PRIPARE's New Vision on Engineering Privacy and Security by Design



Similar documents
How To Protect Privacy In A Computer System

Best Practices at Research Level

The 7 Foundational Principles. Implementation and Mapping of Fair Information Practices. Ann Cavoukian, Ph.D.

Modellistica Medica. Maria Grazia Pia, INFN Genova. Scuola di Specializzazione in Fisica Sanitaria Genova Anno Accademico

Privacy by Design The 7 Foundational Principles Implementation and Mapping of Fair Information Practices

From Chaos to Clarity: Embedding Security into the SDLC

EXPLORING THE CAVERN OF DATA GOVERNANCE

Privacy by Design Setting a new standard for privacy certification

Project Lifecycle Management (PLM)

Overview TECHIS Carry out risk assessment and management activities

Privacy Requirements Definition and Testing in the Healthcare Environment

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

Kangas Cybersecurity strategy

ISTQB Certified Tester. Foundation Level. Sample Exam 1

ARCHITECTURE SERVICES. G-CLOUD SERVICE DEFINITION.

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Privacy and Data Protection by Design from policy to engineering

MIS Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016

CYSPA - EC projects supporting NIS

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Becoming a Business Analyst

Medicaid Enterprise Data Governance Approach. MESConference August 21, 2012 Rashmi Menon, Deloitte Consulting LLP

Department for Business, Innovation and Skills 1 Victoria Street London SW1H 0ET. 7 th May Dear Sir or Madam,

E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION

Sytorus Information Security Assessment Overview

SACM and CMDB Strategy and Roadmap. David Lowe ActionableITSM.com March 20, 2012

2015 Information Security Awareness Catalogue

G-Cloud Service Description. Atos: Cloud Professional Services: Requirements Specification

The Next Generation of Security Leaders

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3)

National Cybersecurity Assessment and Technical Services

CYBERBOK Cyber Crime Security Essential Body of Knowledge: A Competency and Functional Framework for Cyber Crime Management

Enterprise SOA Governance

A NEW APPROACH TO CYBER SECURITY

Honourable members of the National Parliaments of the EU member states and candidate countries,

Requirement Management with the Rational Unified Process RUP practices to support Business Analyst s activities and links with BABoK

Product Build. ProPath. Office of Information and Technology

Agile & PMI Project Management Mapping MAVERIC S POINT OF VIEW Vol. 7

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor

Have it all Protecting privacy in the age of analytics

Secure Development LifeCycles (SDLC)

Chief Information Security Officer

Richard Gadsden Information Security Office Office of the CIO Information Services

Australian Government Cyber Security Review

Asset Management Policy March 2014

SOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT

Cyber Security: from threat to opportunity

I&IT Strategy & Cyber Security

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Validating Enterprise Systems: A Practical Guide

ITIL. Lifecycle. ITIL Intermediate: Continual Service Improvement. Service Strategy. Service Design. Service Transition

The New Zealand Human Services Quality Framework - ISO9002:2008 to 2012

Securing your Corporate Infrastructure What is really needed to keep your assets protected

Keywords document, agile documentation, documentation, Techno functional expert, Team Collaboration, document selection;

Antonio Kung, Trialog. HIJA technical coordinator. Scott Hansen, The Open Group. HIJA coordinator

Malicious Mitigation Strategy Guide

Accountability in Cloud Computing An Introduction to the Issues, Approaches, and Tools

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into

Cooperation in Securing National Critical Infrastructure

ISE Northeast Executive Forum and Awards

SUMMARY OF A PRIVACY IMPACT ASSESSMENT FOR THE ONTARIO BRAIN INSTITUTE S BRAIN-CODE

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

Defending against modern cyber threats

Privacy by Design Protecting privacy in the age of analytics

A Guide to the Business Analysis Body of Knowledge (BABOK Guide) Version 2.0

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

The Value of ITAM To IT Service Management. Presented by Daryl Frost. Copyright Burswood Information Solutions Limited 2015

Cloud Computing Security Considerations

Preparing yourself for ISO/IEC

Websphere Portal and Lotus Web Content Management adoption and Project best practices at the Royal Bank of Scotland Group

