Difference between revisions of "Studies"

From IPEN Wiki
(Created page with "=== <span class="mw-headline" id="NIST_study_on_privacy_risk_management_framework_for_Federal_Information_Systems"><span style="font-size: larger; line-height: 1.2">NIST stud...")
 
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
=== <span class="mw-headline" id="NIST_study_on_privacy_risk_management_framework_for_Federal_Information_Systems"><span style="font-size: larger; line-height: 1.2">NIST study on privacy risk management framework for Federal Information Systems</span></span><span class="mw-editsection"><span class="mw-editsection-bra">[</span>[http://ipen.trialog.com/?title=Other_Activities&action=edit&section=7 edit]<span class="mw-editsection-bra">]</span></span> ===
=== <span class="mw-headline" id="NIST_study_on_privacy_risk_management_framework_for_Federal_Information_Systems"><span style="font-size: larger; line-height: 1.2">NIST study on privacy risk management framework for Federal Information Systems</span></span><span class="mw-editsection"><span class="mw-editsection-bra">[</span>[http://ipen.trialog.com/?title=Other_Activities&action=edit&section=7 edit]<span class="mw-editsection-bra">]</span></span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
Line 5: Line 5:
| Context
| Context
|  
|  
NIST issued in May 2015 a draft report: NISTIR 8062, Privacy Risk Management for Federal Information Systems
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">NIST issued in May 2015 a draft report: NISTIR 8062, Privacy Risk Management for Federal Information Systems</span>


The report describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems.
The report describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems.


Comments are expected by<span style="line-height: 1.6">&nbsp;July 13, 2015 at 5:00pm.</span>
A subsequent version was published in January 2017: NISTIR 8062,&nbsp;An Introduction to Privacy Engineering and Risk Management in Federal Systems
 
This document provides an introduction to the concepts of privacy engineering and risk management for federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems, and the effective implementation of privacy principles. This publication introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model.


|-
|-
| URL
| URL
| See 8062 dated May 28:&nbsp;[http://csrc.nist.gov/publications/PubsDrafts.html http://csrc.nist.gov/publications/PubsDrafts.html]&nbsp;and&nbsp;[http://www.nist.gov/itl/201506_privacy_framework.cfm http://www.nist.gov/itl/201506_privacy_framework.cfm]
| <br/>
|-
|-
| Document
| Document
|  
|  
Draft document:&nbsp;[http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf]
Draft document:&nbsp;<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">&nbsp;</span>[http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf]


Comment matrix form:&nbsp;[http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft_comment_matrix.xls http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft_comment_matrix.xls]
FInal version:&nbsp;[http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf]


|-
|-
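Review bot: the URL row in this hunk ends up holding only "<br/>", so the table keeps a "URL" label with nothing under it once the two draft-era links are gone. Either drop the row or fold it into the Document row, which already carries both the draft and the 2017 PDF links. In the same hunk, "FInal version:" should read "Final version:", and the inline "<span style=...>" wrappers added around the first Context sentence and after "Draft document:" look like pasted rich-text styling that can be removed so the cell follows the wiki's default style.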
Line 28: Line 30:
*defines 3 privacy engineering objectives (predictability, manageability, dissociability)
*defines 3 privacy engineering objectives (predictability, manageability, dissociability)
*includes an impact factor which focuses on organisational aspects (e.g. reputation). Impact on citizen (e.g. stigmatization) are not included in the privacy risk equation (likelihood x impact) but they have an influence on the organisational impact
*includes an impact factor which focuses on organisational aspects (e.g. reputation). Impact on citizen (e.g. stigmatization) are not included in the privacy risk equation (likelihood x impact) but they have an influence on the organisational impact
*The work from NIST is integrated in ISO/IEC 27550 Privacy engineering


|}
|}
<span class="mw-headline"><span style="font-size:larger"></span></span>
 
=== <span class="mw-headline"><span style="font-size:larger"></span></span> ===
=== ===


=== <span class="mw-headline" id="ENISA_2015_Study:_Privacy_and_Data_Protection-by-Design_-_from_Policy_to_Engineering"><span style="font-size:larger">ENISA 2015 Study: Privacy and Data Protection-by-Design - from Policy to Engineering</span></span><span class="mw-editsection"><span class="mw-editsection-bra">[</span>[http://ipen.trialog.com/?title=Other_Activities&action=edit&section=8 edit]<span class="mw-editsection-bra">]</span></span> ===
=== <span class="mw-headline" id="ENISA_2015_Study:_Privacy_and_Data_Protection-by-Design_-_from_Policy_to_Engineering"><span style="font-size:larger">ENISA 2015 Study: Privacy and Data Protection-by-Design - from Policy to Engineering</span></span><span class="mw-editsection"><span class="mw-editsection-bra">[</span>[http://ipen.trialog.com/?title=Other_Activities&action=edit&section=8 edit]<span class="mw-editsection-bra">]</span></span> ===
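Review bot: the heading with no text between the closing "|}" of the NIST table and the ENISA heading is kept, now as "=== ===", so the page still carries an empty section header; delete that line instead of trimming it. The new bullet "The work from NIST is integrated in ISO/IEC 27550 Privacy engineering" also has no link or reference, unlike the Document row above it, so a pointer to the source of that statement would help readers check it.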
Line 39: Line 42:
| Context
| Context
|  
|  
<span style="color: rgb(85, 85, 85); font-family: Verdana, Arial, sans-serif; font-size: 12px; line-height: 16px">Report published in January 2015. Report&nbsp;</span><span style="color: rgb(85, 85, 85); font-family: Verdana, Arial, sans-serif; font-size: 12px; line-height: 16px">aims to bridge the gap between the legal framework and the available technological implementation measures. It provides an inventory of the existing approaches and privacy design strategies, and the technical building blocks of various degree of maturity from research and development. Limitations and inherent constraints are presented with recommendations for their mitigation.</span>
<span style="color: rgb(85, 85, 85); font-family: Verdana, Arial, sans-serif; font-size: 12px; line-height: 16px">Report published in January 2015. Report&nbsp;</span><span style="color: rgb(85, 85, 85); font-family: Verdana, Arial, sans-serif; font-size: 12px; line-height: 16px">aims to bridge the gap between the legal framework and the available technological implementation measures. It provides an inventory of the existing approaches and privacy design strategies, and the technical building blocks of various degree of maturity from research and development. Limitations and inherent constraints are presented with recommendations for their mitigation.</span>


|-
|-

Latest revision as of 14:46, 30 August 2017

NIST study on privacy risk management framework for Federal Information Systems

Context

NIST issued in May 2015 a draft report: NISTIR 8062, Privacy Risk Management for Federal Information Systems

The report describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems.

A subsequent version was published in January 2017: NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

This document provides an introduction to the concepts of privacy engineering and risk management for federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems, and the effective implementation of privacy principles. This publication introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model.

URL
Document

Draft document: http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf

Final version: http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

Comments

[Antonio Kung]

  • defines 3 privacy engineering objectives (predictability, manageability, dissociability)
  • includes an impact factor which focuses on organisational aspects (e.g. reputation). Impacts on citizens (e.g. stigmatization) are not included in the privacy risk equation (likelihood x impact) but they have an influence on the organisational impact
  • The work from NIST is integrated in ISO/IEC 27550 Privacy engineering

ENISA 2015 Study: Privacy and Data Protection-by-Design - from Policy to Engineering

Context

Report published in January 2015. The report aims to bridge the gap between the legal framework and the available technological implementation measures. It provides an inventory of the existing approaches and privacy design strategies, and of the technical building blocks of various degrees of maturity from research and development. Limitations and inherent constraints are presented with recommendations for their mitigation.

URL Announcement: https://www.enisa.europa.eu/media/news-items/deciphering-the-landscape-for-privacy-by-design
Document Report: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design/at_download/fullReport
Comments

[Antonio Kung]

  • highlights work from Jaap-Henk Hoepman on privacy design strategies, based on 4 data-oriented strategies (minimise, hide, separate, aggregate) and 4 process-oriented strategies (inform, control, enforce, demonstrate). This work is foundational.