Enterprise Architecture (EA)? Roles in EA? Why is EA Important? Tangible Benefits from EA? What Do We Need to.

Enterprise Architecture. 2 Agenda What is Enterprise Architecture (EA)? Roles in EA? Why is EA Important? Tangible Benefits from EA? What Do We Need to.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
The use and convergence of quality assurance frameworks for international and supranational organisations compiling statistics The European Conference.

The use and convergence of quality assurance frameworks for international and supranational organisations compiling statistics The European Conference.
Project Human Resource Management

Project Human Resource Management
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google