pbd-se message


Subject: RE: [pbd-se] Re: Holding meeting today - Privacy Maturity Models (PMM)


Hei Ulrich.

The email list is public, as far as I understand. Decisions are also made by members with voting rights, through continued participation in meetings.

On one hand, someone has to pay to keep these consortia/standards groups going. There can also be procedural matters such as IP related to contributions, governance and all that.

Talk to our Oasis secretary, Gershon, as he knows current OASIS policy on Technical Committee participation.

For the rest of the list, my organization has reorganized. I am now within the legal & compliance group of Nokia Technologies. Still serving as privacy officer but my resources for regular participation on the PbD-SE TC have been reduced. I hope to monitor the list and contribute when there is something of value that I can offer, but it might be hard to attend our meetings on a regular basis. FYI.

From: ext Dr. Ulrich Lang [mailto:ulrich.lang@objectsecurity.com]
Sent: Wednesday, February 11, 2015 13:23
To: Dawson Frank (Nokia-TECH/Irving); 'Mike Davis'; 'Dawn Jutla'; jonathan_fox@mcafee.com; join@oasis-open.org
Cc: Fred.Carter@ipc.on.ca; ann.cavoukian@ryerson.ca; gershon@qroot.com
Subject: RE: [pbd-se] Re: Holding meeting today - Privacy Maturity Models (PMM)

Hello Frank, all,

Thanks, so it is necessary to become an OASIS member in order to join the list? I don’t think we can justify the corporate membership cost ($3520) just for joining the mailing list. And we can’t really get too involved in OASIS otherwise because as a small business we don’t have any dispensable team members that would have the spare time to interact with OASIS to the extent that would maybe justify the membership cost.

I understand from past experience that OASIS may feel there are intellectual property issues with non-members being part of the conversation. If that is the case, I would be happy to sign an NDA if that helps. If paid membership is necessary, then I guess we will have to observe from the outside.

Any thoughts on this?

Best
Ulrich

From: Dawson Frank (Nokia-TECH/Irving) [mailto:frank.dawson@nokia.com]
Sent: Wednesday, February 11, 2015 11:06 AM
To: ulrich.lang@objectsecurity.com; 'Mike Davis'; 'Dawn Jutla'; jonathan_fox@mcafee.com; join@oasis-open.org
Cc: Fred.Carter@ipc.on.ca; ann.cavoukian@ryerson.ca; gershon@qroot.com
Subject: RE: [pbd-se] Re: Holding meeting today - Privacy Maturity Models (PMM)

Here is the website for participation.

https://www.oasis-open.org/join/participation-instructions

From: ext Dr. Ulrich Lang [mailto:ulrich.lang@objectsecurity.com]
Sent: Wednesday, February 11, 2015 13:01
To: 'Mike Davis'; 'Dawn Jutla'; jonathan_fox@mcafee.com; join@oasis-open.org
Cc: Fred.Carter@ipc.on.ca; ann.cavoukian@ryerson.ca; gershon@qroot.com; Dawson Frank (Nokia-TECH/Irving)
Subject: RE: [pbd-se] Re: Holding meeting today - Privacy Maturity Models (PMM)

Hello all,

Could you please sign me up (with email address ulrich-lp@objectsecurity.com) to this list? I am working with Mike Davis on our privacy C4P/OPF implementation architecture (which includes model-driven security) and also on a privacy ontology/DSL as part of a European EU FP7 project (“VACLRI”). I’d be interested in collaborating via this list.

Thank you!

Regards,
Ulrich

PS if you would like to know what we are doing, feel free to watch the 2 minute cartoon on our website – thanks!

