Difference between revisions of "Completed study periods and pwis"
(49 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== <span style="font-size:larger">Started in 2015 and completed</span> == | |||
=== <span style="font-size: larger;">Privacy engineering framework (Started in April 2015. Completed in April 2016)</span> === | === <span style="font-size: larger;">Privacy engineering framework (Started in April 2015. Completed in April 2016)</span> === | ||
Line 48: | Line 50: | ||
|} | |} | ||
=== <span style="font-size: larger; line-height: 1.2;">PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)</span> === | === <span style="font-size: larger; line-height: 1.2;">PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)</span> === | ||
Line 200: | Line 123: | ||
|} | |} | ||
=== <span style="font-size: | == <span style="font-size:larger">Started in 2016 and completed</span> == | ||
=== <span style="font-size: larger;">Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)</span> === | |||
<div> | <div> | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | Nat Sakimura, Mathias Reinis, Elaine Newton | ||
|- | |- | ||
| Objective | | Objective | ||
| | | | ||
Collecting errors and correcting inconsistencies | |||
|- | |- | ||
| | | Documentation | ||
Documentation | |||
| <br/> | | <br/> | ||
|- | |- | ||
| Comments | | Comments<br/> | ||
| | | | ||
*Completed, has led to a draft amendment (with limited scope) | |||
|} | |} | ||
</div> | </div> | ||
=== <span style="font-size: | |||
=== <span style="font-size: larger;">Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)</span> === | |||
<div> | <div> | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Heung Youl Youm, Srinivas Poorsala, Antonio Kung</span><br/> | ||
|- | |- | ||
| Objective | | Objective | ||
| | | | ||
*assess the viability of producing guidelines for Privacy in IoT within WG5; | |||
*to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen | |||
|- | |- | ||
| | | | ||
Line 240: | Line 167: | ||
| Comments | | Comments | ||
| | | | ||
Initiated in Tampa (April 2016) | |||
Initial contribution in Abu Dhabi (October 2016) | |||
Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things. | |||
Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users" | |||
<div><br/></div> | |||
|} | |} | ||
</div> | </div> | ||
=== <span style="font-size: 16px;"> | === <span style="font-size: 16px;">Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)</span> === | ||
<div> | <div> | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | <font face="sans-serif" color="#252525"><span style="font-size: 14px;">Mathias Reinis, </span></font>Heung Youl Youm<br/> | ||
|- | |- | ||
| Objective | | Objective | ||
| | | | ||
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME | |||
|- | |- | ||
| | | | ||
Line 259: | Line 194: | ||
| <br/> | | <br/> | ||
|- | |- | ||
| Comments | | Comments | ||
| | | | ||
Terminated due to lack of contributions | |||
|} | |} | ||
</div> | </div> | ||
=== <span style="font-size: | |||
== <span style="font-size:larger">Started in 2017 and completed</span> == | |||
=== <span style="font-size: larger;">Guidelines for security and privacy for Internet of Things (IoT) (Started in April 2017 - Completed in November 2017)</span> === | |||
<div> | <div> | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |||
| Start/Duration | |||
| April 2017/6 months) | |||
|- | |- | ||
| Leaders | | Leaders | ||
| | | Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala | ||
|- | |- | ||
| Objective | | Objective | ||
| | | prepare the materials necessary to initiate an International Standard<br/>coming out of the SC 27 meeting in Berlin (Oct-2017) | ||
|- | |- | ||
| | | | ||
Line 280: | Line 223: | ||
| Comments | | Comments | ||
| | | | ||
Is an SC27/WG4 study periods involving WG4 and WG5. | |||
Study period is completed and new work item has been proposed ([https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things]). | |||
Kickoff expected in Wuhan in WG4 | |||
|} | |} | ||
</div> | </div> | ||
=== | |||
<div | === <span style="font-size: 16px;">Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018)</span> === | ||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm | ||
|- | |- | ||
| Objective | | Objective | ||
| | | <br/> | ||
|- | |- | ||
| | | | ||
Line 309: | Line 249: | ||
| Comments | | Comments | ||
| | | | ||
Has resulted in a NWIP | |||
|} | |||
</div> | |||
=== <span style="font-size: 16px;">Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| Christophe Stenuit, Joanne Knight | |||
|- | |||
| Objective | |||
| Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks<br/> | |||
|- | |||
| | |||
Documentation | |||
| <br/> | |||
|- | |||
| Comments<br/> | |||
| New work item proposal | |||
