
pbd-se message



Subject: Re: [pbd-se] ISO/IEC JTC1/SC27/WG5


Anthony
You are right. As a matter of fact, I saw that many crypto-oriented people were attending both WG2 and WG5. There is an ongoing Study period on ABC (attribute based credentials) that is a common undertaking from WG2 and WG5.

Antonio
On 13/11/2014 00:30, Anthony Nadalin wrote:

WG 5 is not the only SC27 WG that takes on privacy, as WG 2 has some crypto primitives for partial anonymous authentication.

 

From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On Behalf Of Antonio kung
Sent: Wednesday, November 12, 2014 1:20 PM
To: pbd-se@lists.oasis-open.org
Subject: [pbd-se] ISO/IEC JTC1/SC27/WG5

 

Dear all,

As I said during the confcall, PRIPARE now has a liaison with ISO/IEC JTC1/SC27/WG5.

The public web site of WG5 is http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en. I am now on the WG5 mailing list (sc27wg5@dlist.uni-frankfurt.de) where all the working documents are exchanged.

I also attended the last meeting in Mexico where I presented PRIPARE and mentioned PMRM, PbD-SE.

The WG5 convenor (Kai Rannenberg) said that there is a higher level liaison between ISO and OASIS, but no liaison between OASIS and ISO SC27/WG5.

During the Mexico meeting I identified the following standards related to privacy:

  • 29100 IS Privacy framework

Provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment. Designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.

Is a free standard: see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

  • 29101 IS Privacy architecture framework

Describes a privacy architecture framework that describes concerns for ICT systems that process PII; lists components for the implementation of such systems; and provides architectural views contextualizing these components. This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

  • 29134 WD Privacy impact assessment -- Methodology Privacy impact assessment - Guidelines

It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems, ranging from the prelaunch phase to decommissioning.
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.
Describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.
For principles and guidelines on risk management, reference is made to ISO 31000:2009.

  • 29151 WD Code of Practice for PII Protection

Establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).
In particular, specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).
Is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

  • 29190 FDIS - Privacy capability assessment model

Provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:

  • specifies steps in assessing processes to determine privacy capability;
  • specifies a set of levels for privacy capability assessment;
  • provides guidance on the key process areas against which privacy capability can be assessed;
  • provides guidance for those implementing process assessment;
  • provides guidance on how to integrate the privacy capability assessment into organizations' operations.

  • 29191 IS Requirements for partially anonymous, partially unlinkable authentication

Defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques. This document provides guidance to the use of group signatures for data minimization and user convenience. This guideline is applicable in use cases where authentication or authorization is needed. It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

In particular, I talked to the editor of 29151 (Code of Practice for PII Protection), Heung Youl Youm from Korea. He said he would be delighted to have a discussion with Dawn in order to ensure that PbD-SE and 20151 are complementary.

Antonio Kung




-- 
_________________________________________________________________________
 
TRIALOG
25 rue du general Foy
F-75008 Paris
http://www.trialog.com
 
Tel   : 33 (0) 1 44 70 61 00  Direct : 33 (0) 1 44 70 61 03
Fax   : 33 (0) 1 44 70 05 91
mailto:antonio.kung@trialog.com
_________________________________________________________________________
    -- Software Engineering Focused on Embedded Systems Technology --
            -- Connectivity Solutions for Embedded Systems --
_____________________________________________________________________
The information contained in this transmission, which may be
confidential and proprietary, is only for the intended recipients.
Unauthorized use is strictly prohibited. If you receive this
transmission in error, please notify me immediately by telephone
or electronic mail and confirm that you deleted this transmission
and the reply from your electronic mail system. 
_____________________________________________________________________

