presentation annotated by gail magnuson llc with permission from using information technologies to...

Presentation annotated by Gail Magnuson LLC with permission from www.peterfbrown.com

Using Information Technologies to Empower and Transform

This presentation supported by Gail Magnuson, President, Gail Magnuson LLC

Peter F BrownIndependent Consultant

The Privacy Management Reference Model and Methodology from OASIS:

Using the Privacy Management Reference Model and Methodology to Explore Do Not Track Design

Introduction to PMRMIAPP Cleveland KnowledgeNet Presentation

Gail A Magnuson, CIPP US President, Gail Magnuson LLCGail.Magnuson@gmail.comSeptember 2012

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

A Model and a Methodology

2

The model provides a common conceptual framework and vocabulary to help people cooperate across disciplines and organizational boundaries…

…and the methodology provides a common set of tasks to achieve a privacy architecture and privacy management analysis

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

The PMRM Model

3

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

The PMRM Methodology

4

Presentation annotated by Gail Magnuson LLC with permission from www.peterfbrown.com

Using Information Technologies to Empower and Transform

This presentation supported by Gail Magnuson, President, Gail Magnuson LLC

Peter F BrownIndependent Consultant

The Methodology in Detail

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

Detailed Privacy Analysis

1.High-Level Privacy Analysis and Use Case

6

Scop

e General Description of Services & Applications En

viro

nmen

t

Business Use Case Inventory

App

licab

le R

equi

rem

ents Privacy

Conformance Criteria

Impa

ct A

sses

smen

ts Privacy Assessment PreparationPrivacy Impact AssessmentsPrivacy Maturity AssessmentsCompliance ReviewsAccountability Model Assessments

Application and Business Process Descriptions Applicable Privacy Policies, Practices, Laws & Regulations

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

Domains

2.Detailed Privacy Use Case Analysis

7

Scope:High-Level Privacy AnalysisHigh-Level Use Case Description

Systems

Roles & Responsibilities Actors

Touch Points

Owners

Identify all the following:

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

1st Party WebsiteBrower(s) or DNT

2.US DNT & EU Cookie Touch Points & Data Flows

8

System aTo

uch

Poin

t

Touch Point

Touc

h Po

int

System b

System c

3rd Party Websites

System d

Big Data Vendor(s)

System e

Browser(s) or DNT

System a

Touch Point

Touch Point

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

3.Identify PI and Privacy Controls

9

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

4.Services Supporting Privacy Controls

10

Privacy Controls are usually stated in the form of a policy declaration or requirement and not in a way that is immediately actionable or implementable.

Services provide the ‘bridge’ between requirement and implementation by providing privacy constraints on system-level actions governing the flow of PI between touch points

8 key PMRM Services identified in the initial work:

Agreement

Usage

Validation

Security

Certification

Enforcement

Interaction

Access

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

4.Map Privacy Controls to Services

11

Ag E

I

Ac

Ac

U V E

U V S C I

Incoming PI

Internally Generated PI

Inherited Privacy Controls

Internal Privacy Controls

PMRM Services Required

Outgoing PI Exported Privacy Controls

AcU V S C I

IU V E

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

4.Map Services to Systems

12

Ag E Ac

IU V E

AcU V S C I

PMRM Services Used

AcU V S C I

Business Processes and Technical Mechanisms Required by System

A B C D E

B C E F

A C D G H

C E G H

Risk Assessment

© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC

A Model and a Methodology

13

The model provides a common conceptual framework and vocabulary to help people cooperate across disciplines and organizational boundaries…

…and the methodology provides a common set of tasks to achieve a privacy architecture and privacy management analysis

Presentation annotated by Gail Magnuson LLC with permission from www.peterfbrown.com

The OASIS Privacy Management Reference Model and Methodology

Introduction to PMRM

► peter@peterfbrown.com► www.peterfbrown.com► PensivePeter.wordpress.com► @PensivePeter

PMRM Draft Specification:http://docs.oasis-open.org/pmrm/PMRM/v1.0/csd01/PMRM-v1.0-csd01.docPMRM Committee Home Page:http://www.oasis-open.org/committees/pmrmUSAToday EU Cookie Law Overview with Chris Wolf Interview:http://content.usatoday.com/communities/technologylive/post/2011/09/europe-taking-much-stricter-stance-on-do-not-track-rules/1#.UFiEBrJlR5U