|} | |} | ||
</div> | |||
=== <span style="font-size: 16px;">Identify assurance framework (Started in April 2017. Completed in October 2018)</span> === | === <span style="font-size: 16px;">Identify assurance framework (Started in April 2017. Completed in October 2018)</span> === | ||
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | <div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | ||
Line 336: | Line 296: | ||
=== <span style="font-size: 16px;">Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)</span> === | === <span style="font-size: 16px;">Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)</span> === | ||
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | <div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Start/duration | | Start/duration | ||
Line 370: | Line 330: | ||
|} | |} | ||
</div> | </div> | ||
=== <span style="font-size: 16px;"> | |||
<div | === <span style="font-size: 16px;">Concept of PII Deletion (Started in November 2017. Completed in April 2018)</span> === | ||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman<br/> | ||
|- | |- | ||
| | | Objective | ||
| | | Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information"<br/> | ||
|- | |- | ||
| | | | ||
Line 392: | Line 351: | ||
|} | |} | ||
</div></ | </div> | ||
=== | |||
== <span style="font-size:larger">Started in 2018 and completed</span> == | |||
=== Development of Identify standards landscape standing document (<font size="3" style="line-height: 19.2px;">Started in April 2018, Completed in October 2018)</font> === | |||
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | <div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm,<br/> | ||
|- | |- | ||
| Objective | | Objective | ||
| | | | ||
<font color="#000000"> | <font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><span style="margin: 0px;"> </span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Create an initial draft of a new SD that would provide:</font></span></font> | ||
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">The scope of the identity standards landscape</font></span></font> | |||
*<font color="#000000"><span lang="EN-NZ" style="font-family: Symbol; margin: 0px;"><span style="margin: 0px;"> </span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards</font></span></font> | |||
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment</font></span></font> | |||
*<font color="#000000"><span lang="EN-NZ" style="font-family: Symbol; margin: 0px;"><span style="margin: 0px;"> </span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">A register of alignment issues that have been accepted as needing to be resolve</font></span></font> | |||
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Develop a proposal for the process of maintaining the standing document that includes:</font></span></font> | |||
|- | |- | ||
Line 419: | Line 383: | ||
|} | |} | ||
</div></div> | |||
=== <span style="font-size: 16px;">Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019)</span> === | |||
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | |||
=== | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | Malcom Townsend, Heung Youl Youm | ||
|- | |- | ||
| | | Scope | ||
| | | | ||
<span lang="EN-GB" style="margin: 0px;"><font face="Calibri" color="#000000" size="3">This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.</font></span> | |||
|- | |- | ||
| | | | ||
Documentation | |||
| <br/> | |||
|- | |- | ||
| Comments | | Comments | ||
Line 444: | Line 407: | ||
|} | |} | ||
</div> | </div></div> | ||
=== <span style="background-color: transparent;"> | |||
=== <span style="background-color: transparent;">Privacy consideration in practical workflows </span><span style="background-color: transparent; line-height: 18.24px;">(Started in </span><span style="background-color: transparent; font-size: 16px;">April 2018, completed in April 2020)</span> === | |||
<div> | <div> | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | Mickey Cohen<br/> | ||
|- | |- | ||
| Objective | | Objective | ||
| | | | ||
The scope of this study period is to | The scope of this study period is to collect contributions: | ||
<font color="#000000"><span lang="EN-US">(1) On workflows describing '''use-cases''' where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole</span></font> | |||
<span lang="EN-US">(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy</span> | |||
|- | |||
| Documentation | |||
| | |||
|- | |- | ||
Line 463: | Line 436: | ||
|} | |} | ||
=== < | === Identity Standards Landscape Document Update (<font size="3" style="line-height: 19.2px;">Started in October 2018. Completed in October 2019)</font> === | ||
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Leaders | | Leaders | ||
| | | | ||
