1 the istpa privacy framework john sabo manager, security, privacy and trust initiatives computer...
TRANSCRIPT
1
The ISTPA Privacy Framework
John Sabo
Manager, Security, Privacy and Trust Initiatives
Computer Associates
Workshop on the Relationship
between Security and Privacy
Pittsburgh, PA
May 30, 2002
ISTPA Framework Copyright © 1999-2002 International Security, Trust & Privacy AllianceAll Rights Reserved
2
What Is ISTPA?
ISTPA is a not-for-profit global alliance of organizations addressing issues related to security, privacy and trust from a
consumer, technology and business perspectiveNot a privacy advocacy organization
ISTPA’s focus is on the protection of personal information (PI).
3
ISTPA Member CompaniesAMDAmerican ExpressArthur Anderson, LLPBennett Gold, Chartered Accountants BITSCarnegie Mellon UniversityComputer AssociatesCritical PathCYVA Research CorpDealing TechnologyEWA IITGemPlusGSR ConsultingIntelIntelytics, Inc.
International Systems Security Engineering AssociationJP Morgan/ ChaseMotorolaNCROneName CorporationPersonaPonoi CorporationSec2WirelessTRUSTeVanguard Integrity ProfessionalsW. Scott BlackmerWave Systems, IncYouPoweredZero-Knowledge Systems
4
ISTPA’s Internal Organization
Board and Executive Director Self-Managed Four working groups:
Framework Proof of Concept Legal and Regulatory Requirements Outreach
2-3 meetings annually plus WG meetings/teleconferences
5
ISTPA’s Privacy Perspective
New technologies and business models provide benefits for consumers, citizens, business, government.
Privacy and security risks accompany their use
Sound privacy policies, architectures and implementations will support business value and achieve consumer trust.
6
How ISTPA Is Addressing Privacy Challenges
Constructing an open, policy-neutral Framework for designing, constructing, and evaluating privacy architectures, technologies and tools to meet business and consumer needs
Mapping legal, policy, and business requirements into the Framework
Sponsoring objective privacy research on usability, manageability, cost of implementing privacy technologies
7
Multiple Expressions of Privacy Policy and Rules
OECD Privacy Principles Fair Information Practices U.S.- E.U. Safe Harbor Agreement U.S. Federal Trade Commission Legislation…
U.S. Privacy Act European Union Data Directive Gramm Leach Bliley (GLB) C6 in Canada HIPAA
8
The Challenge of Integrated Privacy Solutions
Interrelationships among polices, practices and rules are not intuitive
Critical architectural components are missing or only implicit the consumer “agency” interfaces
No clarity in privacy- security relationship No linkages to operational policy and
technical implementations
9
Why a Privacy Framework?
A coherent analytical model is needed to foster development of data protection products, services and trusted implementations.
Networked trust systems require interoperability -- privacy requirements must be supported across jurisdictional, business, and consumer boundaries.
A framework of privacy services can serve as a solution-neutral methodology and tool for policymakers, business managers, developers, auditors and regulators, and consumers
10
Other Major ProjectsJohns Hopkins University
• research project to address usability, cost, manageability, trust of privacy technologies
Carnegie Mellon University
•“Digital Privacy Handbook”-- synthesizes technical standards, regulatory and legal privacy requirements by jurisdiction and existing technologies
•an analytical tool for the development of more mature and sophisticated capabilities in privacy management
Michael Willett:
The Privacy Framework structure is still evolving; your input and suggestions are welcome. The Framework Project is actively validating the Framework with Use Cases.
Michael Willett:
The Privacy Framework structure is still evolving; your input and suggestions are welcome. The Framework Project is actively validating the Framework with Use Cases.