The ISTPA Privacy Framework

John Sabo
Manager, Security, Privacy and Trust Initiatives
Computer Associates

Workshop on the Relationship between Security and Privacy
Pittsburgh, PA
May 30, 2002

ISTPA Framework Copyright © 1999-2002 International Security, Trust & Privacy Alliance
All Rights Reserved

What Is ISTPA?

ISTPA is a not-for-profit global alliance of organizations addressing issues related to security, privacy and trust from a consumer, technology and business perspective.

Not a privacy advocacy organization

ISTPA’s focus is on the protection of personal information (PI).

ISTPA Member Companies

AMD
American Express
Arthur Andersen, LLP
Bennett Gold, Chartered Accountants
BITS
Carnegie Mellon University
Computer Associates
Critical Path
CYVA Research Corp
Dealing Technology
EWA IIT
GemPlus
GSR Consulting
Intel
Intelytics, Inc.
International Systems Security Engineering Association
JP Morgan/Chase
Motorola
NCR
OneName Corporation
Persona
Ponoi Corporation
Sec2Wireless
TRUSTe
Vanguard Integrity Professionals
W. Scott Blackmer
Wave Systems, Inc
YouPowered
Zero-Knowledge Systems

ISTPA’s Internal Organization

Board and Executive Director

Self-Managed

Four working groups:

• Framework
• Proof of Concept
• Legal and Regulatory Requirements
• Outreach

2-3 meetings annually plus WG meetings/teleconferences

ISTPA’s Privacy Perspective

New technologies and business models provide benefits for consumers, citizens, business, government.

Privacy and security risks accompany their use

Sound privacy policies, architectures and implementations will support business value and achieve consumer trust.

How ISTPA Is Addressing Privacy Challenges

Constructing an open, policy-neutral Framework for designing, constructing, and evaluating privacy architectures, technologies and tools to meet business and consumer needs

Mapping legal, policy, and business requirements into the Framework

Sponsoring objective privacy research on usability, manageability, cost of implementing privacy technologies

Multiple Expressions of Privacy Policy and Rules

OECD Privacy Principles

Fair Information Practices

U.S.-E.U. Safe Harbor Agreement

U.S. Federal Trade Commission

Legislation…

• U.S. Privacy Act
• European Union Data Directive
• Gramm Leach Bliley (GLB)
• C6 in Canada
• HIPAA

The Challenge of Integrated Privacy Solutions

Interrelationships among policies, practices and rules are not intuitive

Critical architectural components are missing or only implicit

• the consumer “agency” interfaces

No clarity in privacy-security relationship

No linkages to operational policy and technical implementations

Why a Privacy Framework?

A coherent analytical model is needed to foster development of data protection products, services and trusted implementations.

Networked trust systems require interoperability -- privacy requirements must be supported across jurisdictional, business, and consumer boundaries.

A framework of privacy services can serve as a solution-neutral methodology and tool for policymakers, business managers, developers, auditors and regulators, and consumers

Other Major Projects

Johns Hopkins University

• research project to address usability, cost, manageability, trust of privacy technologies

Carnegie Mellon University

• “Digital Privacy Handbook” -- synthesizes technical standards, regulatory and legal privacy requirements by jurisdiction and existing technologies

• an analytical tool for the development of more mature and sophisticated capabilities in privacy management

Michael Willett:

The Privacy Framework structure is still evolving; your input and suggestions are welcome. The Framework Project is actively validating the Framework with Use Cases.

Additional Information

www.istpa.org

John Sabo

[email protected]