Andrew Hughes, <span style="background-color: transparent;">Christophe Stenuit, </span><span style="background-color: transparent;">Kai Rannenberg</span> | |||
|- | |- | ||
| | | Objective | ||
| | | | ||
<font color="#000000">''S''</font>olicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document | |||
|- | |||
| | |||
Documentation | |||
| <br/> | |||
|- | |- | ||
| Comments | | Comments | ||
Line 489: | Line 462: | ||
|} | |} | ||
=== <span style="background-color: transparent;">Use case for identity assurance </span><span style="background-color: transparent; line-height: 18.24px;">(Started in </span><span style="background-color: transparent; font-size: 16px;">October 2018, completed in September 2020)</span> === | |||
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | <div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
Line 519: | Line 493: | ||
|} | |} | ||
</div></div> | </div></div> | ||
=== <span style="font-size: 13px;">Impact of Artificial Intelligence on Privacy (</span><font size="3" style="line-height: 19.2px;">Started in October 2018, Completed in September 2020)</font> === | === <span style="font-size: 13px;">Impact of Artificial Intelligence on Privacy (</span><font size="3" style="line-height: 19.2px;">Started in October 2018, Completed in September 2020)</font> === | ||
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | <div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | ||
Line 602: | Line 577: | ||
|} | |} | ||
</div></div> | </div></div> | ||
== <span style="font-size:larger">Started in 2019 and completed</span> == | |||
=== <span style="background-color: transparent;">Review of requirements for accredited certification for sector specific ISMS standards (S</span><span style="background-color: transparent; line-height: 18.24px;">tarted in </span><span style="background-color: transparent; font-size: 16px;">April 2019. Completed in October 2019)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| Hans Hedbom, Alan Shipman<br/> | |||
|- | |||
| Objective | |||
| | |||
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon. | |||
|- | |||
| Comments | |||
| | |||
|} | |||
=== Consent receipts and records <span style="line-height: 18.24px;">(Started in </span><span style="font-size: 16px;">April 2019, completed in October 2019)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| Collin Wallis, Andrew Hughes<br/> | |||
|- | |||
| Objective | |||
| | |||
The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing | |||
|- | |||
| Documentation | |||
| | |||
|- | |||
| Comments | |||
| | |||
|} | |||
</div> | |||
=== <span style="font-size: larger;">Privacy engineering model <span style="line-height: 18.24px;">(Started in</span></span><span style="line-height: 18.24px;"> </span><span style="font-size: 16px;">April 2019, Completed in September 2020)</span> === | === <span style="font-size: larger;">Privacy engineering model <span style="line-height: 18.24px;">(Started in</span></span><span style="line-height: 18.24px;"> </span><span style="font-size: 16px;">April 2019, Completed in September 2020)</span> === | ||
<div> | <div> | ||
Line 623: | Line 643: | ||
|} | |} | ||
</div> | </div> | ||
=== Guidance on processes of a privacy information management system (<span style="font-size: 16px;">Started in October 2019, Completed in September 2020))</span> === | === Guidance on processes of a privacy information management system (<span style="font-size: 16px;">Started in October 2019, Completed in September 2020))</span> === | ||
<div> | <div> | ||
Line 656: | Line 677: | ||
|} | |} | ||
</div> | </div> | ||
=== Privacy for Fintech services <span style="font-size: 16px;">(Started in October 2019, completed in September 2020)</span> === | === Privacy for Fintech services <span style="font-size: 16px;">(Started in October 2019, completed in September 2020)</span> === | ||
<div> | <div> | ||
Line 690: | Line 713: | ||
|} | |} | ||
</div></div></div></div></div> | </div> | ||
== <span style="font-size:larger">Started in 2020 and completed</span> == | |||
=== <span style="font-size: medium;">PWI 5181 Information technology - Security and privacy - Data provenance (Started in September 2020, Completed in October 2022)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
Ryan Ko, Jan de Meer, Yi Zhang | |||
|- | |||
| Proposed Scope | |||
| | |||
This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data. | |||
The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not. | |||
|- | |||
| Documentation | |||
| | |||
|- | |||
| Comments | |||
| | |||
Is a WG4 project | |||
1st report Nov 2020 | |||
2nd report March 2021 | |||
3rd report May 2021 | |||
4th report Oct 2021 | |||
5th report Feb 2022 | |||
6th report April 2021 | |||
7th report July 2022 | |||
