OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

tc-announce message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Call for Participation: OASIS Privacy Management Reference Model (PMRM) TC

To:  OASIS members & interested parties

   A new OASIS technical committee is being formed. The OASIS Privacy Management Reference Model (PMRM) Technical Committee has been proposed by the members of OASIS listed below. The TC name, statement of purpose, scope, list of deliverables, audience, and language specified in the proposal will constitute the TC's official charter. Submissions of technology for consideration by the TC, and the beginning of technical discussions, may occur no sooner than the TC's first meeting.

   The eligibility requirements for becoming a participant in the TC at the first meeting are:

   (a) you must be an employee of an OASIS member organization or an individual member of OASIS, and
   (b) you must join the Technical Committee, which members may do by using the "Join this TC" button on the TC's home page at [a].

   To be considered a voting member at the first meeting, you must:
   (a) join the Technical Committee at least 7 days prior to the first meeting (1 September 2010); and
   (b) you must attend the first meeting of the TC, at the time and date fixed below (Wednesday, 8 September 2010 at 11:00AM EDT).

Of course, participants also may join the TC at a later time. OASIS and the TC welcomes all interested parties.

   Non-OASIS members who wish to participate may contact us about joining OASIS [b]. In addition, the public may access the information resources maintained for each TC: a mail list archive, document repository and public comments facility, which will be linked from the TC's public home page at [c].

   Please feel free to forward this announcement to any other appropriate lists. OASIS is an open standards organization; we encourage your participation.



Mary P McRae
Director, Standards Development
Technical Committee Administrator
OASIS: Advancing open standards for the information society
email: mary.mcrae@oasis-open.org 
web: www.oasis-open.org
twitter: @fiberartisan #oasisopen
phone: 1.603.232.9090

[a] [a] http://www.oasis-open.org/apps/org/workgroup/pmrm
[b] See http://www.oasis-open.org/join/
[c] http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pmrm


OASIS Privacy Management Reference Model (PMRM) Technical Committee

OASIS Privacy Management Reference Model (PMRM) Technical Committee

For purposes of this project, from a business and  operational perspective, "data privacy" is defined to mean  the assured, proper, and consistent collection, storage, processing, transmission, use, sharing, trans border transfer, retention and disposition of Personal Information (PI) throughout its life cycle, consistent with data protection principles, privacy and security policy requirements, and the preferences of the individual, where applicable. 

The principal purpose of the PMRM TC will be to develop and articulate a Privacy Management Reference Model that describes a set of broadly-applicable data privacy and security requirements and a set of implementable Services and interactions for fulfilling those requirements. 

Today, increased cross-border and cross-policy domain data flows, networked information processing, federated systems, application outsourcing, social networks, ubiquitous devices and cloud computing bring ever significant challenges, risk, and management complexity to privacy management. 

However, business process engineers, IT analysts, architects, and developers do not have standards-based technical privacy and security frameworks or lifecycle reference models that can enable development and implementation of privacy and associated security requirements.  Frequently, expressed as broad policy objectives (fair information practices and principles), these objectives are far removed from the rigorous requirements’ expressions needed by business sponsors, business and system analysts, architects and developers.

Typical policy expressions provide little insight into how to actually implement such policies, presenting frustration for policymakers (who expect business systems to manage privacy and security rules) and design challenges for IT architects and solution developers (who have few models to guide their work). This becomes a greater problem in increasingly federated networks, systems and applications.

An effective solution to privacy and security management and compliance obligations in today’s IT-centric, networked systems, services and applications environment would be a collection of privacy and security policy-configurable, IT-based, systematic behaviors that faithfully satisfy the requirements of privacy and security policies within a wide variety of contexts and implementation use-case scenarios.

The purpose of the OASIS Privacy Management Reference Model is to aid in the design and implementation of operational privacy and security management systems.

The Reference Model is intended to serve as a guideline or template for developing operational solutions to privacy issues, as an analytical tool for assessing the completeness of proposed solutions, and as the basis for establishing categories and groupings of privacy management controls. The Reference Model will serve as an evaluation framework for implementations, but will not itself be an implementation.  It is intended to be used as a tool or basis for development of further implementations and standards, which either currently exist or would be developed independently.

