
Re: ISSUE-11: Taxonomies on storage locations and restrictions as well as security measures and restrictions still undefined.

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Fri, 22 Mar 2019 14:51:45 +0000
To: public-dpvcg@w3.org
Message-ID: <317103f8-e19d-24b3-cd21-823e0cee0abf@harshp.com>
Hello, I tried looking up the relevant ISO standards for security and to 
identify terms for a taxonomy. But I ran into two major problems:

a) ISO holds a copyright on their specific codes and terms

b) ISO standards are not open, so I cannot look at them in depth

Maybe someone who does have access can check the relevant standards and 
see how we can formulate the taxonomies.

In light of this, I feel we need to re-evaluate what a taxonomy of 
security (related to data) should contain.

Attached is a mapping between different security standards and top-level 
criteria, which is very informational.

And I'm sharing my notes for the security ISO standards:

ISO standards

  * mapping between GDPR and ISO27000
  * There are two standards - ISO27001/2 and ISO27018 for cloud based


ISO27018 adds the following over ISO27001/2 (source: random article on 
the internet):

  * Rights of the customer to access and delete the data
  * Processing the data only for the purpose for which the customer has
    provided this data
  * Not using the data for marketing and advertising
  * Deletion of temporary files
  * Notification to the customer in case of a request for data disclosure
  * Recording all the disclosures of personal data
  * Disclosing the information about all the sub-contractors used for
    processing the personal data
  * Notification to the customer in case of a data breach
  * Document management for cloud policies and procedures
  * Policy for return, transfer and disposal of personal data
  * Confidentiality agreements for individuals who can access personal data
  * Restriction of printing the personal data
  * Procedure for data restoration
  * Authorization for taking the physical media off-site
  * Restriction of usage of media that does not have encryption capability
  * Encrypting data that is transmitted over public networks
  * Destruction of printed media with personal data
  * Usage of unique IDs for cloud customers
  * Records of user access to the cloud
  * Disabling the usage of expired user IDs
  * Specifying the minimum security controls in contracts with customers
    and subcontractors
  * Deletion of data in storage assigned to other customers
  * Disclosing to the cloud customer in which countries will the data be
  * Ensuring the data reaches the destination

ISO 27001 Controls and Objectives 
ISO 27002 Security Control Objectives

ISO/IEC 15408 Evaluation criteria for IT security
ISO/IEC 18045 Methodology for IT security evaluation
ISO/IEC 19608 Guidance for developing security and privacy functional 
requirements based on
ISO/IEC 15408

ISO/IEC 27002 Code of practice for information security controls
ISO/IEC 17030 Guidelines for security and privacy in Internet of Things 
ISO/IEC 27017 Code of practice for information security controls based 
on ISO/IEC 27002 for
cloud services

ISO/IEC 18033 Encryption algorithms
ISO/IEC 18370 Blind digital signatures
ISO/IEC 20008 Anonymous digital signatures
ISO/IEC 20009 Anonymous entity authentication
ISO/IEC 29191 Partially anonymous partially unlinkable authentication
ISO/IEC 20889 Privacy enhancing data de-identification techniques
ISO/IEC 27551 Attribute based unlinkable entity authentication

JWG8 has proposed to recognize ISO/IEC 29134 (privacy impact assessment
methodology) as a European standard (EN)

DTR/CYBER-0010, TR 103 370, Practical introductory guide to privacy
DTS/CYBER-0013, TS 103 485, Mechanisms for privacy assurance and 
DTS/CYBER-0014, TS 103 486, Identity management and naming schema 
protection mechanisms
DTS/CYBER-0020, TS 103 458, Application of Attribute Based Encryption 
(ABE) for data protection
on smart devices, cloud and mobile services



On 12/02/2019 13:56, Data Privacy Vocabularies and Controls Community 
Group Issue Tracker wrote:
> ISSUE-11: Taxonomies on storage locations and restrictions as well as security measures and restrictions still undefined.
> https://www.w3.org/community/dpvcg/track/issues/11
> Raised by:
> On product:

Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin

Received on Friday, 22 March 2019 14:52:39 UTC