Draft for proposed new project September 2022 | |||
|} | |||
</div> | |||
=== <span style="font-size:medium;">PWI 6089 Impact of Artificial Intelligence on Security and Privacy (Started in September 2020, Completed in October 2022)</span> === | |||
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
'''Phase 1 (completed):''' Antonio Kung, <span style="background-color: transparent;">Srinivas Poosarla, </span><span style="background-color: transparent;">Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, </span>Zhao Yunwei, Volker Smoljko | |||
'''Phase 2 (completed):''' Antonio Kung, Lenora Zimmerman | |||
|- | |||
| Objective | |||
| | |||
'''Phase 1 (completed): '''The PWI has the objective to investigate the possibility to propose one or several documents | |||
*Part 1: a TR providing | |||
**guidance on how to assess the impact of security and privacy of AI use cases, | |||
**providing a security and privacy analysis of the use cases in ISO/IEC TR 24030 (AI use cases) | |||
*Part 2: a TS providing | |||
**an overview of privacy concerns for AI, | |||
**guidance concerning AI-based systems | |||
**additional recommendations concerning standards where appropriate | |||
*Part 3: a TS providing | |||
**an overview of security concerns for AI, | |||
**guidance concerning AI-based systems | |||
**additional recommendations concerning standards where appropriate | |||
The following work will be carried out in the PWI: | |||
*extend the content of the study period report with the following | |||
**analysis of TR 24030 use cases from a security viewpoint, | |||
**identification of standards for which specific recommendations concerning AI would be useful, | |||
**identification of AI standards for which specific recommendations concerning security and privacy would be useful; | |||
**identification of specific security controls; and | |||
**whatever contributions that matches the intended content of part 1, part 2, and part 3. | |||
*transform the report into a set of three documents that can be submitted as draft TR and TS; | |||
*make a recommendation on the way to proceed concerning the three documents; | |||
'''Phase 2 (completed): '''Guidance on addressing privacy protection for artificial intelligence systems | |||
*Currently discussed scope: | |||
This document provides guidance for organizations to identify and address privacy concerns in the development and use of artificial intelligence systems. The guidance in this document aims to provide information to organizations to help them better understand and address the impact of AI systems and Machine Learning techniques on individual privacy and society at-large. This document also addresses ways in which societal and regulatory expectations influence how AI systems and Machine Learning is and is not used. | |||
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems. | |||
|- | |||
| | |||
Documentation | |||
| | |||
1st PWI report was published in April 2021. | |||
2nd PWI report was published in October 2021 | |||
|- | |||
| Comments | |||
| | |||
Is the continuation of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Impact_of_Artificial_Intelligence_on_Privacy_.28Started_in_October_2018.2C_Completed_in_September_2020.29 study period] that concluded in September 2020 | |||
Further to the completion of phase 1, part 1 is registered as a TR (ISO/IEC 27653; Impact of security and privacy in AI use cases), part 2 is still-on going. Note that part 3 has been transferred to another PWI 7699 (Guidance for addressing security threats and failures in artificial<br/>intelligence) | |||
Further to March 2022 meeting, PWI is working on making a new work item proposal on Guidance for privacy protection in AI systems | |||
Further to October 2022 meeting, a ballot has been initiative for ISO/IEC 27091 Cybersecurity and data protection - Artificial intelligence - Privacy Protection | |||
|} | |||
</div></div> | |||
=== <span style="font-size:medium;">PWI 6102 Guidance on illustrative processes of a privacy information management system (Started in September 2020, Completed in October 2022)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
Michael Steiner, Vishnu Kanhere | |||
|- | |||
| Objective | |||
| | |||
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family. | |||
Consider the following: | |||
<ol style="list-style-type: lower-roman;"> | |||
<li>ISO/IEC 27001 and ISO/IEC 27003</li> | |||
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li> | |||
<li>ISO Handbook “The integrated use of management system standards”</li> | |||
<li>ISO/IEC 33004</li> | |||
<li>2<sup>nd</sup> WD of ISO/IEC 27022</li> | |||
</ol> | |||
|- | |||
| Documentation | |||
| | |||
|- | |||
| Comments | |||
| | |||
Was cancelled because of lack of progress | |||
|} | |||
