Download
1 / 20
230 likes | 378 Vues
Designing a Privacy Management System. International Security Trust & Privacy Alliance. PRIVACY MANAGEMENT.
E N D
Designing a Privacy Management System International Security Trust & Privacy Alliance
PRIVACY MANAGEMENT Mr. Private I, system designer and charter member of the ISTPA Framework Committee, has been given a real challenge by one of his customers: Design a total privacy management system for ALL the corporate databases, which receive, hold, and transfer both customer and employee data, and in multiple jurisdictions! WHERE TO BEGIN???
Personal Information Mr. Private I decided to start at the center of the design challenge: The corporate databases containing the Personal Information. But, from his ISTPA tutorials, he knew that SECURITY was an essential element of privacy management….
Personal Information SECURITY The system components would need to draw on well-defined SECURITY functions, such as confidentiality, integrity, authentication, and access control. Now, what privacy management services are needed?
Personal Information SECURITY Since privacy deals with life cycle management of PI, I needed to fence off that PI data from the rest of the database….
Personal Information AGENT SECURITY Looking ahead, I realized that the “fence” created a boundary and that any dialog about PI would have to cross that boundary. I gave it a name: AGENT. Dialog about PI is handled by the AGENT service…
INTERACTION Personal Information AGENT SECURITY The AGENT will need to interface to the world outside the database and interact with other system elements, so I created an INTERACTION service.
INTERACTION CONTROL Personal Information AGENT SECURITY Procedures, best practices, legislation, and jurisdictional mandates will govern the collection, access, and use of PI. A CONTROL service is needed to execute the particular privacy “policy” against the PI database….
INTERACTION AGREEMENT CONTROL Personal Information AGENT SECURITY Privacy is the proper use of PI throughout its lifecycle, consistent with the permission of the subject and applicable laws/policies. As PI is collected and maintained, an AGREEMENT service is needed to arbitrate with the PI subject for permissible use of the PI….
INTERACTION AGREEMENT CONTROL USAGE Personal Information AGENT SECURITY Reflect on the concept of “proper use of PI throughout its lifecycle”, which is a core management requirement of the definition of privacy. Subsequent use of PI by other system entities could involve transfer, linking, inference and even re-negotiation of permissions. I added a USAGE service for that purpose….
INTERACTION ACCESS AGREEMENT CONTROL USAGE Personal Information AGENT SECURITY PI is “personal” information about the subject. Since the use of the PI is to be “proper” and “consistent with the permission of the subject and applicable laws/policies”, the subject should be able to access, review, and possibly correct PI about the subject held by another entity. Thus, the ACCESS Service…
INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE Personal Information AGENT SECURITY Given the assumed value of PI collected in the database, the privacy management system should make every effort itself to check the accuracy of PI at any point in its life cycle. The VALIDATION service does the checking, through the AGENT service.
INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE CERTIFICATION Personal Information AGENT SECURITY “Users” should have the proper credentials to use the system. The CERTIFICATION service will manage and check those credentials for any entity involved in processing PI.
INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE CERTIFICATION Audit Personal Information AGENT SECURITY The privacy management system needs its own “watchdog” to record, maintain, and report any and all relevant events in order to subsequently confirm compliance. For that reason, I added the AUDIT service.
INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE CERTIFICATION Audit Personal Information ENFORCEMENT AGENT SECURITY What should happen IF the system fails in some aspect of privacy management or violates an accepted tenet of the system? The ENFORCEMENT service handles redress in such cases.
REQUESTOR SUBJECT INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE CERTIFICATION Audit Personal Information ENFORCEMENT AGENT SECURITY PI SUBJECTS will interact with the system, as well as PI REQUESTORS.
SUBJECT REQUESTOR INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE CERTIFICATION Audit Personal Information ENFORCEMENT AGENT SECURITY WHEW! Mr Private I needed a rest after all that design. I had identified 10 privacy SERVICES, but how did they work together to create an operational privacy management system? I needed to experiment with a few Use Cases…
SUBJECT REQUESTOR INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE CERTIFICATION Audit Personal Information ENFORCEMENT AGENT SECURITY I started simple: Consider an employer application like Payroll that requests certain PI from an employee…
NOTICE SUBJECT REQUESTOR PI INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE CERTIFICATION Audit Personal Information PI ENFORCEMENT AGENT SECURITY Through the employer AGENT and INTERACTION, a NOTICE of the purpose and use of the requested PI is presented to the SUBJECT. The PI, together with the permissible purpose/use, is submitted for VALIDATION, then stored in the PI database by CONTROL. Through CONTROL, PI is shared with the REQUESTOR.
SUBJECT REQUESTOR INTERACTION ACCESS VALIDATION AGREEMENT CONTROL USAGE CERTIFICATION Audit Personal Information ENFORCEMENT AGENT SECURITY (ADDITIONAL USE CASES…)
