
privacymgmt-discuss message



Subject: A deliverable mapping security services more explicitly to the Privacy Services in the TC's draft charter


I believe that an additional (and manageable) deliverable for the TC and draft charter would be to address more security as an integral part of the reference model and begin work to define the relationship more explicitly between privacy services (such as Control, Usage, etc.) and particular security services, such as encryption, identity management/authentication/access control, data integrity controls, etc. In the current ISTPA version of the reference model, while there are explicit requirements for security at both the privacy service and infrastructure levels, more detailed security mapping work was out of scope of the current model. I think such mapping – at least at an abstract level – would be well within the scope of the new TC in OASIS, would add value to the work of the TC and generate more interest from many TC members. This could be done as a third major deliverable, handled as an appendix/annex or profile:

 

- An annex (or profile?) which maps security services (confidentiality, integrity, availability, expressed at the mechanism level – for example, encryption, identity management/authentication/access control, digital signature) to the PMRM services

 

This would require deleting or modifying the current “out of scope statement” in the draft charter:

 

Specification of any particular security service, mechanism or standard for the security of Personal Information is out of scope for this TC.

 

List members should read the ISTPA PMRM v2.0 at http://www.istpa.org/pdfs/ISTPAPrivacyManagementReferenceModelV2%200.pdf to understand the careful treatment of security in the current draft.

 

John

 

__________________________________

John T. Sabo, CISSP
Director, Global Government Relations

CA, Inc. 

Suite 1220

1401 I Street NW

Washington DC 20005

 

Tel: +1 202-513-6304

Mobile: +1 443-629-6198
Fax: +1 202-513-6395

 

From: Michael Willett [mailto:mwillett@nc.rr.com]
Sent: Wednesday, March 10, 2010 11:06 AM
To: privacymgmt-discuss@lists.oasis-open.org
Subject: [privacymgmt-discuss] OASIS "Operational Aspects of Privacy Management" Discussion List

 

Hi –

 

Thank you for registering for the Discussion List. We now have a sizable number of registrants, across a variety of academic, governmental, and business segments.

 

First, I am repeating (in part) my introductory message from an earlier e-mail below.

Mainly, that posting contained your first homework assignment!

 

I am also attaching two items to this e-mail:

 

- a storyboard “cartoon” featuring Mr. Private “I” (get it?), who provides a quick introduction to the 10 Privacy Services of the PMRM. Run the slides in SLIDE SHOW mode; tedious, but cumulative. In actuality, the Services were conceived through a more methodical process, during which the definitions were refined and tested against various sets of privacy requirements.

 

- the draft Charter for the proposed PMRM Technical Committee. We can certainly add your (institutional or individual) name to the list of “proposers”. Just send me an affirmative note.

 

We welcome your edits/comments/observations on the Charter.

 

Also, feel free to post commentary or questions on the topic of “Operational Aspects of Privacy Management” to the reflector.

 

We look forward to further dialog.              

 

************   repeated from first posting  *********************

  

My name is Michael Willett and I, along with John Sabo from CA, will be your Discussion List moderators.

 

As the introductory e-mail from Mary indicated, this List is focused on the creation of a Privacy Management Reference Model (PMRM) Technical Committee. The (initial) Reference Model will be based on the PMRM V2.0, donated by the ISTPA (www.istpa.org) freely to OASIS.

 

As background for our discussions (and as your first homework assignment!), I suggest you review the following materials:

 

- The PMRM V2.0, published on the ISTPA web site above

- (optional) The document “Analysis of Privacy Principles: Making Privacy Operational”, also on the ISTPA web site

- Recent webinar offered by OASIS and the ISTPA entitled: “Making Privacy Operational”:

  The recorded version is now available at: https://www1.gotomeeting.com/register/735745448

  Slide set from webinar: http://xml.coverpages.org/PMRM-Overview-OASIS-Webinar-20100223.pdf

 

Feel free to distribute these links to others who are interested in the operational aspects of privacy management.

 

************   (end of) repeated from first posting  *********************

 

Michael Willett


