Re: ISSUE-11: Taxonomies on storrage locations and restrictions as well as security measues and restrictions still undefined. from rjc@enterprivacy.com on 2019-03-23 (public-dpvcg@w3.org from March 2019)

From: <rjc@enterprivacy.com>
Date: Sat, 23 Mar 2019 11:01:56 -0700
To: "Harshvardhan J. Pandit" <me@harshp.com>, public-dpvcg@w3.org
Message-Id: <49a11012119f49fb538d95217e37b82374c7b801@webmail.dreamhost.com>
Sorry I haven't been very active.

You might consider looking at the Data Oriented
 Strategies and Tactics from Jaap-Henk Hoepman

https://www.cs.ru.nl/~jhh/publications/pds-booklet.pdf

These are the ones I use and it's been picked up by a number of data
protection authorities.  I group his Hide and Abstract Strategies
under the heading of SECURITY, where as Minimize and Separate are
under a heading of Architecture. 

Jason 

	.....................................................................
R. Jason Cronk                  | Juris Doctor  
Privacy and Trust Consultant    | IAPP Fellow of Information
Privacy
ENTERPRIVACY CONSULTING GROUP [1]   | CIPT, CIPM, CIPP/US, PbD
Ambassador
Privacy notices made simple: https://simpleprivacynotice.com [2] 
....................................................................

	UPCOMING TRAINING

Privacy by Design Professional:  Cyprus (April [3]), Belarus -
English/Russian (July)

Online (coming soon): https://privacybydesign.training [4]

----- Original Message -----
From:
 "Harshvardhan J. Pandit" <me@harshp.com>

To:
<public-dpvcg@w3.org>
Cc:

Sent:
Fri, 22 Mar 2019 14:51:45 +0000
Subject:
Re: ISSUE-11: Taxonomies on storrage locations and restrictions as
well as security measues and restrictions still undefined.

	Hello, I tried looking up the relevant ISO standards for security and
to identify terms for a taxonomy. But I ran into two major problems: 

	a) ISO holds a copyright on their specific codes and terms 

	b) ISO standards are not open, so I cannot look at them in depth 

	Maybe someone who does have access can check the relevant standards
and see how we can formulate the taxonomies.  

	In light of this, I feel we need to re-evaluate what a taxonomy of
security (related to data) should contain. 

	Attached is a mapping between different security standards and
top-level criteria, which is very informational.

	And I'm sharing my notes for the security ISO standards: 

ISO STANDARDS

	* mapping between GDPR and ISO27000
http://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf [5]
 	* There are two standards - ISO27001/2 and ISO27018 for cloud based
services

ISO27018

	 ISO27018 adds the following over ISO27001/2 (source random article
on the internet
https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud
[6])

	* Rights of the customer to access and delete the data
 	* Processing the data only for the purpose for which the customer
has provided this data
 	* Not using the data for marketing and advertising
 	* Deletion of temporary files
 	* Notification to the customer in case of a request for data
disclosure
 	* Recording all the disclosures of personal data
 	* Disclosing the information about all the sub-contractors used for
processing the personal data
 	* Notification to the customer in case of a data breach
 	* Document management for cloud policies and procedures
 	* Policy for return, transfer and disposal of personal data
 	* Confidentiality agreements for individuals who can access personal
data
 	* Restriction of printing the personal data
 	* Procedure for data restoration
 	* Authorization for taking the physical media off-site
 	* Restriction of usage of media that does not have encryption
capability
 	* Encrypting data that is transmitted over public networks
 	* Destruction of printed media with personal data
 	* Usage of unique IDs for cloud customers
 	* Records of user access to the cloud
 	* Disabling the usage of expired user IDs
 	* Specifying the minimum security controls in contracts with
customers and subcontractors
 	* Deletion of data in storage assigned to other customers
 	* Disclosing to the cloud customer in which countries will the data
be stored
 	* Ensuring the data reaches the destination

	 https://en.wikipedia.org/wiki/Security_controls [7]
 ISO 27001 Controls and Objectives
https://en.wikipedia.org/wiki/ISO/IEC_27001 [8]
http://www.foo.be/docs/iso/AnnexIX1302-ListOfControls-ISO-27001.pdf
[9]
 ISO 27002 Security Control Objectives
http://praxiom.com/iso-17799-objectives.htm [10]
http://praxiom.com/iso-27002-objectives.htm [11]  

	 ISO/IEC 15408 Evaluation criteria for IT security
 ISO/IEC 18045 Methodology for IT security evaluation
 ISO/IEC 19608 Guidance for developing security and privacy functional
requirements based on
 ISO/IEC 15408  

	 ISO/IEC 27002 Code of practice for information security controls
 ISO/IEC 17030 Guidelines for security and privacy in Internet of
Things (IoT)
 ISO/IEC 27017 Code of practice for information security controls
based on ISO/IEC 27002 for
 cloud services  

	 ISO/IEC 18033 Encryption algorithms
 ISO/IEC 18370 Blind digital signatures
 ISO/IEC 20008 Anonymous digital signatures
 ISO/IEC 20009 Anonymous entity authentication
 ISO/IEC 29191 Partially anonymous partially unlinkable authentication
 ISO/IEC 20889 Privacy enhancing data de-identification techniques
 ISO/IEC 27551 Attribute based unlinkable entity authentication  

	 JWG8 has proposed to recognize ISO/IEC 29134 (privacy impact
assessment
 Methodology) as a European standard (EN)  

	 ETSI
 DTR/CYBER-0010, TR 103 370, Practical introductory guide to privacy
 DTS/CYBER-0013, TS 103 485, Mechanisms for privacy assurance and
verification
 DTS/CYBER-0014, TS 103 486, Identity management and naming schema
protection mechanisms
 DTS/CYBER-0020, TS 103 458, Application of Attribute Based Encryption
(ABE) for data protection
 on smart devices, cloud and mobile services  

	Regards, 

	Harsh
 On 12/02/2019 13:56, Data Privacy Vocabularies and Controls Community
Group Issue Tracker wrote:

	ISSUE-11: Taxonomies on storrage locations and restrictions as well
as security measues and restrictions still undefined.

https://www.w3.org/community/dpvcg/track/issues/11 [12]

 Raised by: 

 On product: 

	-- 

 ---

 Harshvardhan Pandit

 PhD Researcher

 ADAPT Centre

 Trinity College Dublin



Links:
------
[1] http://webmail.dreamhost.com/HTTP://WWW.ENTERPRIVACY.COM/
[2] https://simpleprivacynotice.com/
[3] https://enterprivacy.com/cyprus-training/
[4] https://privacybydesign.training/
[5] http://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf
[6]
https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud
[7] https://en.wikipedia.org/wiki/Security_controls
[8] https://en.wikipedia.org/wiki/ISO/IEC_27001
[9]
http://www.foo.be/docs/iso/AnnexIX1302-ListOfControls-ISO-27001.pdf
[10] http://praxiom.com/iso-17799-objectives.htm
[11] http://praxiom.com/iso-27002-objectives.htm
[12] https://www.w3.org/community/dpvcg/track/issues/11
Received on Saturday, 23 March 2019 18:02:28 UTC