GFIPM Metadata Status Update GFIPM Delivery Team Meeting November 2011.

Slides:

Advertisements

Similar presentations

NIEM and Content Policy briefing David Webber - Public Sector NIEM Team, April 2013 NIEM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.

Advertisements

1 1 GFIPM Enabling Federated Identity and Single Sign-on John Ruegg LA County Information Systems Advisory Body June 11, 2014.

UDDI v3.0 (Universal Description, Discovery and Integration)

This work was performed under the following financial assistance award 70NANB13H189 from the U.S. Department of Commerce, National Institute of Standards.

Sponsored by the National Science Foundation 1 Activities this trimester 0.5 revision of Operational Security Plan Independently (from GPO) developing.

HIPAA, Computer Security, and Domino/Notes Chuck Connell,

SIU School of Medicine Identity Protection Act and Associated SIU Policy.

Data Classification & Privacy Inventory Workshop

Information Security Policies and Standards

10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.

CUMC IRB Investigator Meeting November 9, 2004 Research Use of Stored Data and Tissues.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

Configuration Management

GFIPM Web Services Implementation Status Update GFIPM Delivery Team Meeting November 2011.

GFIPM Deliverables Overview GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

This presentation was prepared by Georgia Tech Research Institute using Federal funds under award 70NANB13H189 from National Institute of Standards and.

10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Procedures to Develop and Register Data Elements in Support of Data Standardization September 2000.

SWITCHaai Team Federated Identity Management.

Global Federated Identity & Privilege Management GFIPM John Ruegg, Director LA County ISAB United States Department of Justice.

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

Functional Model Workstream 1: Functional Element Development.

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

© 2012 IBM Corporation Rational Insight | Back to Basis Series Documents and Record Control Liu Xue Ning.

James Cabral, David Webber, Farrukh Najmi, July 2012.

Proposal for App Id and Service Provider Id registration Group Name: Shelby Kiewel Source: Shelby Kiewel, iconectiv / Ericsson,

WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.

Confidentiality in Your TEAP Program By Diane A. Tennies, Ph.D., LADC Lead TEAP Health Specialist October 20,

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

Tom Clarke VP, Research & Technology National Center for State Courts.

Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.

App-ID Use Cases, Syntax and Attributes SEC App-ID_Use_Cases,_Syntax_and_Attributes Group Name: Architecture Source: Darold Hemphill, iconectiv,

SAML Right Here, Right Now Hal Lockhart September 25, 2012.

...From Collaboration to Integration... Page: 1 November 2, 2006 Welcome and Introduction James Dyche Systems Manager 5 Technology Park Harrisburg, PA.

HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.

GRA Implementations using Open Source Technologies Mark Perbix and Yogesh Chawla SEARCH.

United States Department of Justice Implementing Privacy Policy in Justice Information Sharing: A Technical Framework John Ruegg,

VAMDC use-case for the RDA Data Citation Working Group C.M. Zwölf and VAMDC consortium 6 th RDA Plenary PARIS September 2015.

1 CS 502: Computing Methods for Digital Libraries Lecture 19 Interoperability Z39.50.

11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.

United States Department of Justice Global Security Working Group Update Global Advisory Committee November 2, 2006 Washington, D.C.

DRRP’s Updated MOU: Implementing the Transition Plan for Monitoring and Maintenance Daniel Oppenheimer Tamarisk Coalition.

GFIPM FICAM Status Update GFIPM Delivery Team Meeting November 2011.

Proposal for App Id and Service Provider Id registration Group Name: Shelby Source: Shelby, iconectiv / Ericsson,

A Standards-Based Approach for Supporting Dynamic Access Policies for a Federated Digital Library K. Bhoopalam, K. Maly, F. McCown, R. Mukkamala, M. Zubair.

When Can You Redact Information Without Requesting an Attorney General Decision? Karen Hattaway Assistant Attorney General Open Records Division Views.

Status Update on Other GFIPM Activity Threads GFIPM Delivery Team Meeting November 2011.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

May 2007 Registration Status Small Group Meeting 1: August 24, 2009.

