
cti message



Subject: Re: [cti] RE: ISAO Privacy and Security SWG


Really good reference item, Rich.
I'll include in the new revised version
of the ETSI TC CYBER Threat Sharing
Technical Report, TR 103 331.

It might also be worth considering if
these related "privacy filtering" functions
might be imported as a work item in
TC CTI to meet the requirements of the
Cybersecurity Act of 2015.  The attached
slide excises out those requirements. 

A similar requirement exists in the EU NISD,
and having a common filtering specification
would be helpful.  The OASIS publication of
this material as a specification could facilitate
its use globally.

--tony

On 2016-05-11 8:55 AM, Struse, Richard wrote:

The DHS NPPD Privacy Office has done extensive work on this area in support of our Automated Indicator Initiative (AIS) - https://www.us-cert.gov/ais. In addition to a formal Privacy Impact Assessment (PIA) - https://www.us-cert.gov/sites/default/files/ais_files/PIA_NPPD-AIS.pdf, this has included a data-element-level analysis of potential PII concerns.

 

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Modlin, Julie K.
Sent: Wednesday, May 11, 2016 8:27 AM
To: 'cti@lists.oasis-open.org'
Cc: Rick Howard <rhoward@paloaltonetworks.com> (rhoward@paloaltonetworks.com); salgeier@it-isac.org
Subject: [cti] ISAO Privacy and Security SWG

 

CTI TC STIX/TAXII Community,

The Information Sharing and Analysis Organizations (ISAO) Working Group Sub-working Group 4 (SWG4) on Privacy and Security is drafting guidance documents for the emerging ISAO Community. They requested that we reach out to the STIX/TAXII community for information on whether some STIX fields are at a higher risk for containing personal information (privacy risk) or containing information that might pose a security risk (e.g. expose network details that might be taken advantage of). If there are any summaries of security and privacy risks that may have been discussed during the development of STIX and TAXII, they would also be useful. The SWG4 draft documents are available for direct review and comment (https://www.isao.org/products/drafts/) but I am happy to gather thoughts from the CTI TC list and submit them to the SWG.

 

Thanks so much,

 

 

 

Julie Modlin

Enhance Shared Situational Awareness (ESSA) Systems Engineering Team

Johns Hopkins Applied Physics Laboratory

MP6-S324

443-778-6989 / Baltimore

240-228-6989 / Washington

Office hours: 8:00 to 2:00 Mon - Thur

 


Attachment: _cybersecurity_act_reference-model_1.1_privacy.pptx
Description: application/vnd.openxmlformats-officedocument.presentationml.presentation


