Difference between revisions of "Other Activities"

From IPEN Wiki
Jump to navigation Jump to search
Line 2: Line 2:


This pages covers other activities which could be of interest: guidelines, studies, events
This pages covers other activities which could be of interest: guidelines, studies, events
== <span style="font-size:larger;"></span>OWASP Top 10 Privacy Risk Project ==


== <span style="font-size:larger;">Guidelines</span> ==
== <span style="font-size:larger;">Guidelines</span> ==

Revision as of 11:09, 17 July 2015

Introduction

This pages covers other activities which could be of interest: guidelines, studies, events

OWASP Top 10 Privacy Risk Project

Guidelines

EC Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems

Context

The Smart Grids Task Force was set up by the European Commission in 2009 to advise on issues related to smart grid deployment and development. One of the working group (WG2) is on security and privacy.

The EC has provided a Data Protection Impact Assessment Template for smart grid and smart metering systems.

The EC has decided to have a two-year trial of the template starting from March 2015.

URL

Smart grid task force: http://ec.europa.eu/energy/en/topics/markets-and-consumers/smart-grids-and-meters

Test phase for template: https://ec.europa.eu/energy/en/test-phase-data-protection-impact-assessment-dpia-template-smart-grid-and-smart-metering-systems

Documents Template document: https://ec.europa.eu/energy/sites/ener/files/documents/2014_dpia_smart_grids_forces.pdf
Comments

[Antonio Kung] 

  • Integrates lots of input from CNIL privacy risk analysis

CNIL Privacy Risk analysis

Context CNIL is the French DPA. It has produced two guidelines in November 2012
  • a methodology for managing the risks that can affect the individuals ;
  • a catalogue of measures and best practices to treat the risks identified with the methodology.

The two new guides propose a way to build a comprehensive analysis to handle complex personal data processing operations. These documents are primarily intended for use by controllers, data protection officers (DPO) and chief information security officers (CISO). They assist them in creating a rational understanding of the risks arising from the processing of personal data and to choose necessary and sufficient organizational and technical measures to protect privacy.

URL English web page: http://www.cnil.fr/english/news-and-events/news/article/the-cnil-publishes-an-english-translation-of-its-two-advanced-security-and-privacy-risk-management/
Document

Methodology to manage risk: http://www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Methodology.pdf

Measures for the privacy risk treatment: http://www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Measures.pdf

Comments

[Antonio Kung]

  • inspired from EBIOS security risk analysis.

Studies

NIST study on privacy risk management framework for Federal Information Systems

Context

NIST issued in May 2015 a draft report: NISTIR 8062, Privacy Risk Management for Federal Information Systems

The report describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems.

Comments are expected by July 13, 2015 at 5:00pm.

URL See 8062 dated May 28: http://csrc.nist.gov/publications/PubsDrafts.html and http://www.nist.gov/itl/201506_privacy_framework.cfm
Document

Draft document: http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf

Comment matrix form: http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft_comment_matrix.xls

Comments

[Antonio Kung]

  • defines 3 privacy engineering objectives (predictability, manageability, dissociability)
  • focuses on organisational risks (e.g. reputation). Does not focus at this point on risks for citizens 

ENISA 2015 Study: Privacy and Data Protection-by-Design - from Policy to Engineering

Context

Report published in January 2015. Report aims to bridge the gap between the legal framework and the available technological implementation measures. It provides an inventory of the existing approaches and privacy design strategies, and the technical building blocks of various degree of maturity from research and development. Limitations and inherent constraints are presented with recommendations for their mitigation.

URL Announcement: https://www.enisa.europa.eu/media/news-items/deciphering-the-landscape-for-privacy-by-design
Document Report: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design/at_download/fullReport
Comments

[Antonio Kung]

  • highlights work from Jaap-Henk Hoepman.on Privacy design strategies, based on 4 data oriented strategies (minmise, hide, separate, aggregate) and 4 process oriented strategies (inform, control, enforce, demonstrate). This work is foundational.

Events

May 2016 IEEE International Workshop on Privacy Engineering http://ieee-security.org/TC/SPW2015/IWPE
January 27-29 2016 9th International conference, Computer Privacy & Data Protection conference, Brussels http://www.cpdpconferences.org/
October 7-8 2015 3rd Annual Privacy Forum, Luxemburg http://privacyforum.eu/
August 31-September 1 2015 CCC Privacy-by-design workshop, Pittsburgh http://www.cra.org/ccc/visioning/visioning-activities/privacy-by-design
July 8-9 2015

OASIS conference Ditton Manor UK (Building trust in a hyperconnected world)

https://www.oasis-open.org/events/hyperconnected-2015
June 5th 2015 IPEN Workshop Leuven https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN/IPEN_Workshop_2015