Healthcare Information Standards Panel 2007,2008, and Beyond John D. Halamka MD Chair, HITSP.

XACML Showcase RSA Conference What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation logic n.

Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.

Networks ∙ Services ∙ People Nicole Harris UK federation meeting eduGAIN, REFEDS and the UK 23 June 2015 Project Development Officer GÉANT.

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

International Planetary Data Alliance Registry Project Update September 16, 2011.

OGF PGI – EDGI Security Use Case and Requirements

Chapter 3 Legal Issues.

Chapter 11: Software Configuration Management

The 2018 Human Subject Rules

What’s changed in the Shibboleth 1.2 Origin

Health Ingenuity Exchange - HingX

The 2018 Human Subject Rules

Chapter 11: Software Configuration Management

Appropriate Access InCommon Identity Assurance Profiles

On Parametric Obligation Policies: Enabling Privacy-aware Information Lifecycle Management in Enterprises IEEE Policy Workshop 2007 Marco Casassa Mont.

Presentation transcript:

GFIPM Metadata Status Update GFIPM Delivery Team Meeting November 2011

History of GFIPM Metadata Evolved out of an early “strawman” exercise – Collected attribute concepts from many agencies – Reconciled ideas and built a standard set of terms Version 1.0 approved by GAC in 2008 – User and entity attrs only; complex XML structure Version 2.0 approved by GAC in 2010 – Added resource/action/environment attrs – Changed to a flat attr structure for COTS compat.

Recent GFIPM Metadata Activity Early 2011: Support for Inter-Federation/TIBs – Improved structure of some attribute values – Added a GFIPM Federation Name Registry : – Proposed new attrs based on NCSC XACML work Late 2010 to Present: – Emerging concept of “obligation” metadata Based on work by Global Obligations Task Team

Trusted Identity Broker Concept TIB = “Trusted Identity Broker” – TIB is the service endpoint; TIBO is the agency Brokers users to a federation SP from an IDP outside the federation Example: FBI CJIS – May join NIEF as a TIB soon – Would broker several IDPs (e.g. Chicago PD) to NIEF SPs – Bridges the technical gap, but not at policy level

GFIPM Direct Inter-Agency Trust and Interoperability

GFIPM Inter-Agency Trust and Interoperability via a TIBO

GFIPM Metadata Support for TIBs Modified data formats for three attributes – Federation Id (User Attribute) {Fed Name}:[TIB:{TIB}:]IDP:{IDP}:USER:{User ID} – Identity Provider Id (User Attribute) {Fed Name}:[TIB:{TIB}:]IDP:{IDP} – Entity Id (Entity Attribute) {Federation}:{Technical Role}:{Unique Entity ID} Each attr’s format now supports TIB concept Already approved by GFIPM DT in early 2011

Attribute Format Examples Federation Id Examples “CONNECT:IDP:XYZ12:USER:johndoe99” Identity Provider Id Examples “NIEF:IDP:JNET” “DOJTB:IDP:RISS” “NIEF:TIB:CJIS-Portal:IDP:RISS” “CONNECT:IDP:XYZ” Entity Id Examples “NIEF:IDP:JNET” “CONNECT:SP:ABC” “DOJTB:WSP:123” “NIEF:TIB:CJIS-Portal”

GFIPM Federation Name Registry New attr definitions require use of registered federation name – Guarantees global uniqueness of Federation Id, Identity Provider Id, and Entity Id List of registered names: – “GFIPM” and “NIEF” are already assigned to NIEF Request for registration of a new name: – How to vet name registration requests: – GFIPM Name Registration Process doc

Name Registry Screen Shot

Screen Shot of Reg. Instructions

Open Questions about Name Registry GFIPM Federation Name Reg. Process doc – Brief (3-page) document – Where does it belong? (In the Metadata Spec?) – Who acts as the “GFIPM Governing Body”? – Who acts as “GFIPM Support”? Open federation name reg. requests – RISS: “RISS” – LA County ISAB: “LAC-ISAB”

