Difference between revisions of "Other Activities"
(26 intermediate revisions by 3 users not shown) | |||
Line 2: | Line 2: | ||
This pages covers other activities which could be of interest: guidelines, studies, events | This pages covers other activities which could be of interest: guidelines, studies, events | ||
== OWASP Top 10 Privacy Risk Project == | |||
{| border="1" cellspacing="1" cellpadding="1" style="line-height: 20.7999992370605px; width: 900px;" | |||
|- | |||
| Context | |||
| | |||
<span style="line-height: 20.7999992370605px;">The </span>[https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project OWASP Top 10 Privacy Risks Project]<span style="line-height: 20.7999992370605px;"> provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications.</span> | |||
|- | |||
| URL | |||
| | |||
[https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project] | |||
|- | |||
| Comments | |||
| | |||
|} | |||
== <span style="font-size:larger;">Guidelines</span> == | == <span style="font-size:larger;">Guidelines</span> == | ||
Line 32: | Line 52: | ||
[Antonio Kung] | [Antonio Kung] | ||
*Integrates lots of input from CNIL risk analysis | *Integrates lots of input from CNIL privacy risk analysis | ||
|} | |} | ||
=== <span style="font-size:larger | === <span style="font-size:larger">CNIL Privacy Impact Assessment</span> (PIA) Manual === | ||
{| | {| style="width: 900px" border="1" cellpadding="1" cellspacing="1" | ||
|- | |- | ||
| Context | | Context<br/> | ||
| <span style="color: rgb(44, 44, 40); font-family: Arial, Helvetica, sans-serif; font-size: 12.996000289917px; line-height: normal; text-align: justify | | | ||
<span style="color: rgb(44, 44, 40); font-family: Arial, Helvetica, sans-serif; font-size: 12.996000289917px; line-height: normal; text-align: justify">The CNIL is the French Data Protection Authority (DPA).</span> | |||
<span style="color: rgb(44, 44, 40); font-family: Arial, Helvetica, sans-serif; font-size: 12.996000289917px; line-height: normal; text-align: justify">In June 2012, the CNIL published a guide on privacy risk management, applicable to complex processings or high risks scenarios. It helped data controllers to get an objective understanding of the risks arising from their processings, in order to select the necessary and sufficient security controls.</span> | |||
<span style="color: rgb(44, 44, 40); font-family: Arial, Helvetica, sans-serif; font-size: 12.996000289917px; line-height: normal; text-align: justify | This guide was updated in July 2015 to remain in line with the European Data Protection Regulation project and the WP29’s work on the risk based approach. It also considers feedbacks and improvements proposed by different interested parties on<span style="color: rgb(44, 44, 40); font-family: Arial, Helvetica, sans-serif; font-size: 12.996000289917px; line-height: normal; text-align: justify"> privacy impact assessments guidelines. Three documents are available</span>. | ||
|- | |- | ||
| URL | | URL | ||
| English web page: | | English web page:[http://www.cnil.fr/english/news-and-events/news/article/privacy-impact-assessments-the-cnil-publishes-its-pia-manual/ http://www.cnil.fr/english/news-and-events/news/article/privacy-impact-assessments-the-cnil-publishes-its-pia-manual/] <br/> | ||
|- | |- | ||
| | | Documents | ||
| | | | ||
Methodology | Methodology: [http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-1-Methodology-EN.pdf http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-1-Methodology-EN.pdf] | ||
Tools (templates and knowledge bases): [http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-2-Tools-EN.pdf http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-2-Tools-EN.pdf] | |||
Good practices: [http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-3-GoodPractices.pdf http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-3-GoodPractices.pdf] | |||
|- | |- | ||
| Comments | | Comments<br/> | ||
| | | | ||
[Antonio Kung] | [Antonio Kung] | ||
* | *It describes how to use the EBIOS method in the specific context of “Personal Data protection”. EBIOS – ''Expression des Besoins et Identification des Objectifs de Sécurité'' (Expression of Needs and Identification of Security Objectives) – is the name of the risk management method published by the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI, the French National Cybersecurity Agency). | ||
[Matthieu Grall] | |||
*The PIA rests on two pillars:<br/>1. fundamental principles and rights, which are “non-negotiable”, established by law and which must be respected and cannot be subject to any variation, regardless of the nature, severity and likelihood of risks;<br/>2. management of data subjects’ privacy risks, which determines the appropriate technical and organizational controls to protect personal data. | |||
|} | |} | ||
Line 68: | Line 95: | ||
== <span style="font-size:larger;">Studies</span> == | == <span style="font-size:larger;">Studies</span> == | ||
=== | === <span style="font-size: larger; line-height: 1.2;">NIST study on privacy risk management framework for Federal Information Systems</span> === | ||