</div> | |||
== <span style="font-size:larger">Started in 2021 and completed</span> == | |||
=== <span style="font-size: medium;">PWI 7748 Guidance and practices for privacy preservation based on zero-knowledge proofs (Started in April 2021, completed in October 2021)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla | |||
|- | |||
| Objective | |||
| | |||
This work item is to provide guidance and best practices for privacy preservation based on zeroknowledge proofs, taking into account normative references and comparing specifically with ISO/IEC 27551, 27556 and 29191. It intends to cover the usage of zero-knowledge proof protocols for privacy preservation and PII protection in a wide range of data processing applications. It takes into account using zero knowledge proof based privacy-preserving verification system architectures, data process flows and module interfaces. | |||
|- | |||
| Documentation | |||
| | |||
|- | |||
| Comments | |||
| | |||
Completed, transformed into a NWIP 27565 | |||
|} | |||
</div> | |||
=== <span style="font-size: medium;">PWI 7732 Age verification (Started in April 2021, completed in October 2022)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
Tony Allen | |||
|- | |||
| Objective | |||
| | |||
Study the possibility to submit a new work item | |||
*Age Verification Systems –Part 1: Framework, Levels of Assurance and Privacy Protection | |||
*Age Verification Systems –Part 2: Conformity Assessment | |||
*Age Verification Systems –Part 3: Interoperability | |||
|- | |||
| Documentation | |||
| | |||
|- | |||
| Calendar | |||
| | |||
|- | |||
| Comments | |||
| | |||
Completed and transformed into project proposal 27566 | |||
|} | |||
</div> |
Latest revision as of 18:21, 2 January 2023
Started in 2015 and completed
Privacy engineering framework (Started in April 2015. Completed in April 2016)
Leaders | Antonio Kung, Matthias Reinis |
Objective | Study the concept of privacy engineering and see whether new work items are needed |
Documentation | Slides presenting motivation for study period by Antonio Kung: http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf |
Timeline |
|
Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)
Leader | Pascal Pailler, Nat Sakimura, Jaz Hoon Nah |
Objective | |
Documentation | |
Comments |
|
PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)
Leader | Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri |
Objective |
Study mobile application ecosystems from a privacy viewpoint Collect views of multiple stakeholders in the mobile applications space Collect mobile apps privacy guidelines issued by various agencies Collate a report on the findings Potentially provide a new work item proposal |
Documentation | |
Comments |
Initiated in Jaipur (October 2015) |
Privacy in smart cities (Started in October 2015. Completed in November 2017)
Leaders | Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari |
Objective |
Connect with multiple stakeholders in the smart city space Refer the existing work on smart cities Collate information, feedback, inputs from the stakeholders and draft the guidelines Potentially provide (a) new work item proposal(s) that can translate in guidelines |
Documentation | |
Comments |
Initiated in Jaipur (October 2015) Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) Presentation in Tampa (April 2016) of intermediate state
Presentation in Abu Dhabi (October 2016) of intermediate state
Presentation in Hamilton (April 2017) of intermediate state
Proposal for new work item in Berlin (Nov 2017) |
Started in 2016 and completed
Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)
Leaders | Nat Sakimura, Mathias Reinis, Elaine Newton |
Objective |
Collecting errors and correcting inconsistencies |
Documentation | |
Comments |
|
Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)
Leaders | Heung Youl Youm, Srinivas Poorsala, Antonio Kung |
Objective |
|
Documentation |
|
Comments |
Initiated in Tampa (April 2016) Initial contribution in Abu Dhabi (October 2016) Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things. Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users" |
Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)
Leaders | Mathias Reinis, Heung Youl Youm |
Objective |
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME |
Documentation |
|
Comments |
Terminated due to lack of contributions |
Started in 2017 and completed
Guidelines for security and privacy for Internet of Things (IoT) (Started in April 2017 - Completed in November 2017)
Start/Duration | April 2017/6 months) |
Leaders | Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala |
Objective | prepare the materials necessary to initiate an International Standard coming out of the SC 27 meeting in Berlin (Oct-2017) |