----------------------------------------------------------------------------
Ulrich Lang, PhD
CEO

ObjectSecurity LLC,
1855 First Avenue, Suite 103, San Diego, CA 92101
101 The Embarcadero, Suite 200, San Francisco, CA 94105
Tel. +1-650-515-3391, Fax +1-360-933-9591


ObjectSecurity Ltd.  St. John's Innovation Centre, Cowley Road,
Cambridge CB4 0WS, UK , Tel: +44-1223-420 252, Fax: +44-1223-420 844

ulrich.lang@objectsecurity.com, www.objectsecurity.com
----------------------------------------------------------------------------



From: Mike Davis [mailto:mike.davis.sd@gmail.com]
Sent: Wednesday, February 11, 2015 5:53 AM
To: 'Dawn Jutla'; jonathan_fox@mcafee.com
Cc: Fred.Carter@ipc.on.ca; ann.cavoukian@ryerson.ca; gershon@qroot.com; frank.dawson@nokia.com
Subject: RE: [pbd-se] Re: Holding meeting today - Privacy Maturity Models (PMM)

Great topic!  Thanks.
I can’t make it today… very interested in this topic, helping where I can.

I like the AICPA/CICA Privacy Maturity Model (2011 version, web link below), as it is based on both CMM overall & GAPP (10 principles and 73 criteria used) – their framework has each criterion with 5 levels defined out.
Seems using that as a baseline for discussion on a PMM is a good endeavor.

Roger Frank’s suggestions on considering “ISO 29190/Privacy Capability Assessment” too…
There may be some utility in also seeing how these map to the NIST privacy items in 800-53a, rev 4… (26 or so) and the NIST cyber security framework IA controls overall (105)

Ciao
Mike

Cyber security is serious business for us all – so ACT accordingly!
http://www.linkedin.com/in/mikedavissd
http://www.sciap.org/blog1/wp-content/uploads/CISO-Fundamentals.pdf
http://www.sciap.org/blog1/wp-content/uploads/Executing-an-effective-security-plan.pdf



From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On Behalf Of Dawson Frank (Nokia-TECH/Irving)
Sent: Wednesday, February 11, 2015 5:49 AM
To: ext Dawn Jutla; pbd-se@lists.oasis-open.org
Subject: RE: [pbd-se] Re: Holding meeting today

Hello Dawn and PbD-SE-ers.

Unfortunately, I will not be able to attend today, due to schedule conflicts.

With respect to the topic of privacy business process maturity, I would point also to the recent ISO publication of ISO 29190/Privacy Capability Assessment. It is a rather solid standard coming from ISO/IEC JTC1 SC27/WG5. Nokia piloted its use in 2013 to baseline privacy maturity of our privacy program. One of the strengths of that standard is that it uses multi-dimensional review criteria, as privacy maturity is difficult to merely judge as a scalar value (e.g., best represented with a tool like a spider-web graph to show maturity of a set of criteria). Also it is flexible to the organizational differences across industries, as well as differences in the structure of a privacy program across organizations.

BSIMM approach to measuring security program maturity is similarly structured, but also as implemented is based on feedback from a set of industry players.

Frank/



From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On Behalf Of Dawn Jutla
Sent: Wednesday, February 11, 2015 4:33 AM
To: pbd-se@lists.oasis-open.org
Subject: [pbd-se] Re: Holding meeting today

Please see attached for the references that Jonathan supplied for our discussions.
Best regards, Dawn.

On Wed, Feb 11, 2015 at 8:28 AM, Dawn Jutla <dawn.jutla@gmail.com> wrote:
Dear PbD-SE Committee:

With apologies for the late notice due to Gershon's and my recent demanding schedules, we are holding the meeting today as planned.

Our Jonathan Fox has kindly agreed to lead a discussion on his scan of Privacy Maturity Models to inform our work going forward.

1. CMM
2. CMMI
3. BSIMM (See attached)
4. Open SAMM http://www.opensamm.org/
5. AICPA/CICA Privacy Maturity Model
http://www.kscpa.org/writable/files/AICPADocuments/10-229_aicpa_cica_privacy_maturity_model_finalebook.pdf


Looking forward to our discussions at 1:30 p.m. EST today.

Kind regards, Dawn.

* Call-In Information:

Thanks to Saint Mary's University for providing the conference bridge.

Conference Reference: 147385
Participant Access Code: 9793565 #

Dial in numbers:
- North America:
877-385-4099 + Conference Access Code

- Overseas Locations provided with the exception of Greece:
International Access Code + 800-8358-7111 + Conference Access Code

__________________________________________________________________________________
Dr. Dawn Jutla,