The TC will accept as input the ISTPA Privacy Management Reference Model v2.0 - a structure for resolving privacy policy requirements into operational controls and implementations - developed by the International Security, Trust and Privacy Alliance (ISTPA). It is anticipated that this document will be contributed to the TC for further elaboration and standardization at OASIS.

 The TC is open to submission of other relevant work and encourages submissions, particularly use cases appropriate for testing the lifecycle management aspects of the Reference Model.

 The PMRM will:


· Define a set of operationally-focused privacy requirements which can serve as a reference for evaluating options for designing and implementing operational privacy controls. These requirements will constitute a useful working set of ‘privacy guidelines’, which can both serve as general guidance, and as a feature set against which the PMRM and any implementation can be tested.

·  Define a structured format for describing privacy management Services, and identify categories of functions that may be used in defining and executing the Services.

·  Define a set of privacy management Services to support and implement the privacy requirements at a functional level. These Services will include some capabilities that are typically implicit in privacy practices or principles (such as policy management or interaction), but that are necessary if information systems and processes are to be made privacy configurable and compliant.

·  Establish an explicit relationship between security requirements and supporting security services (such as confidentiality, integrity and availability services) and the privacy management Services. Security services and standards are essential to secure Personal Information; therefore, each specific privacy management Service is expected to have its own security service requirements.

In order to refine the Privacy Management Reference Model, the TC may employ and refine use cases supplied by other OASIS TCs and external organizations.  The TC may also consider hosting educational workshops and producing additional supporting materials such as ‘best practices’ documents.

Specification of the performance of any particular security service, mechanism or standard for the security of Personal Information is out of scope for this TC. The Reference Model, however, will consider the applicability and relationship of security services (confidentiality, including identity management, authentication and access controls; integrity; and availability) within the Reference Model, since the Reference Model incorporates security as a component of privacy management services.   

The key deliverables are the OASIS Privacy Management Reference Model and one or more comprehensive Use Cases.  Estimated completion date is 12 months after the formation of this TC.

-  Privacy Management Reference Model: Define a set of operational privacy management Services. Each Service will consist of a set of syntactically-structured and logically related Functions that implement that Service. The Service/Function sets will be complete in the sense that all arbitrary but rational sets of privacy requirements (e.g., principles, practices, privacy legislation) can be re-defined in terms of the Services. In that sense, the Reference Model will provide the basis for a high-level system design, a privacy architecture, and a privacy management implementation that solves the given set of privacy requirements.

- One or more comprehensive Use Cases: From a number of initial candidates solicited from a cross-section of vertical industries and privacy-sensitive environments, the TC will select one or more Use Cases and apply the Privacy Management Reference Model to convert the Use Case requirements into a system design for an implementation. Ideally, the Use Cases will fully exploit the set of operational Services.

As part of the Use Case development, two additional items are applicable:

· Selection of one or more formal methodologies for expressing Use Cases, and.

·  Profiles of the PMRM applied to selected specific environments (such as Cloud Computing, Health IT, e-Gov, and/or the Smart Grid) that could be used to derive architectures for implementing the PMRM.                    

Any additional deliverables will be produced after the main deliverables have been finalized. However, additional, representative use cases can be developed in parallel with the Reference Model.

This TC will operate under the Non-Assertion Mode of the OASIS IPR Policy.   

The PMRM audience includes, but is not limited to, privacy policy makers, privacy and security consultants, auditors, IT systems architects and designers of systems that collect, store, process, use, share, transport across borders, exchange, secure, retain or destroy Personal Information. In addition, other OASIS TCs and external organizations and standards bodies may find the PMRM useful in developing privacy management use cases in their context.      

The TC will conduct its business in English.

Similar or applicable work being done and level of liaison

Since most prior work related to privacy management implementation focuses on specific aspects, like policy expression languages or security controls for privacy, the PMRM is unprecedented in defining privacy management services for an arbitrary set of privacy requirements.  

