Standards and privacy engineering ISO, OASIS, PRIPARE and Other Important Developments


Transcription:

Slide 1: Standards and privacy engineering: ISO, OASIS, PRIPARE and Other Important Developments
Antonio Kung, CTO, 25 rue du Général Foy, 75008 Paris, www.trialog.com. 9 May 2017.

Slide 2: Introduction
- Speaker: engineering background
- Involved in standardisation:
  - Privacy engineering (ISO 27550)
  - Big data security and privacy fabric (ISO 20547-4)
  - Privacy in smart cities (study period)
  - Privacy guidelines in the IoT (study period)
  - OASIS
- Others:
  - European Innovation Platform Smart Cities and Communities: citizen approach to data, privacy-by-design
  - Coordinator of PRIPARE (pripareproject.eu): Methodological Tools to Implement Privacy and Foster Compliance with the GDPR

Slide 3: IPEN member (ipen.trialog.com)

Slide 4: Trialog
- Trialog has focused on innovation since 1987
- Security (since 2000)
- Connected vehicles
- Privacy (since 2007)
- Intelligent transport systems (Sevecom, Preciosa)
- Pripare
- Create-IoT

Slide 5: Outline
- Privacy from a policy maker viewpoint
- Overview of standards
- Security and privacy for the IoT
- 27550 Privacy engineering

Slide 6: Privacy from a Policy Maker Viewpoint: the example of smart cities

Slide 7: Deals with Complex Ecosystems
- Ecosystems: smart cities, big data, IoT
- Domains: smart grid, transport, health
- Concerns: security, privacy, safety

Slide 8: Must take into account the General Data Protection Regulation (GDPR)
- May 25th 2018
- Data controllers
- Data processors
- Data Protection Officers: all public authorities; companies processing a large number of data subjects, e.g. 5000
- Sanctions for breaches: up to 20,000,000 EUR, up to 4% of the annual worldwide turnover

Slide 9: Must understand these terms
- Privacy-by-design (PbD): institutionalisation of privacy management; integration of privacy concerns in the engineering of systems
- Privacy-by-default: highest level of protection by default
- Privacy Impact Assessment (PIA): process that evaluates the impact on privacy
- Note that the GDPR uses the term "data protection" instead of "privacy"

Slide 10: Must Manage Privacy in a Complex Ecosystem (diagram)
- Municipality stakeholder and citizen: requests, give consent
- Data controller: PIA; contracts and agreements for data exchange
- Data processor: agree, comply with privacy obligations
- Integrator: apply PIA and PbD (purpose known)
- Supplier: apply requirements (purpose unknown)

Slide 11: IoT Vision: Supply Chain (diagram)
- Smart City Officer: privacy impact assessment 1, privacy impact assessment 2
- Operator of Smart City Application 1, operator of Smart City Application 2
- Integrator (purpose known)
- Supplier (purpose unknown): sensor, device, smart device, cloud solution, electronics, security module, OS, middleware

Slide 12: Big Data Vision: Sharing Chain (diagram)
- Smart City Officer
- Sharing chain: data collecting, data sharing agreement, data transformation, data sharing agreement, data analytics

Slide 13: Several Types of Concerns
- Demand side stakeholders: policy maker; operator (data controller); operator (data processor)
- Concerns: legal compliance; management (compliance check / follow standards, transparency); system lifecycle
- Regulation (GDPR); Privacy Impact Assessment (PIA); sharing agreement; Privacy-by-Design (PbD)
- Supply side: supplier; operators' requirements

Slide 14: Guidelines for GDPR Compliance
- Sharing Cities project, H2020 (http://www.sharingcities.eu): London, Milan, Lisbon, Bordeaux, Burgas, Warsaw
- Programme on GDPR compliance: March 2017, workshop on use cases; June 2017, workshop on PIAs; further, applying a management plan for GDPR compliance
- Proposed content of the privacy management plan:
  - Governance scheme: roles and duties (data controllers, data processors, suppliers); resources and staff
  - Management: repository of PIAs and data sharing agreements; interaction with citizens; transparency (dashboard); complaints; breach management; continuous improvement
  - Templates: PIA template; data sharing agreement template; privacy notice template; supplier privacy support description template

Slide 15: Overview of Standards

Slide 16: Possible Landscape (Author's Vision)
- Additional guidelines:
  - Privacy standards for smart cities (management oriented)
  - Privacy standards for big data (sharing chain oriented)
  - Privacy standards for IoT (supply chain oriented)
- General privacy standards:
  - Privacy framework: 29100
  - Privacy impact assessment: 29134
  - Privacy engineering: 27550 (new)
  - Code of practice: 29151
  - Privacy information management systems: 27552 (new)
  - OASIS-PMRM

Slide 17: ISO/IEC Standards
- 29100 Privacy framework
- 29134 Privacy impact assessment
- 29151 Code of practice for PII protection
- 27550 Privacy engineering
- 27551 Requirements for attribute-based unlinkable entity authentication
- 27552 Privacy management requirements
- 20547-4 Big data reference architecture: security and privacy fabric
- ISO study periods: privacy in smart cities; privacy guidelines in the IoT

Slide 18: Security and privacy for the IoT (study period)

Slide 19: IoT Architectural Viewpoint (diagram): application layer / IoT applications; application support; network layer; device; management; security

Slide 20: IoT Abstract Viewpoint (diagram): an IoT App connected to several Things