Documentation |
|
Comments |
Is an SC27/WG4 study periods involving WG4 and WG5. Study period is completed and new work item has been proposed (https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things). Kickoff expected in Wuhan in WG4 |
Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018)
Leaders | David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm |
Objective | |
Documentation |
|
Comments |
Has resulted in a NWIP |
Leaders | Christophe Stenuit, Joanne Knight |
Objective | Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks |
Documentation |
|
Comments |
New work item proposal |
Identify assurance framework (Started in April 2017. Completed in October 2018)
Leaders | Patrick Curry, Anthony Nadalin |
Objective | analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework. |
Documentation |
|
Comments |
|
Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)
Start/duration |
April 2017 / 18 months |
Leaders | Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm |
Objective | define frameworks of user-centric PII handling based on privacy preferences of users |
Documentation |
|
Comments |
Triggered by an initiative from ITU-T for such a framework applied to the IoT. See https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment In Berlin (November 2017), it was decided to consider 3 options
In Wuhan (May 2018), it was decided to prepare a NWIP In Gjovik (October 2018), the NWIP was finalised |
Concept of PII Deletion (Started in November 2017. Completed in April 2018)
Leaders | Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman |
Objective | Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information" |
Documentation |
|
Comments |
|
Started in 2018 and completed
Development of Identify standards landscape standing document (Started in April 2018, Completed in October 2018)
Leaders | Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm, |
Objective |
Create an initial draft of a new SD that would provide:
|
Documentation |
|
Comments |
|
Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019)
Leaders | Malcom Townsend, Heung Youl Youm |
Scope |
This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on. |
Documentation |
|
Comments |
|
Privacy consideration in practical workflows (Started in April 2018, completed in April 2020)
Leaders | Mickey Cohen |
Objective |
The scope of this study period is to collect contributions: (1) On workflows describing use-cases where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole (2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy |
Documentation |
|
Comments |
|
Identity Standards Landscape Document Update (Started in October 2018. Completed in October 2019)
Leaders |
Andrew Hughes, Christophe Stenuit, Kai Rannenberg
|
Objective |
Solicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document |
Documentation |
|
Comments |
|
Use case for identity assurance (Started in October 2018, completed in September 2020)
Leaders |
Andrew Hughes, Tony Nadalin, Patrick Curry
|
Objective |
To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance. These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115 |
Documentation |
|
Comments |
|
Impact of Artificial Intelligence on Privacy (Started in October 2018, Completed in September 2020)
Leaders |
Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei |
Objective |
Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period
Is extended for 6 months to study TR 24030 AI use cases and to check the impact of AI on ISO/IEC 27701 Is further extended 6 months to study the integration of security |
Documentation |
In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references: |
Comments |
Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence An intermediate report was provided in Tel-Aviv (April 2019). A second report was provided in Paris (October 2019) A third report was provided in the virtual meeting (April 2020) including the study of SC42 ISO/IEC 24030 on AI use cases and the study of ISO/IEC 27701 A fourth report was provide in the virtual meeting (Sep 2020) including a contribution to TC215 on security and privacy in eHealth. A preliminary work item is started |
Started in 2019 and completed
Review of requirements for accredited certification for sector specific ISMS standards (Started in April 2019. Completed in October 2019)
Leaders | Hans Hedbom, Alan Shipman |
Objective |
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon. |
Comments |
|
Consent receipts and records (Started in April 2019, completed in October 2019)
Leaders | Collin Wallis, Andrew Hughes |
Objective |
The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing |
Documentation |
|
Comments |
|
Privacy engineering model (Started in April 2019, Completed in September 2020)