The TC may elect to form liaisons as appropriate with relevant OASIS TCs and outside organizations, including:

§  OASIS Blue Member Section (for Smart Grid projects)
§  Other OASIS IDtrust Member Section TCs (for Use Cases) 
§  SOA Reference Model TC (for service models)
§  ISO/IEC JTC1 Subcommittee 27 – Information technology - Security techniques
§  ITU-T Study Group 17 on Security
§  ISO TC 68 Subcommittee 7 on Financial Services Data Privacy
§  International Association of Privacy Professionals
§  Open Geospatial Consortium, contact: Carl Reed, creed@opengeospatial.org
§  US SmartGrid Interoperability Program (SGIP) Cybersecurity Committee
§  Healthcare Information Technology Standards Panel (HITSP): Security, Privacy and Infrastructure Domain Technical Committee
§  Kantara Initiative
§  Liaison with ISO SC27/WG5 (on identity management and privacy)
§  A global de jure standards organization such as ITU or ISO/IEC JTC1

First meeting:
Date: Wednesday, 8 September 2010
Time: 11:00AM EDT
Location (in person or by telephone): Telephone
Sponsor: ISTPA and CA Technologies

Meeting schedule and Sponsor:  Weekly teleconferences, time/date TBD, periodic face-to-face in conjunction with the OASIS IDtrust Member Section meetings; possible face-to-face meeting (with teleconference option) coincident with the OASIS Identity Management 2010 Conference,  27-28 October, at the World Bank - Washington, DC;  sponsors: CA Technologies and ISTPA

Names, electronic mail addresses, and membership affiliations of supporting Minimum Membership (proposers):
John Sabo, John.T.Sabo@ca.com, CA Technologies
Michael Willett, mwillett@nc.rr.com, ISTPA
Erika McCallister, Erika.mccallister@nist.gov,  NIST
Rolly Chambers, RLChambers@smithcurrie.com, American Bar Association
Bill Tabor,  btabor@protexx.com, WidePoint Corporation
Drummond Reed, director@informationcard.net, Information Card Foundation
Peter Brown, peter-oasis@justbrown.net, (individual)
John Bradley, john.bradley@wingaa.com,  (individual)
Michele Drgon, micheledrgon@dataprobity.com, (individual)
Gail Magnuson, gail.magnuson@gmail.com, (individual)
John Moehrke, John.Moehrke@med.ge.com, (individual)

For each OASIS Organizational Member above, name, electronic mail address, membership affiliation, and statement of support

John Sabo, John.T.Sabo@ca.com
Director, Global Government Relations
CA Technologies and President: ISTPA

As the Primary Representative to OASIS of the International Security, Trust, and Privacy Alliance (ISTPA), I approve the Charter.  ISTPA is pleased to be able to contribute our Privacy Management Reference Model v2.0 to the technical committee. We believe that the new PMRM TC will undertake important standardization work in lifecycle privacy management and compliance.   

Rolly Chambers, RLChambers@smithcurrie.com, American Bar Association
I'm assuming you realize the ABA approves.

Paul Lipton, paul.lipton@ca.com
VP, Industry Standards and Open Source, CA Technologies
As CA Primary Representative, I approve the PMRM TC Charter and CA’s inclusion (in the person of John Sabo) as a named co-proposer. Also, my compliments on the quality of the charter itself. It has come along nicely, if I may be so bold.

David Flater, dflater@nist.gov
National Institute of Standards and Technology
As the NIST primary representative to OASIS, I approve the final draft of the PMRM TC charter.

Bill Tabor, btabor@protexx.com 
I am the Primary Rep for Widepoint and I approve.

Drummond Reed, director@informationcard.net
 I am the primary rep for the Information Card Foundation, and I approve the PMRM TC Charter.

Convener: ISTPA (Michael Willett)

Member Section: IDtrust

Contributions of existing technical work:
ISTPA Privacy Management Reference Model V2.0:

Draft Frequently Asked Questions (FAQ) document: TBD (Willett) 

Proposed working title and acronym for the specification(s): OASIS Privacy Management Reference Model (PMRM), pronounced ‘pimrim’.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]