Slide 21: Interoperability Viewpoint (diagram): subsystems connected through points of interoperability (PI: point of interoperability)

Slide 22: IoT Semantic Interoperability Viewpoint (diagram): IoT Apps and Things connected through an IoT semantic interoperability point of interoperability (PI)

Slide 23: IoT Systems Stakeholders (diagram)
- User: user centric design
- IoT App supplier, platform supplier: supply market place
- IoT App operator, IoT platform operator: operation
- Design, procurement, deployment
- IoT function; objectives and concerns: security, privacy, safety

Slide 24: IoT Security and Privacy from an Interoperability Viewpoint (diagram)
- IoT App: security & privacy-by-design; security and privacy service description
- IoT semantic interoperability PI
- Thing: security & privacy-by-design

Slide 25: 27550 Privacy Engineering

Slide 26: Privacy Engineering: integrating privacy concerns (diagram with "Privacy" repeated across the system)

Slide 27: Beyond CIA
- Confidentiality, Integrity, Availability
- Unlinkability, Intervenability, Transparency
- From ULD: ieee-security.org/tc/spw2015/iwpe/2.pdf

Slide 28: ISO 15288 System Life Cycle Processes
- Agreement: acquisition; supply
- Organisational project-enabling: life cycle model management; infrastructure management; portfolio management; human resource management; quality management; knowledge management
- Technical management: project planning; project assessment and control; decision management; risk management; configuration management; information management; measurement; quality assurance
- Technical: business or mission analysis; stakeholder needs and requirements definition; system requirements definition; architecture definition; design definition; system analysis; implementation; integration; verification; transition; validation; operation; maintenance; disposal

Slide 29: Privacy Impact Assessment (diagram)
- Risk sources, consequences, measures
- Focus on privacy: personal data processing
- Focus on PIA: impact on the citizen's privacy (PIA)
- Focus on security: threats and vulnerability of the system; privacy breach
- Focus of business impact assessment: impact on the organisation
- Measures: organisational, technical

Slide 30: Privacy-by-design Risk Management Process (diagram)
- PIA iterations
- Privacy principles -> analysis -> privacy requirements -> design -> privacy controls -> architecture -> PETs
- Privacy-by-design lifecycle process

Slide 31: From Principles to Services: OASIS-PMRM (service and purpose)
- Core policy services:
  - Agreement: manage and negotiate permissions and rules
  - Usage: control PII use
  - Validation: ensures PII quality
  - Credential certification: ensure appropriate management of credentials
- Privacy assurance services:
  - Enforcement: monitor proper operation, respond to exception conditions and report on demand evidence of compliance where required for accountability
  - Security: safeguard privacy information and operations
- Presentation and lifecycle services:
  - Interaction: information presentation and communication
  - Access: view and propose changes to stored PII

Slide 32: From security properties to security threats: STRIDE (property, description, threat)
- Authentication: the identity of users is established (or you're willing to accept anonymous users). Threat: Spoofing
- Integrity: data and system resources are only changed in appropriate ways by appropriate people. Threat: Tampering
- Non-repudiation: users can't perform an action and later deny performing it. Threat: Repudiation
- Confidentiality: data is only available to the people intended to access it. Threat: Information disclosure
- Availability: systems are ready when needed and perform acceptably. Threat: Denial of service
- Authorization: users are explicitly allowed or denied access to resources. Threat: Elevation of privilege

Slide 33: From privacy properties to privacy threats: LINDDUN (type, property, description, threat)
- Hard privacy:
  - Unlinkability: hiding the link between two or more actions, identities, and pieces of information. Threat: Linkability
  - Anonymity: hiding the link between an identity and an action or a piece of information. Threat: Identifiability
  - Plausible deniability: ability to deny having performed an action that other parties can neither confirm nor contradict. Threat: Non-repudiation
  - Undetectability and unobservability: hiding the user's activities. Threat: Detectability
- Security:
  - Confidentiality: hiding the data content or controlled release of data content. Threat: Disclosure of information
- Soft privacy:
  - Content awareness: user's consciousness regarding his own data. Threat: Unawareness
  - Policy and consent compliance: data controller to inform the data subject about the system's privacy policy, or allow the data subject to specify consents in compliance with legislation. Threat: Non-compliance
- https://distrinet.cs.kuleuven.be/software/linddun/catalog.php

Slide 34: ISO 27550 Privacy Engineering (2nd Working Draft)
- Privacy engineering: security and privacy; system engineering; risk management
- Privacy engineering processes:
  - Negotiation: acquisition; supply
  - Organisation: competence management; knowledge management
  - Technical management: risk management
  - Cycle: stakeholders' privacy expectation; privacy principle operationalisation; privacy engineering architecture; privacy engineering design
- Annex A, specific guidelines: supporting domains; supporting agile programming; supporting small organisations
- Annex B, objectives to identify capabilities: privacy engineering objectives; privacy protection goals
- Annex C: cheat sheets
- Annex D: risk models (NIST, CNIL)
- Annex E: methodologies (PMRM, LINDDUN, PRIPARE)

Slide 35: Conclusion
- ISO/IEC 27550 Privacy engineering: provides a system life cycle process vision; integrates the current body of knowledge; will evolve
- Standards and guidelines: still in the making; there is now a core of common standards; could be complemented by specific privacy guidelines: management oriented for smart cities, supply chain oriented for IoT, sharing chain oriented for big data

Slide 36: www.trialog.com. Questions?