- From: <rjc@enterprivacy.com>
- Date: Sat, 23 Mar 2019 11:01:56 -0700
- To: "Harshvardhan J. Pandit" <me@harshp.com>, public-dpvcg@w3.org
- Message-Id: <49a11012119f49fb538d95217e37b82374c7b801@webmail.dreamhost.com>
Sorry I haven't been very active. You might consider looking at the Data Oriented Strategies and Tactics from Jaap-Henk Hoepman: https://www.cs.ru.nl/~jhh/publications/pds-booklet.pdf These are the ones I use, and they have been picked up by a number of data protection authorities. I group his Hide and Abstract Strategies under the heading of SECURITY, whereas Minimize and Separate are under a heading of Architecture.

Jason

.....................................................................
R. Jason Cronk | Juris Doctor
Privacy and Trust Consultant | IAPP Fellow of Information Privacy
ENTERPRIVACY CONSULTING GROUP [1] | CIPT, CIPM, CIPP/US, PbD Ambassador
Privacy notices made simple: https://simpleprivacynotice.com [2]
....................................................................
UPCOMING TRAINING
Privacy by Design Professional: Cyprus (April [3]), Belarus - English/Russian (July)
Online (coming soon): https://privacybydesign.training [4]

----- Original Message -----
From: "Harshvardhan J. Pandit" <me@harshp.com>
To: <public-dpvcg@w3.org>
Cc:
Sent: Fri, 22 Mar 2019 14:51:45 +0000
Subject: Re: ISSUE-11: Taxonomies on storage locations and restrictions as well as security measures and restrictions still undefined.

Hello,

I tried looking up the relevant ISO standards for security and to identify terms for a taxonomy. But I ran into two major problems:

a) ISO holds a copyright on their specific codes and terms
b) ISO standards are not open, so I cannot look at them in depth

Maybe someone who does have access can check the relevant standards and see how we can formulate the taxonomies. In light of this, I feel we need to re-evaluate what a taxonomy of security (related to data) should contain.

Attached is a mapping between different security standards and top-level criteria, which is very informational.

And I'm sharing my notes for the security ISO standards:

ISO STANDARDS

* mapping between GDPR and ISO27000
  http://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf [5]
* There are two standards - ISO27001/2 and ISO27018 for cloud based services

ISO27018

ISO27018 adds the following over ISO27001/2 (source: a random article on the internet, https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud [6]):

* Rights of the customer to access and delete the data
* Processing the data only for the purpose for which the customer has provided this data
* Not using the data for marketing and advertising
* Deletion of temporary files
* Notification to the customer in case of a request for data disclosure
* Recording all the disclosures of personal data
* Disclosing the information about all the sub-contractors used for processing the personal data
* Notification to the customer in case of a data breach
* Document management for cloud policies and procedures
* Policy for return, transfer and disposal of personal data
* Confidentiality agreements for individuals who can access personal data
* Restriction of printing the personal data
* Procedure for data restoration
* Authorization for taking the physical media off-site
* Restriction of usage of media that does not have encryption capability
* Encrypting data that is transmitted over public networks
* Destruction of printed media with personal data
* Usage of unique IDs for cloud customers
* Records of user access to the cloud
* Disabling the usage of expired user IDs
* Specifying the minimum security controls in contracts with customers and subcontractors
* Deletion of data in storage assigned to other customers
* Disclosing to the cloud customer in which countries the data will be stored
* Ensuring the data reaches the destination

https://en.wikipedia.org/wiki/Security_controls [7]

ISO 27001 Controls and Objectives
https://en.wikipedia.org/wiki/ISO/IEC_27001 [8]
http://www.foo.be/docs/iso/AnnexIX1302-ListOfControls-ISO-27001.pdf [9]

ISO 27002 Security Control Objectives
http://praxiom.com/iso-17799-objectives.htm [10]
http://praxiom.com/iso-27002-objectives.htm [11]

ISO/IEC 15408 Evaluation criteria for IT security
ISO/IEC 18045 Methodology for IT security evaluation
ISO/IEC 19608 Guidance for developing security and privacy functional requirements based on ISO/IEC 15408
ISO/IEC 27002 Code of practice for information security controls
ISO/IEC 17030 Guidelines for security and privacy in Internet of Things (IoT)
ISO/IEC 27017 Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 18033 Encryption algorithms
ISO/IEC 18370 Blind digital signatures
ISO/IEC 20008 Anonymous digital signatures
ISO/IEC 20009 Anonymous entity authentication
ISO/IEC 29191 Partially anonymous partially unlinkable authentication
ISO/IEC 20889 Privacy enhancing data de-identification techniques
ISO/IEC 27551 Attribute based unlinkable entity authentication

JWG8 has proposed to recognize ISO/IEC 29134 (privacy impact assessment methodology) as a European standard (EN)

ETSI
DTR/CYBER-0010, TR 103 370, Practical introductory guide to privacy
DTS/CYBER-0013, TS 103 485, Mechanisms for privacy assurance and verification
DTS/CYBER-0014, TS 103 486, Identity management and naming schema protection mechanisms
DTS/CYBER-0020, TS 103 458, Application of Attribute Based Encryption (ABE) for data protection on smart devices, cloud and mobile services

Regards,
Harsh

On 12/02/2019 13:56, Data Privacy Vocabularies and Controls Community Group Issue Tracker wrote:

  ISSUE-11: Taxonomies on storage locations and restrictions as well as security measures and restrictions still undefined.

  https://www.w3.org/community/dpvcg/track/issues/11 [12]

  Raised by:
  On product:

--
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin

Links:
------
[1] http://webmail.dreamhost.com/HTTP://WWW.ENTERPRIVACY.COM/
[2] https://simpleprivacynotice.com/
[3] https://enterprivacy.com/cyprus-training/
[4] https://privacybydesign.training/
[5] http://www.iso27001security.com/ISO27k_GDPR_mapping_release_1.pdf
[6] https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud
[7] https://en.wikipedia.org/wiki/Security_controls
[8] https://en.wikipedia.org/wiki/ISO/IEC_27001
[9] http://www.foo.be/docs/iso/AnnexIX1302-ListOfControls-ISO-27001.pdf
[10] http://praxiom.com/iso-17799-objectives.htm
[11] http://praxiom.com/iso-27002-objectives.htm
[12] https://www.w3.org/community/dpvcg/track/issues/11
Received on Saturday, 23 March 2019 18:02:28 UTC