{| border="1" cellspacing="1" cellpadding="1" style="width: 900px;" | {| border="1" cellspacing="1" cellpadding="1" style="width: 900px;" | ||
Line 78: | Line 105: | ||
The report describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems. | The report describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems. | ||
A subsequent version was published in January 2017: NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems | |||
This document provides an introduction to the concepts of privacy engineering and risk management for federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems, and the effective implementation of privacy principles. This publication introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model. | |||
|- | |- | ||
| URL | | URL | ||
| | | <br/> | ||
|- | |- | ||
| Document | | Document | ||
Line 88: | Line 117: | ||
Draft document: [http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf] | Draft document: [http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf] | ||
FInal version: http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf | |||
|- | |- | ||
Line 96: | Line 125: | ||
*defines 3 privacy engineering objectives (predictability, manageability, dissociability) | *defines 3 privacy engineering objectives (predictability, manageability, dissociability) | ||
*focuses on organisational | *includes an impact factor which focuses on organisational aspects (e.g. reputation). Impact on citizen (e.g. stigmatization) are not included in the privacy risk equation (likelihood x impact) but they have an influence on the organisational impact | ||
*The work from NIST is integrated in ISO/IEC 27550 Privacy engineering | |||
|} | |} | ||
Line 124: | Line 154: | ||
== <span style="font-size:larger;">Events</span> == | == <span style="font-size:larger;">Events</span> == | ||
{| border="1" cellspacing="1" cellpadding="1" style="width:900px;" | |||
|- | |||
| June 05 2017 | |||
| NIST workshop: Privacy Risk Assessment: A Prerequisite for Privacy Risk Management | |||
| https://www.nist.gov/news-events/events/2017/06/privacy-risk-assessment-prerequisite-privacy-risk-management<br/> | |||
|- | |||
| May 9 2017 | |||
| | |||
EIC OASIS Privacy Engineering Workshop | |||
| <font color="#333333">[https://www.kuppingercole.com/events/eic2017-oasis https://www.kuppingercole.com/events/eic2017-oasis]<br/></font> | |||
|- | |||
| Sept 9 2016 | |||
| 3rd IPEN workshop, Frankfort | |||
| <font color="#333333">[https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/IPEN_Workshop_2016 https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/IPEN_Workshop_2016]<br/></font> | |||
|- | |||
| Sept 7-8 2016 | |||
| 4th Annual Privacy Forum, Fra | |||
| <font color="#333333">[http://privacyforum.eu/ http://privacyforum.eu/]<br/></font> | |||
|- | |||
| May 2016 | |||
| IEEE International Workshop on Privacy Engineering | |||
| <font color="#333333">[http://ieee-security.org/TC/SPW2016/IWPE/program.html http://ieee-security.org/TC/SPW2016/IWPE/program.html]<br/></font> | |||
|- | |||
| January 27-29 2016 | |||
| 9th International conference, Computer Privacy & Data Protection conference, Brussels | |||
| <font color="#333333">[http://www.cpdpconferences.org/ http://www.cpdpconferences.org/]<br/></font> | |||
|- | |||
| October 23-26 2015 | |||
| Amsterdam privacy conference | |||
| <font color="#333333">[http://www.apc2015.net/ http://www.apc2015.net/]<br/></font> | |||
|- | |||
| October 7-8 2015 | |||
| 3rd Annual Privacy Forum, Luxemburg | |||
| <font color="#333333">[http://privacyforum.eu/ http://privacyforum.eu/]<br/></font> | |||
|- | |||
| August 31-September 1 2015 | |||
| CCC Privacy-by-design workshop, Pittsburgh | |||
| <font color="#333333">[http://www.cra.org/ccc/visioning/visioning-activities/privacy-by-design http://www.cra.org/ccc/visioning/visioning-activities/privacy-by-design]<br/></font> | |||
|- | |||
| July 8-9 2015 | |||
| | |||
OASIS conference Ditton Manor UK <span style="line-height: 1.6;">(Building trust in a hyperconnected world)</span> | |||
| <font color="#333333">[https://www.oasis-open.org/events/hyperconnected-2015 https://www.oasis-open.org/events/hyperconnected-2015]<br/></font> | |||
|- | |||
| June 5th 2015 | |||
| IPEN Workshop Leuven | |||
| <font color="#333333">[https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN/IPEN_Workshop_2015 https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN/IPEN_Workshop_2015]<br/></font> | |||
|} |
Latest revision as of 14:22, 30 August 2017
Introduction
This pages covers other activities which could be of interest: guidelines, studies, events
OWASP Top 10 Privacy Risk Project
Context |
The OWASP Top 10 Privacy Risks Project provides a top 10 list for privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues. The Project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The list uses the OECD Privacy Guidelines as a framework and can also be used to assess privacy risks associated with specific web applications. |
URL |
https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project |
Comments |
