Privacy By Design Sample Use Case Privacy Controls: Insurance Application - Vehicle Data

PbD Use Case Privacy Controls

Based on PMRM v1.0. Makes possible:

o Identification of abstract controls at the data-flow level
  Controls are mechanisms and processes designed to provide reasonable assurance of the achievement of stated objectives
    o Technical
    o Administrative
    o Physical
  Controls can be pre-defined/baseline (e.g. NIST SP r4 Appendix J) and/or bespoke
o Decomposition of individual controls into pre-defined supporting services
o Design and implementation of concrete functionality and processes comprising the services

Use Case Privacy Control Development (Four Further Stages)

o Inherited Privacy Controls
o Internal Privacy Controls
o Exported Privacy Controls
o Supporting Services
o Risk Assessment
o Technical Functionality and Business Processes

Use Case Privacy Control Development Stage Six

[Diagram labels: Acme Insurance Customer Vehicle Programs; Customer Profile Dept.; Analytics Domain; Customer Portal; Software Development Group; Data Communications; Local Agent portal]

o Incoming PI (Driving patterns and assessed risk linked to VIN)
o Generated PI (Driving patterns and assessed risk)
o Outgoing PI (Name, account number, driving pattern and assessment summaries)

Use Case Privacy Control Development Stage Six

1. Specify privacy controls inherited from Privacy Domains or Systems within Privacy Domains
2. Specify privacy controls mandated by internal Privacy Domain policies
3. Specify privacy controls exported to other Privacy Domains or Systems within Privacy Domains

Use Case Privacy Control Development Stage Six

[Diagram labels: Acme Insurance Customer Vehicle Programs; Customer Profile Dept.; Analytics Domain; Customer Portal; Software Development Group; Data Communications; Local Agent portal]

o Generated PI (Driving patterns and assessed risk)
o Outgoing PI (Name, account number, driving pattern and assessment summaries)
o Incoming PI (Driving patterns and assessed risk linked to VIN)

Controls shown on the diagram:

o Exported Control AR-3: Requirements for Contractors
o Internal Control DI-1: Data Quality
o Inherited Control DM-1: Minimization of PII

Use Case Privacy Control Development Stage Seven

4. Identify Services satisfying privacy controls

Use Case Privacy Control Development Stage Seven

AGREEMENT: Define and document permissions and rules for the handling of PI based on applicable policies, data subject preferences, and other relevant factors; provide relevant Actors with a mechanism to negotiate or establish new permissions and rules; express the agreements for use by other Services.

USAGE: Ensure that the use of PI complies with the terms of any applicable permission, policy, law or regulation, including PI subjected to information minimization, linking, integration, inference, transfer, derivation, aggregation, and anonymization over the lifecycle of the use case.

VALIDATION: Evaluate and ensure the information quality of PI in terms of Accuracy, Completeness, Relevance, Timeliness and other relevant qualitative factors.

Use Case Privacy Control Development Stage Seven

CERTIFICATION: Ensure that the credentials of any Actor, Domain, System, or system component are compatible with their assigned roles in processing PI; and verify their compliance and trustworthiness against defined policies and assigned roles.

ENFORCEMENT: Initiate response actions, policy execution, and recourse when audit controls and monitoring indicate that an Actor or System does not conform to defined policies or the terms of a permission (agreement).

SECURITY: Provide the procedural and technical mechanisms necessary to ensure the confidentiality, integrity, and availability of personal information; make possible the trustworthy processing, communication, storage and disposition of privacy operations.

Use Case Privacy Control Development Stage Seven

INTERACTION: Provide generalized interfaces necessary for presentation, communication, and interaction of PI and relevant information associated with PI; encompasses functionality such as user interfaces, system-to-system information exchanges, and agents.

ACCESS: Enable data-subjects, as required and/or allowed by permission, policy, or regulation, to review their PI that is held within a Domain and propose changes and/or corrections to their PI.

Use Case Privacy Control Development Stage Seven

Internal Control DI-1: Data Quality
  o Validation service
Inherited Control DM-1: Minimization of PII
  o Usage service
  o Security service
Exported Control AR-3: Requirements for Contractors
  o Agreement service

Use Case Development Stage Eight

5. Define technical functionality and business processes supporting selected services

Use Case Privacy Control Development Stage Eight

Validation service
  o Vehicle data cleansing
    E.g., check for inconsistent event sequences
Usage service
  o Automated interfaces to maintain separation of data using identifier with relatively inaccessible auxiliary info
Security service
  o Role-based access control
Agreement service
  o Chain-of-trust contract clause
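
The Validation service's "check for inconsistent event sequences" could look like the following. This is an added example, not part of the original slides; the event kinds, field names and the consistency rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    vehicle_id: str   # identifier carried on the record (constructed values below)
    ts: int           # event time, seconds
    kind: str         # assumed kinds: ignition_on, ignition_off, speed_sample

def find_inconsistencies(events):
    """Return (index, reason) for every event that breaks a sequence rule."""
    problems = []
    state = {}  # vehicle_id -> (last accepted timestamp, ignition is on)
    for i, ev in enumerate(events):
        last_ts, on = state.get(ev.vehicle_id, (None, False))
        if last_ts is not None and ev.ts < last_ts:
            problems.append((i, "timestamp earlier than previous event"))
            continue  # an out-of-order record must not move the state
        if ev.kind == "ignition_on":
            if on:
                problems.append((i, "ignition_on while already on"))
            on = True
        elif ev.kind == "ignition_off":
            if not on:
                problems.append((i, "ignition_off without ignition_on"))
            on = False
        elif ev.kind == "speed_sample":
            if not on:
                problems.append((i, "speed_sample while ignition off"))
        else:
            problems.append((i, "unknown event kind"))
        state[ev.vehicle_id] = (ev.ts, on)
    return problems

def cleanse(events):
    """Drop flagged events before they feed the driving-pattern assessment."""
    bad = {i for i, _ in find_inconsistencies(events)}
    return [ev for i, ev in enumerate(events) if i not in bad]

# Constructed sample feed for two vehicles.
SAMPLE = [
    Event("veh-A", 100, "ignition_on"),
    Event("veh-A", 160, "speed_sample"),
    Event("veh-A", 150, "speed_sample"),   # arrives out of order
    Event("veh-A", 200, "ignition_off"),
    Event("veh-A", 230, "speed_sample"),   # vehicle is switched off
    Event("veh-B", 300, "ignition_off"),   # never switched on
]
```
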

Use Case Privacy Control Development Stage Eight

[Diagram labels: Acme Insurance Customer Vehicle Programs; Customer Profile Dept.; Analytics Domain; Customer Portal; Software Development Group; Data Communications; Local Agent portal]

o Generated PI (Driving patterns and assessed risk)
o Outgoing PI (Name, account number, driving pattern and assessment summaries)
o Incoming PI (Driving patterns and assessed risk linked to VIN)

Controls shown on the diagram:

o Exported Control AR-3: Requirements for Contractors
o Internal Control DI-1: Data Quality
o Inherited Control DM-1: Minimization of PII

Use Case Development Stage Nine

6. Risk assessment
  o VIN sufficient to maintain data separation?
  o If not, implement usage service via random pseudonymous identifiers shared between Acme Insurance Company and Hudson Motor Company
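
A sketch of the Stage Nine fallback, combined with the Stage Eight role-based access control: driving records are re-keyed to a random pseudonymous identifier, and the VIN mapping is held apart and resolvable only by an authorised role. This is an added example, not part of the original slides; the class, function, field and role names are assumptions, and the VINs are constructed placeholders.

```python
import secrets

class PseudonymRegistry:
    """Holds the VIN <-> pseudonym table apart from the driving data."""
    RESOLVE_ROLES = frozenset({"customer_profile"})  # assumed role name

    def __init__(self):
        self._by_vin = {}
        self._by_pid = {}

    def pseudonym_for(self, vin):
        # Random rather than derived from the VIN, so the identifier cannot
        # be recomputed or reversed by someone who only knows the VIN.
        if vin not in self._by_vin:
            pid = secrets.token_hex(16)
            while pid in self._by_pid:       # collision guard
                pid = secrets.token_hex(16)
            self._by_vin[vin] = pid
            self._by_pid[pid] = vin
        return self._by_vin[vin]

    def resolve(self, pid, role):
        # Role-based access control on re-identification.
        if role not in self.RESOLVE_ROLES:
            raise PermissionError(f"role {role!r} may not re-identify vehicles")
        return self._by_pid[pid]

def to_analytics_record(record, registry):
    """Re-key an incoming record: drop the VIN, carry the pseudonym instead."""
    out = {k: v for k, v in record.items() if k != "vin"}
    out["vehicle_pid"] = registry.pseudonym_for(record["vin"])
    return out

# Constructed sample input; the VIN strings are placeholders, not real VINs.
INCOMING = [
    {"vin": "VIN-PLACEHOLDER-0001", "hard_brakes": 3, "risk": "medium"},
    {"vin": "VIN-PLACEHOLDER-0002", "hard_brakes": 0, "risk": "low"},
    {"vin": "VIN-PLACEHOLDER-0001", "hard_brakes": 1, "risk": "medium"},
]

def demo():
    registry = PseudonymRegistry()
    analytics = [to_analytics_record(r, registry) for r in INCOMING]
    owner = registry.resolve(analytics[0]["vehicle_pid"], "customer_profile")
    return analytics, owner
```
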