RE: [pbd-se] Privacy Engineering & Assurance - Technical Sub-WG?

["Mike Davis" <mike.davis.sd@gmail.com>]

Thanks

This complements Jose's paper / efforts as well as Ian's efforts, captured
fairly well by Joe below.
Including the "Cyber enabled / facilitated Privacy by Design" approach,
effort my SD IEEE / ISC2 groups is developing? below links to that brief /
paper.

Seems we would most all agree that we need some level of technical sub-WG
for PBD-SE?

CIAO
-----Original Message-----
From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On
Behalf Of frank.dawson@nokia.com
Sent: Monday, September 8, 2014 4:58 PM
To: pbd-se@lists.oasis-open.org
Cc: frank.dawson@nokia.com
Subject: [pbd-se] Privacy Engineering & Assurance

https://www.oasis-open.org/committees/document.php?document_id=54054&wg_abbr
ev=pbd-se

Please find above URL to input contribution from Nokia on "Privacy
Engineering & Assurance - The Emerging Engineering Discipline for
implementing Privacy by Design" for consideration by OASIS PbD-SE TC. This
might serve as basis for a white paper from the group on what we have in
mind for the Privacy Engineering discipline.


From: José M. del Álamo [mailto:jm.delalamo@upm.es] 
Sent: Monday, September 8, 2014 5:58 AM
To: Mike Davis
Cc: Oliver, Ian
Subject: Re: [pbd-se] A Cyber model enabling / Facilitating Privacy by
Design (PbD)

Hi Mike, thanks for the welcome and the references. 

I went through your initial description and the detailed technical paper,
and I agree we are both focusing somehow on the same problem: you providing
a global framework for that and UPM focusing on specifities for requirements
operationalization (what you named in your technical paper as "...a
community approved requirements set..."). I am also aware of Ian's work on
privacy engineering and the use of data flows and ontologies to guide the
process, but I am still trying to put all the pieces together and get the
global picture.

Hope we can shed some light on this in the PbD SE discussions.

Regards,

Jose

2014-09-07 18:32 GMT+02:00 Mike Davis <mike.davis.sd@gmail.com>:
Hi Jose,
 
Welcome to the group?
I skimmed your paper? great stuff!!
 
Maybe you can skim the one we did on subject line? (see Cyber 4 PbD verbiage
. links below)
First the overview brief, then the paper?  (which we used to put in several
DHS proposals on the topic as well) 
 
Then maybe you, Ian and I can harmonize?
 
CIAO
Mike
 
 
From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On
Behalf Of José M. del Álamo 
Sent: Friday, September 5, 2014 5:44 AM
To: pbd-se@lists.oasis-open.org
Subject: [pbd-se] Brief introduction
 
Hi folks! I've just joined the PbD-SE group and would like to introduce
myself.
 
I'm Associate Professor at Universidad Politecnica de Madrid (UPM), involved
in several research projects regarding privacy engineering.
 
Here at UPM we are currently focusing on privacy requirements
operationalization, and the use of heuristics to move from principles to
design requirements (you can find in [1] a light paper briefly describing
our position on this matter). The results are being applied to different
projects e.g. PRIPARE, which recently joined PbD-SE on its own. 
 
Although I'm still trying to catch up on the group status and advances, I
can see that our work is somehow aligned with PbD-SE methodology and the
idea of de-composing principles into lower level sub-principles. Thus, we
are excited about joining your discussion on these issues and, if considered
as valuable, contributing with inputs and comments.
 
I am looking forward to joining the next call.
 
Best regards,
-- 
José M. del Álamo
 
http://web.dit.upm.es/~jmdela/ESPRE2014.pdf

 
-=-=-=-
 
Our topic / effort is all about ?A Cyber model enabling / Facilitating
Privacy by Design (PbD) ( = ?C4P?)  ? and why you should play?
SO?   We all know the question everyone needs to address - where does
privacy sit in your organization today?   So how do we address all the
various elements therein?
Chances are if you don?t have a chief privacy officer or data protection
officer, your company is lacking in protecting critical data, let alone all
the laws and statutory regulations dealing with privacy (e.g., be they PII,
HIPAA, CPI, audit / compliance, etc)
In addition, the privacy definitions and policy are themselves are quite
varied, complex and change depending on where your data resides ? city,
state, country (for example, the EU?s data protection directorate is much
stricter than weak (to non-existent)  USA laws (where you should know about
?safe harbor? if you have a global product)).
So how does one start to protect the both the organizational and
individual?s critical data and the related privacy aspects with all the many
key variables themselves in flux and likely take many more years to sort out
? if ever globally?  Implement a cyber model that enables the Privacy by
Design (PbD) initiative, building in protections using a data centric
security (DCS) approach that is relatively agnostic to the digital
environment. Thus inherently address the key data and privacy protection
aspects from the start, making the actual IT / data space relatively
agnostic to the privacy definitions and requirements churn mentioned
earlier.
As for selling better security to the public, a ?privacy message? resonates
with users better, tends to be an emotional issue and is mandated by laws;
THUS it ?sells cyber? better than security scare tactics?
 
Our C4P construct enables PbD for most environments (yes, IoT needs privacy
protection as well).    Our Cyber 4 PbD overview is at this link (= using
data centric security methods on top of the typical IA/CND/Security suite)
- We suggest to get acclimated to PbD and cyber, just SKIM for effect at
first?
http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-securi
ty.pdf 
 
Our much more detailed technical paper on our ?C4P? approach, including an
executable, proposed open privacy framework within an enterprise
architecture is here (a rough draft still being finessed):
http://www.sciap.org/blog1/wp-content/uploads/Cyber-security-enable-privacy-
design.pdf