Re: ISSUE-11: Taxonomies on storrage locations and restrictions as well as security measues and restrictions still undefined. from Harshvardhan J. Pandit on 2019-03-22 (public-dpvcg@w3.org from March 2019)

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Fri, 22 Mar 2019 14:51:45 +0000
To: public-dpvcg@w3.org
Message-ID: <317103f8-e19d-24b3-cd21-823e0cee0abf@harshp.com>
Hello, I tried looking up the relevant ISO standards for security and to 
identify terms for a taxonomy. But I ran into two major problems:

a) ISO holds a copyright on their specific codes and terms

b) ISO standards are not open, so I cannot look at them in depth

Maybe someone who does have access can check the relevant standards and 
see how we can formulate the taxonomies.

In light of this, I feel we need to re-evaluate what a taxonomy of 
security (related to data) should contain.


Attached is a mapping between different security standards and top-level 
criteria, which is very informational.

And I'm sharing my notes for the security ISO standards:


      ISO standards

  * mapping between GDPR and ISO27000
    http://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf
  * There are two standards - ISO27001/2 and ISO27018 for cloud based
    services


        ISO27018

ISO27018 adds the following over ISO27001/2 (source random article on 
the internet 
https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud)

  * Rights of the customer to access and delete the data
  * Processing the data only for the purpose for which the customer has
    provided this data
  * Not using the data for marketing and advertising
  * Deletion of temporary files
  * Notification to the customer in case of a request for data disclosure
  * Recording all the disclosures of personal data
  * Disclosing the information about all the sub-contractors used for
    processing the personal data
  * Notification to the customer in case of a data breach
  * Document management for cloud policies and procedures
  * Policy for return, transfer and disposal of personal data
  * Confidentiality agreements for individuals who can access personal data
  * Restriction of printing the personal data
  * Procedure for data restoration
  * Authorization for taking the physical media off-site
  * Restriction of usage of media that does not have encryption capability
  * Encrypting data that is transmitted over public networks
  * Destruction of printed media with personal data
  * Usage of unique IDs for cloud customers
  * Records of user access to the cloud
  * Disabling the usage of expired user IDs
  * Specifying the minimum security controls in contracts with customers
    and subcontractors
  * Deletion of data in storage assigned to other customers
  * Disclosing to the cloud customer in which countries will the data be
    stored
  * Ensuring the data reaches the destination

https://en.wikipedia.org/wiki/Security_controls
ISO 27001 Controls and Objectives 
https://en.wikipedia.org/wiki/ISO/IEC_27001
http://www.foo.be/docs/iso/AnnexIX1302-ListOfControls-ISO-27001.pdf
ISO 27002 Security Control Objectives
http://praxiom.com/iso-17799-objectives.htm
http://praxiom.com/iso-27002-objectives.htm

ISO/IEC 15408 Evaluation criteria for IT security
ISO/IEC 18045 Methodology for IT security evaluation
ISO/IEC 19608 Guidance for developing security and privacy functional 
requirements based on
ISO/IEC 15408

ISO/IEC 27002 Code of practice for information security controls
ISO/IEC 17030 Guidelines for security and privacy in Internet of Things 
(IoT)
ISO/IEC 27017 Code of practice for information security controls based 
on ISO/IEC 27002 for
cloud services

ISO/IEC 18033 Encryption algorithms
ISO/IEC 18370 Blind digital signatures
ISO/IEC 20008 Anonymous digital signatures
ISO/IEC 20009 Anonymous entity authentication
ISO/IEC 29191 Partially anonymous partially unlinkable authentication
ISO/IEC 20889 Privacy enhancing data de-identification techniques
ISO/IEC 27551 Attribute based unlinkable entity authentication

JWG8 has proposed to recognize ISO/IEC 29134 (privacy impact assessment
Methodology) as a European standard (EN)

ETSI
DTR/CYBER-0010, TR 103 370, Practical introductory guide to privacy
DTS/CYBER-0013, TS 103 485, Mechanisms for privacy assurance and 
verification
DTS/CYBER-0014, TS 103 486, Identity management and naming schema 
protection mechanisms
DTS/CYBER-0020, TS 103 458, Application of Attribute Based Encryption 
(ABE) for data protection
on smart devices, cloud and mobile services

Regards,

Harsh

On 12/02/2019 13:56, Data Privacy Vocabularies and Controls Community 
Group Issue Tracker wrote:
> ISSUE-11: Taxonomies on storrage locations and restrictions as well as security measues and restrictions still undefined.
>
> https://www.w3.org/community/dpvcg/track/issues/11
>
> Raised by:
> On product:
>
>
>
>
>
-- 
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Attachments

application/pdf attachment: Poster_Winter2016_CSCs.pdf
Received on Friday, 22 March 2019 14:52:39 UTC