Leaders | John Sabo, Antonio Kung, Srinivas Poorsala |
Objective | Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems |
Documentation |
|
Comments |
As a result of this study period, a NWIP - Privacy operationalisation model and method for engineering has been established |
Guidance on processes of a privacy information management system (Started in October 2019, Completed in September 2020))
Leaders |
Michael Steiner, Alan Shipman |
Objective |
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family. Consider the following:
|
Documentation |
|
Comments |
|
Privacy for Fintech services (Started in October 2019, completed in September 2020)
Leaders |
Heung Youl Youm, Gurshabad Grover, Janssen Esguerra |
Objective |
Objectives
Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services. |
Documentation |
|
Comments |
|
Started in 2020 and completed
PWI 5181 Information technology - Security and privacy - Data provenance (Started in September 2020, Completed in October 2022)
Leaders |
Ryan Ko, Jan de Meer, Yi Zhang |
Proposed Scope |
This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data. The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not. |
Documentation |
|
Comments |
Is a WG4 project 1st report Nov 2020 2nd report March 2021 3rd report May 2021 4th report Oct 2021 5th report Feb 2022 6th report April 2021 7th report July 2022 Draft for proposed new project September 2022 |
PWI 6089 Impact of Artificial Intelligence on Security and Privacy (Started in September 2020, Completed in October 2022)
Leaders |
Phase 1 (completed): Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei, Volker Smoljko Phase 2 (completed): Antonio Kung, Lenora Zimmerman |
Objective |
Phase 1 (completed): The PWI has the objective to investigate the possibility to propose one or several documents
The following work will be carried out in the PWI:
Phase 2 (completed): Guidance on addressing privacy protection for artificial intelligence systems
This document provides guidance for organizations to identify and address privacy concerns in the development and use of artificial intelligence systems. The guidance in this document aims to provide information to organizations to help them better understand and address the impact of AI systems and Machine Learning techniques on individual privacy and society at-large. This document also addresses ways in which societal and regulatory expectations influence how AI systems and Machine Learning is and is not used. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems. |
Documentation |
1st PWI report was published in April 2021. 2nd PWI report was published in October 2021 |
Comments |
Is the continuation of the study period that concluded in September 2020 Further to the completion of phase 1, part 1 is registered as a TR (ISO/IEC 27653; Impact of security and privacy in AI use cases), part 2 is still-on going. Note that part 3 has been transferred to another PWI 7699 (Guidance for addressing security threats and failures in artificial Further to March 2022 meeting, PWI is working on making a new work item proposal on Guidance for privacy protection in AI systems Further to October 2022 meeting, a ballot has been initiative for ISO/IEC 27091 Cybersecurity and data protection - Artificial intelligence - Privacy Protection |
PWI 6102 Guidance on illustrative processes of a privacy information management system (Started in September 2020, Completed in October 2022)
Leaders |
Michael Steiner, Vishnu Kanhere |
Objective |
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family. Consider the following:
|
Documentation |
|
Comments |
Was cancelled because of lack of progress |
Started in 2021 and completed
PWI 7748 Guidance and practices for privacy preservation based on zero-knowledge proofs (Started in April 2021, completed in October 2021)
Leaders |
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla |
Objective |
This work item is to provide guidance and best practices for privacy preservation based on zeroknowledge proofs, taking into account normative references and comparing specifically with ISO/IEC 27551, 27556 and 29191. It intends to cover the usage of zero-knowledge proof protocols for privacy preservation and PII protection in a wide range of data processing applications. It takes into account using zero knowledge proof based privacy-preserving verification system architectures, data process flows and module interfaces. |
Documentation |
|
Comments |
Completed, transformed into a NWIP 27565 |
PWI 7732 Age verification (Started in April 2021, completed in October 2022)
Leaders |
Tony Allen |
Objective |
Study the possibility to submit a new work item
|
Documentation |
|
Calendar |
|
Comments |
Completed and transformed into project proposal 27566 |