NCSC XACML Pilot Project Funded via BJA grant to NCSC Goal: Demonstrate the use of an externalized access control mechanism with an existing law enforcement information sharing system – Integrate XACML with test instance of GBI JIMnet – Implement info sharing policies from GBI Directive 7-6 Work Products: – GBI rules expressed in XACML – “XACML-enablement” prototype of GBI JIMnet – Identification of potential new GFIPM attributes

New Attributes Identified Summary of Results: – No new User Attrs – No new Entity Attrs – Five (5) new Resource Attrs – Four (4) new Action Attrs – One (1) new Environment Attr – Four (4) new Obligation Attrs * New attrs recommended for GFIPM Metadata Report available for DT review * Obligations are not yet part of the GFIPM Metadata Spec.

Recommended New Attributes (1/3) Resource Attributes – “Subject of Resource” Category Code Set: “Adult”, “Juvenile”, “Sealed”, etc. – Data Classification Category Code Set: “Sensitive”, “Classified”, “GBI Only”, etc. – Data Jurisdiction Code Set based on jurisdictions – Resource ID – Criminal Activity Category Code Set: “Assault”, “Arson”, “Robbery”, etc.

Recommended New Attributes (2/3) Action Attributes – Query Action Category Code Set: “NCIC Record”, “NLETS”, “AFIS”, etc. – Query Purpose Category Indicates purpose of a criminal history query Code Set: “Lawyer”, “Public Records”, etc. – Criminal Activity Description (Text) Description of criminal activity motivating the query – Access Mode (“Local” or “Remote”)

Recommended New Attributes (3/3) Environment Attributes – Imminent Danger Indicator (Boolean) May need to be self-asserted by user Obligations – “Must Get User Consent to Disclaimer” – “Must Log Access” – “Must Notify Data Owner” – “Must Redact Data from Results”

Refresher on Authorization and Privacy Framework Response message Access Obligations Audit trail Environmental conditions Written policy Obligations Electronic policy statements (dynamic, federated) PEP PDP Actions: release, store, modify, access PII, access w/o PII Request message Identity credentials PEP: Policy Enforcement Point PDP: Policy Decision Point Identity ProvidersService Providers Security & Privacy Policy Services

What is an Obligation? Action that must be performed to fulfill an authorization or privacy policy – Separate from the YES/NO access decision – Examples: “Notify Data Owner of Access” “Redact all PII Data” Can be precisely defined and modeled via XML – Includes both schemas and instances Can be fulfilled via an “obligation handler” – Software that conforms to the obligation definition

Global Obligations Task Team Convened at GISST meeting in Oct 2010 – J. Ruegg, S. Came, J. Dyche, I. Topalova, M. Moyer Goals and Progress in 2011: – Identify obligation concepts in laws and policies DONE – Identify common patterns among obligation concepts DONE – Develop syntax and structure for expressing obligation concepts ONGOING

Laws and Policies Analyzed Privacy Act of 1974 Freedom of Information Act Florida Fusion Center Privacy Policy CFR 28 Part 23 HIPAA Administrative Simplification Statute Colorado Health and Hospital Assoc. Data Use Agreement Colorado Cancer Stats Data Sharing MOU Colorado Data Retention and Destruction Template

Obligation Concepts Identified Notify Redact Delete Data Log Obtain Consent Obtain Acknowledgment from User Restrict Usage To… No Secondary Dissemination No Contact with Subject Purge Within N Days

Ongoing Work Developing a standard structure for expressing obligations precisely – Conceptual model Obligor: Who must perform the obligation? Obligee: For whom must it be performed? Action/Content: What must be performed? Deadline: By when? – Technical model (XML schemas and instances) Target completion date: 1Q or 2Q 2012 – Will recommend addition to GFIPM Metadata Spec

Example Notify Obligation Instance * Matt Moyer John Ruegg Your medical record was accessed on by Dr. John Doe. Fri Oct 28 18:00:00 EDT 2011 * Not a realistic example, in content or structure. For illustration purposes only.