|
Guidelines
EC Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems
Context |
The Smart Grids Task Force was set up by the European Commission in 2009 to advise on issues related to smart grid deployment and development. One of the working group (WG2) is on security and privacy. The EC has provided a Data Protection Impact Assessment Template for smart grid and smart metering systems. The EC has decided to have a two-year trial of the template starting from March 2015. |
URL |
Smart grid task force: http://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters Test phase for template: https://ec.europa.eu/energy/en/test-phase-data-protection-impact-assessment-dpia-template-smart-grid-and-smart-metering-systems |
Documents | Template document: https://ec.europa.eu/energy/sites/ener/files/documents/2014_dpia_smart_grids_forces.pdf |
Comments |
[Antonio Kung]
|
CNIL Privacy Impact Assessment (PIA) Manual
Context |
The CNIL is the French Data Protection Authority (DPA). In June 2012, the CNIL published a guide on privacy risk management, applicable to complex processings or high risks scenarios. It helped data controllers to get an objective understanding of the risks arising from their processings, in order to select the necessary and sufficient security controls. This guide was updated in July 2015 to remain in line with the European Data Protection Regulation project and the WP29’s work on the risk based approach. It also considers feedbacks and improvements proposed by different interested parties on privacy impact assessments guidelines. Three documents are available. |
URL | English web page:http://www.cnil.fr/english/news-and-events/news/article/privacy-impact-assessments-the-cnil-publishes-its-pia-manual/ |
Documents |
Methodology: http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-1-Methodology-EN.pdf Tools (templates and knowledge bases): http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-2-Tools-EN.pdf Good practices: http://www.cnil.fr/fileadmin/documents/en/CNIL-PIA-3-GoodPractices.pdf |
Comments |
[Antonio Kung]
[Matthieu Grall]
|
Studies
NIST study on privacy risk management framework for Federal Information Systems
Context |
NIST issued in May 2015 a draft report: NISTIR 8062, Privacy Risk Management for Federal Information Systems The report describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems. A subsequent version was published in January 2017: NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems This document provides an introduction to the concepts of privacy engineering and risk management for federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems, and the effective implementation of privacy principles. This publication introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model. |
URL | |
Document |
Draft document: http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf FInal version: http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf |
Comments |
[Antonio Kung]
|
ENISA 2015 Study: Privacy and Data Protection-by-Design - from Policy to Engineering
Context |
Report published in January 2015. Report aims to bridge the gap between the legal framework and the available technological implementation measures. It provides an inventory of the existing approaches and privacy design strategies, and the technical building blocks of various degree of maturity from research and development. Limitations and inherent constraints are presented with recommendations for their mitigation. |
URL | Announcement: https://www.enisa.europa.eu/media/news-items/deciphering-the-landscape-for-privacy-by-design |
Document | Report: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design/at_download/fullReport |
Comments |
[Antonio Kung]
|
Events
June 05 2017 | NIST workshop: Privacy Risk Assessment: A Prerequisite for Privacy Risk Management | https://www.nist.gov/news-events/events/2017/06/privacy-risk-assessment-prerequisite-privacy-risk-management |
May 9 2017 |
EIC OASIS Privacy Engineering Workshop |
https://www.kuppingercole.com/events/eic2017-oasis |
Sept 9 2016 | 3rd IPEN workshop, Frankfort | https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/IPEN_Workshop_2016 |
Sept 7-8 2016 | 4th Annual Privacy Forum, Fra | http://privacyforum.eu/ |
May 2016 | IEEE International Workshop on Privacy Engineering | http://ieee-security.org/TC/SPW2016/IWPE/program.html |
January 27-29 2016 | 9th International conference, Computer Privacy & Data Protection conference, Brussels | http://www.cpdpconferences.org/ |
October 23-26 2015 | Amsterdam privacy conference | http://www.apc2015.net/ |
October 7-8 2015 | 3rd Annual Privacy Forum, Luxemburg | http://privacyforum.eu/ |
August 31-September 1 2015 | CCC Privacy-by-design workshop, Pittsburgh | http://www.cra.org/ccc/visioning/visioning-activities/privacy-by-design |
July 8-9 2015 |
OASIS conference Ditton Manor UK (Building trust in a hyperconnected world) |
https://www.oasis-open.org/events/hyperconnected-2015 |
June 5th 2015 | IPEN Workshop Leuven | https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN/IPEN_Workshop_2015 |