From Capability-Based Planning to Competitive Advantage Assembling Your Business Transformation Value Network

SECURITY OPERATIONS CENTER (SOC) Implementing Security Monitoring in Small and Mid-Sized Organizations

TGA key performance indicators and reporting measures

Business Analysis Standardization & Maturity

Revised October 2013

Security Controls Assessment for Federal Information Systems

Existing Technologies and Data Governance

UTS POSITION DESCRIPTION UTS:HUMAN RESOURCES

Information Technology Governance. Steve Crutchley CEO - Consult2Comply

Effort and Cost Allocation in Medium to Large Software Development Projects

CESG Certification of Cyber Security Training Courses

Transcription:

PReparing Industry to Privacy-by-design by supporting its Application in REsearch PRIPARE's New Vision on Engineering Privacy and Security by Design CYBER SECURITY & PRIVACY FORUM 2014 NicolásNotario(nicolas.notario@atos.net) Atos

What is PSbD? An approach that takes privacy and security into account during the whole engineering process A series of privacy and security principles Helps to design and choose Best Available Technologies and Techniques Ensuring that engineered systems are secure and privacy-respectful 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design 2

State of the art Measures Risks (if needed) Threats (if needed) Context Feared events Ontario IPC PbD principles Full Functionality Positive-Sum, not Zero-Sum Privacy Impact Assessments More than a compliance check Privacy Management Reference Model Understanding and analysing privacy policies and their management requirements; selecting technical services which must be implemented to support privacy controls Risk Management remove, minimise, transfer or accept identified risks Privacy Enhancing ARchitectures 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design

The problem Current practices are disengaged with engineering practices Unexperienced designers have no guidelines to produce privacysupporting designs Current approaches mainly focus on analysis & design phase The architectural dimension is not well addressed 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design 4

PRIPARE s approach: PSbD methodology Designed to cover the whole system lifecycle Short, easy-to-understand and easy-to-use Flexible so it can adapt depending on the nature of the project and the information collected Integrated with risk assessment standards Useful for different types of stakeholders Engaged with system engineering practices (complements existing methodologies) 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design 5

PRIPARE -Analysis Complement PMRM with PIA and (Privacy) Risk management approaches for the analysis stage. The output of this stage would be a boundary object that holds all extracted information that can then be selected according to each stakeholder s interests (privacy officers, system designers, developers ) Application description Information flows Stakeholders Domains Touch points 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design 6

PRIPARE -Design & Implementation Apply PEARs approach Use privacy patterns to aid in the effective design of secure systems that support privacy Use architecture tactics to tailor patterns during the design & implementation phases Perform Static Analysis of the system 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design 7

PRIPARE Verification, Release & maintenance Apply a Privacy and Security Test Plan during the verification stage (privacy & security verification) Perform Dynamic Analysis Heartbleed example Final Privacy and Security reviews Privacy & Security Incidents Response Plan Publish PIA Report (& foreseen updates) Execute the Incident Response Plan Verification of privacy and security policies enforcement 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design 8

Approaches/desirable features comparison PIA Risk Management (CNIL) PMRM PEAR PRIPARE Ensures system's legal compliance Provides system's architectural aspects Useful for multiple stakeholders Useful for system engineers Identifies privacy risks Supports multiple domains (organisational or legal) Supports privacy patterns Provides accountability for privacy decisions Degree of support: Low Medium High 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design 9

PRIPARE Open challenges What privacy or security metrics can assist during the design process in order to ensure that taken decisions are correctly assessed? Howcan PRIPARE complement the wide variety of system engineering methodologies?. I.e. Scrum lacks a design phase or formal requirements analysis Is there a way to truly and easily verify (statically and dynamically) that security and privacy non-functional requirements are being covered? 22/05/2014 PRIPARE's New Vision on Engineering Privacy and Security by Design 10

PReparing Industry to Privacy-by-design by supporting its Application in REsearch Thank you for your attention Questions? Website: www.pripareproject.eu Nicolás Notario: nicolas.notario@atos.net Project Co-ordinator Antonio Kung (Trialog) Technical Co-ordinator Christophe Jouvray(Trialog)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information