Making Privacy Possible: Research on Organizational Privacy Technology

Presentation transcript:

Making Privacy Possible: Research on Organizational Privacy Technology
Clare-Marie Karat, Carolyn Brodie, and John Karat
ckarat,brodiec,jkarat@us.ibm.com
Privacy Enabling Technology Research
Security, Networking and Privacy (SNAP)
IBM Research 4/25/2019

The Many Views of Privacy
- Individual
  - “I want to be alone”
  - “I don’t really care what you know”
  - “Keep this between you and me” (confidential)
- Organizational
  - “What are the legal requirements”
  - “How can I manage information”
- There has been more research focus on Individual than on Organizational issues in use of Personal Information (PI)
- Protecting data at rest (e.g., encryption, anonymization) vs. providing accountable control over use
- Organizations need help from technology to provide reasonable policies and to enforce them

Privacy Research Statement
Most organizations store PI data in heterogeneous server system environments. Currently they do not have a unified way of defining or implementing a privacy policy that encompasses both web and legacy applications across the different server platforms. This makes the management of PI data difficult for both enterprises and end users.

Progress to Date
- Identified Organizational Needs: Initial survey (51 participants) asking about “top privacy concerns and technology needs”
- Established Scenarios: In-depth follow up (13 participants) to identify data flow and architectural concepts for privacy technology (e.g., sticky policy)
- Iterated on Designs: Scenario-based walkthrough sessions of the privacy management prototype (SPARCLE) with target users (2 design iterations, 22 participants)
- Conducted Evaluations: Laboratory study examining methods for policy authoring (36 participants)
- Developed Architecture: Ongoing technical feasibility analysis

Identify Organizational Needs
- Recruited 51 Participants from Industry and Government:
  - North America
  - Europe
  - Asia Pacific
- Sent Participants Privacy Questionnaires by E-Mail
- Asked about Top Concerns, Desired Function, Current Activities
- Analyzed Data by Industry (N=23) and Government (N=28)
- Questionnaire Response Rate was Approximately 80% from Customers

Top Privacy Concerns Expressed
- Industry and government patterns of concerns similar
- Industry more concerned about economic harm to brand
- Government more concerned about privacy violations by users outside the organization

Desired Privacy Functions
- Similar pattern across industry and government
- Desired policy/data portability
- Looked for easy to use authoring environment
- Wanted one solution for all organizational data

Establish Scenarios with Customers
- How would you describe your role regarding privacy?
- Can you give us an example scenario of what happens to a piece of PI as it passes through your organization from the time it is first collected until you dispose of it?
- What are the strengths and weaknesses of your organization's current processes (manual or automated)?
- What additional privacy functionality does your organization need and how would you like this privacy functionality to fit into your business process?
- Are there different privacy issues for Web and Legacy data?
- Do you have any other privacy requirements that you would like to tell us about?

Scenario Approach
- Developed Enriched Domain-Specific Scenarios
  - Combined scenarios gathered from customers into four domain-specific stereotypical scenarios in: Healthcare, Banking/Finance, Travel/Entertainment, Government
- Enriched Scenarios Reviewed with 17 Customers in email and face-to-face sessions
  - Customers agreed the scenarios represent all steps involving PI in their industries very well
- Conducted Component Analysis of each Step
  - Broke each scenario down into steps such that each step involves one type of PI use....
- Used EPA Benchmark, Mapped Tactical, and Created Future Roadmap Privacy Solutions for Customers
- Used Scenarios in Design Review Sessions with Customers

Iterative Design of Privacy Enabling Technology
- Focused on key privacy steps from previous analysis
- Established interaction requirements and a customer-validated design of a highly usable and effective privacy management tool called SPARCLE (Server Privacy ARchitecture and CapabiLity Enablement)
- Scope:
  - Author policies
  - Connect policy definition to system entities (Implement)
  - Check policy compliance (Audit)
- Iteratively designed and reviewed with customers
  - 10 sessions with 22 target users over 2 design iterations

What is a Privacy Policy Rule?
- Privacy is not about a single absolute privacy rule: context-specific policies are involved
- Policies have been found to have a stable form:
  - Who (data user) can see my (data subject) information (data element)
  - For what purposes (e.g., marketing, patient care)
  - To carry out what actions (e.g., distribute)
  - Under what conditions (e.g., lives in California)
  - With what obligations (e.g., data subject must be notified)
- Key Question: How can organizations author, implement, and audit privacy policies without rewriting all applications?
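As an added illustration (not part of the original slides and not SPARCLE's code), the stable rule form above can be held as a structured record and checked against a data-use request, with each decision written to an audit log. The class and function names, the sample rules and the default-deny behavior are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    user: str                 # who (data user)
    element: str              # which data element of the data subject
    purpose: str              # for what purpose
    action: str               # to carry out what action
    conditions: dict = field(default_factory=dict)  # under what conditions
    obligations: tuple = ()   # with what obligations

@dataclass(frozen=True)
class Request:
    user: str
    element: str
    purpose: str
    action: str
    subject: dict             # attributes of the data subject, e.g. state

def decide(rules, req, audit_log):
    """Permit only if a rule matches every element (assumed default: deny).
    Each decision is appended to audit_log for later compliance checks."""
    key = (req.user, req.element, req.purpose, req.action)
    hit = next((r for r in rules
                if (r.user, r.element, r.purpose, r.action) == key
                and all(req.subject.get(k) == v for k, v in r.conditions.items())), None)
    entry = {"request": req, "decision": "permit" if hit else "deny",
             "obligations": hit.obligations if hit else ()}
    audit_log.append(entry)
    return hit is not None, entry["obligations"]

# Constructed sample policy using the example values from the slide.
RULES = [
    Rule("marketing staff", "mailing address", "marketing", "distribute",
         {"state": "California"}, ("notify data subject",)),
    Rule("nurse", "medical record", "patient care", "read"),
]

def demo():
    """Run four constructed requests; return (decisions, audit log)."""
    log = []
    nurse = ("nurse", "medical record")
    mkt = ("marketing staff", "mailing address", "marketing", "distribute")
    results = [
        decide(RULES, Request(*nurse, "patient care", "read", {}), log),
        decide(RULES, Request(*nurse, "marketing", "read", {}), log),
        decide(RULES, Request(*mkt, {"state": "California"}), log),
        decide(RULES, Request(*mkt, {"state": "Nevada"}), log),
    ]
    return results, log
```

The second and fourth requests are denied because the purpose or the condition does not match, and the log records those denials alongside the permits so an auditor can review both.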


[Figure labels: Parsed Rule, Original Rule, Rule Elements]

Laboratory Privacy Policy Rule Authoring Study
- Can we determine whether the Natural Language or Structured Entry method is better for policy authoring?
- Examined performance of novice policy authors
  - 36 knowledge workers
- Provided 3 scenarios describing a desired privacy situation
- Asked people to write policy rules using three methods
  - Unconstrained
  - Natural Language with a policy rule template
  - Structured entry from lists of elements

Privacy Policy Rule Authoring: Preferences
- Unconstrained policy authoring left participants unsure of their rules
- Natural Language template seemed to provide good guidance
- Structured Entry seemed equally satisfying
- Lower score represents higher degree of satisfaction

Privacy Policy Rule Authoring: Quality
- Unconstrained authoring yielded low quality (% elements identified)
- Natural Language and Structured Entry yielded good quality
- Including both methods seems to be the most promising direction

[Architecture diagram labels: Privacy Policy Creation Utility; Author Privacy Policy; Machine Readable; Natural Language; Transform; Visualization Of Privacy; Implementation Utility; Enforcement Engine; Log; Internal Privacy Audit]

Next Steps
- Continue enrichment and testing of the prototype with target customers!
- Exploring relationship to compliance issues