United States Department of Justice www.it.ojp.gov/global Implementing Privacy Policy in Justice Information Sharing: A Technical Framework John Ruegg,

Presentation transcript:

United States Department of Justice
Implementing Privacy Policy in Justice Information Sharing: A Technical Framework
John Ruegg, Chair, Global Technical Privacy Task Team, and Dr. Alan Harbitter, IJIS Institute
10/31/2007

Topics
Approach Overview
Privacy Policy Technical Framework and Components
Applying the Framework to a Simple Use Case
Implementing the Framework
Task Progress Summary

Underlying Principles and Assumptions
Do not invent new technology
Focus on the domain-specific components required for interoperability (e.g., standards, specific metadata)
For now, focus on access rather than collection
Assume that there is a written policy in place
Briefly, we are going to
  – Identify technologies to translate written privacy policy into machine-readable form
  – Define the pieces necessary to link justice information systems to that policy

Global Privacy Task Team Approach
1. Review the Global Privacy and Information Quality Working Group “Privacy Policy Development Guide and Implementation Templates” for Business Requirements
2. Draft Technical Requirements from Business Requirements
3. Validate Technical Requirements against sample use cases

Global Privacy Task Team Approach (continued)
4. Define a Technical Framework for Implementing Privacy Policy
5. Identify metadata to support electronic privacy policy implementations
6. Review vendor products, market maturity for designing and deploying policy services
7. Provide a Summary of Design/Implementation Guidelines, Technical Framework, Standards, and Recommendations for Next Steps

Technical Framework
[Diagram. Labeled elements: audit trail; environmental conditions; written policy; obligations; actions (release, modify, access, delete, …); response message; content metadata; electronic policy statements (dynamic, federated); PEP; PDP; request message; identity credentials]
PEP: Policy Enforcement Point
PDP: Policy Decision Point

Electronic Policy Rules
General authorization policy rule
  – Perform outcomes in response to requests by user categories to perform actions on data categories under conditions for valid business purpose(s) subject to prior agreement to [optional] obligations
(metadata in bold italics)

Example Electronic Privacy Policy Rule
Specific to justice applications
  – Allow (oc) law enforcement ORIs (uc) to perform Updates (a) on criminal history records (dc) under the condition where the ORI is the record owner (c) for criminal history reporting (p) requiring logging of actions (o)
uc: User categories
a: Actions
dc: Data categories
c: Conditions
p: Purposes
o: Obligations
oc: Outcome
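
The example rule above, evaluated by a minimal PDP and enforced by a PEP, as an added Python sketch that is not part of the presentation or of any Global product. The string labels, record fields, and placeholder ORI values are assumptions, as is the choice to write an audit entry for denied requests as well as allowed ones.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    outcome: str                                # oc
    user_category: str                          # uc
    action: str                                 # a
    data_category: str                          # dc
    condition: Callable[[dict, dict], bool]     # c
    purpose: str                                # p
    obligations: tuple = ()                     # o

# The slide's example rule; the string labels are constructed for this sketch.
RULES = [Rule("Allow", "law_enforcement_ori", "update", "criminal_history_record",
              lambda req, rec: req["ori"] == rec["owner_ori"],  # ORI is record owner
              "criminal_history_reporting", ("log_action",))]

def pdp_decide(request, record, rules=RULES):
    """Policy Decision Point: first matching rule wins, otherwise deny."""
    for r in rules:
        if (request["user_category"] == r.user_category
                and request["action"] == r.action
                and record["data_category"] == r.data_category
                and request["purpose"] == r.purpose
                and r.condition(request, record)):
            return r.outcome, r.obligations
    return "Deny", ()

def pep_enforce(request, record, new_disposition, audit_trail):
    """Policy Enforcement Point: apply the decision and discharge obligations."""
    outcome, obligations = pdp_decide(request, record)
    if any(ob != "log_action" for ob in obligations):
        outcome = "Deny"  # an obligation this PEP cannot fulfil: fail closed
    # Assumption of this sketch: every decision is audited, denials included.
    # The rule's logging obligation is met before the update is applied.
    audit_trail.append((request["ori"], request["action"], record["id"], outcome))
    if outcome == "Allow":
        record["disposition"] = new_disposition
    return outcome

if __name__ == "__main__":
    # Constructed sample record and request (placeholder ORI values).
    rec = {"id": "R-1", "data_category": "criminal_history_record",
           "owner_ori": "XX0000001", "disposition": "pending"}
    req = {"ori": "XX0000002", "user_category": "law_enforcement_ori",
           "action": "update", "purpose": "criminal_history_reporting"}
    trail = []
    print(pep_enforce(req, rec, "closed", trail), trail)
```

The non-owner request in the demo is denied and the record is left unchanged, while the denial still appears in the audit trail.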

Simple Use Case: A Cross-Jurisdictional Traffic Stop

More Implementation Considerations
Level of authorization granularity impacts cost and complexity
  – Coarse-grained authorization—user categories including attributes such as user role, user certifications, user organization/membership, … are evaluated to grant/deny access to an application/database/portal
  – Fine-grained authorization—user categories and data categories are evaluated to restrict access to specific records within a database or specific functions within an application
Industry support
  – There are commercial products available to implement each component of the framework

More Implementation Considerations (continued)
Open standards support
  – WS-Federation built upon
      WS-Policy Framework
      WS-Trust
      WS-SecureConversation
      WS-Security
  – WS-MetadataExchange
  – XACML (Policy Assertion Language (PAL))
  – WS-SecurityPolicy
Domain-specific vocabulary
  – NIEM/GJXDM privacy and data quality metadata additions

Implementation Cost Considerations
Balance cost, risk, and complexity
  – Human MOU with no technical implementation standards
  – Low-hanging fruit such as encryption of portable media (memory sticks, laptops, etc.)
  – Larger investment and support required for fine-grained than for coarse-grained authorization

It’s Not All Technology
Training and outreach
Legal research of laws governing privacy and disclosure requirements
Establishment of information stewards and policy decision makers
  – Confidentiality of personal information
  – Appropriate Use Practices
  – Appropriate dissemination policy
  – Physical security measures
  – Procedural measures
  – Policy on portable devices/media
  – Separation of security administration roles

Global Tech Privacy Team Status Update
First draft report delivery—June 2007
Global Working Groups, GESC, and IJIS reviews—July/August 2007
Final draft—executive review and ready for release in fall 2007
Follow-up and next steps—currently under consideration by GAC
GESC: Global Executive Steering Committee
IJIS: Integrated Justice Information System Institute

Next Steps
Action items and assignments
  – Privacy Policy Pilot Projects
      Global Security Working Group (GSWG)
      Global Privacy Information Quality Working Group (GPIQWG)
  – Continued integration with Justice Reference Architecture (JRA)
      Global Infrastructure Standards Working Group (GISWG)
  – Mature metadata and integrate with NIEM/GJXDM/GFIPM
      XML Structure Task Force (XSTF)

Recommendations
Adopt the Privacy Policy Technical Framework
Adopt the common set of standards and metadata that are specific to the justice domain and aligned with current initiatives
Develop a transition strategy for moving to enterprise electronic policy services

Questions?

GAC Recommendations
1. Adopt Implementing Privacy Policy in Justice Information Sharing: A Technical Framework
2. Recommend as resource Implementing Privacy Policy in Justice Information Sharing: A Technical Framework Executive Summary Flyer
3. Recommend as resource Global Federated Identity and Privilege Management Executive Summary Flyer