1
Privacy-by-design Methodology
Nicolas Notario (Atos), Antonio Kung (Trialog). 09/03/2015. Privacy and Security by Design Methodology I
2
Privacy-by-Design (PbD)?
Not only related to design. Thibaud Antignac and Daniel Le Métayer (Inria) used the term Privacy-by-Construction. We also use the term Privacy and Security by Design (PSbD), a term discussed during CSP 2014 (see blog).
Four possible definitions of PSbD:
A: An approach to system engineering which takes into account privacy and measures to protect ICT assets during the whole engineering process.
B: Institutionalisation of the concepts of privacy and security in organisations and integration of these concepts in the design of systems.
C: Embedding privacy and security in the technology and system development from the early stages of conceptualisation and design, and institutionalising privacy and security considerations in organisations.
D: Applying a set of principles from the design phase of ICT systems in order to mitigate security and privacy concerns, guiding designers' and implementers' decisions throughout the development of the systems.
3
PRIPARE : Integration of disconnected practices
Practices integrated by PRIPARE:
Ontario IPC PbD principles
Privacy Impact Assessments
Privacy Management Reference Model (PMRM)
Microsoft Security Development Lifecycle
Risk management
Privacy Enhancing Architectures
ISO Standards (29100, 29101, 24760, 29140)
PIA chain: Context → Feared events → Threats (if needed) → Risks (if needed) → Measures → PEARs
4
References: PRIPARE D1.2 deliverable, Privacy and Security-by-design Methodology, December 2014.
5
Several Phases (A to H) – Many Processes
A Analysis: A1 Functional description and high-level privacy analysis; A2 Detailed Privacy Analysis; A3 Privacy Requirements; A4 Legal compliance; A5 Risk management
B Design: B1 Privacy enhancing architecture design (PEAR); B2 Privacy enhancing detailed design; B3 User-centered UI design
C Implementation: C1 Privacy implementation
D Verification: D1 Accountability; D2 Security and Privacy static analysis; D3 Security and Privacy dynamic analysis
E Release: E1 Create incident response plan; E2 Create system retirement plan; E3 Final security and privacy review; E4 Publish PIA report
F Maintenance: F1 Execute incident response plan; F2 Security and privacy verification
G Decommission: G1 Execute retirement plan
H Environment and Infrastructure: H1 Organisational privacy architecture; H2 Promote privacy awareness
6
SIPOC Template: Supplier – Input –Process – Output - Customer
Process name
Suppliers: who supplies inputs to the process?
Inputs: what specifications are placed on the inputs?
Process: what does the process consist of?
Outputs: what are the requirements of the consumers?
Customers: who are the true consumers of the outputs of the process?
Tools & Techniques: methodologies, practices, standards, patterns
Knowledge: what is the knowledge needed?
Responsible: stakeholders and roles
7
Part 1 Monday (Antonio Kung). Part 2 Tuesday (Nicolas Notario).
8
A – Analysis
9
A Analysis. The WHAT: characterize the system or business process to be built and provide a specification of the system attributes:
Goals and purpose
Components
Environment and constraints imposed by the environment
Inputs and outputs
Interrelation between the various components
Stakeholders
Functional perspective
10
A Analysis: two stages.
Preliminary stage: identify scope, scale, stakeholders and roles.
Principal stage: characterize the system or business process (A1 Functional description and high-level privacy analysis; A2 Detailed Privacy Analysis; A3 Privacy Requirements; A4 Legal compliance; A5 Risk management).
One of the most important aspects that must be taken into account during this phase is the involvement and consultation of internal and external stakeholders (including data subjects and end users) in order to identify privacy and security risks based on their own expertise and particular interests.
11
Scope (A Analysis) depends on the following parameters:
Application domain: smart grid, Internet of Things, surveillance, …
Legislation: e.g. France
Context: media awareness, horror stories, available initiatives
Type of value chain
Type of architecture: distributed system, local system, …
Type of system: application (e.g. a health monitoring system) or platform (e.g. a data storage system for health data)
12
Scale (i.e. how much Effort?)
Scale (A Analysis) depends on the following parameters:
TRL (Technology Readiness Level): TRL 1-3 research proof of concept; TRL 4-6 living lab experimentation; TRL 7-9 market level deployment
Complexity parameter: component in a system, or integrated system
Layer parameter: application, or platform
13
Methodology Scale Example
Effort multiplier by system type and TRL (A Analysis):
                                                 TRL 1-3              TRL 4-6              TRL 7-9
                                                 Research prototype   Living lab product   Market product
Application (e.g. a banking application)         x3                   x12                  x18
Component in application (e.g. a user display)   x1                   x4                   x6
Infrastructure (e.g. cloud operating system)     x3                   x12                  x18
Component infrastructure (e.g. wifi protocol)    x1                   x4                   x6
14
Stakeholders and Roles
Stakeholders and roles (A Analysis):
System engineers: in charge of design and development
Privacy & security managers & officers (PSMO): senior executives in charge of privacy and security
Data protection authorities (DPA): independent body
Subjects: persons whose personal data are collected
Project managers: senior executive in charge of development
End users: users of the engineered system
15
A Preliminary stage: Resources Examples
Lightweight: 1h meeting, with minutes from the system engineer
Medium: 4h meeting; 4h work on report; 1h review of report with project manager
Full: 2 days' work on report; 1h meeting with PSMO
Which level (Light / Med / Full) applies follows the methodology scale matrix: system type (component in application, application, component infrastructure, infrastructure) against TRL (1-3 research prototype, 4-6 living lab product, 7-9 market).
16
Analysis preliminary stage
SIPOC Summary (A Analysis, preliminary stage)
Suppliers: project managers, PSMOs, DPA
Inputs: information on project
Process: determine scope and methodology scale; assess PRIPARE process w.r.t. organisation standards and processes; distribution of roles
Outputs: scope; methodology scale; roles and responsibilities
Customers: system engineers, internal and external stakeholders
Tools & Techniques and Knowledge: methodology scale; business domain of the project; privacy and security risks
Responsible: project manager, PSMO
17
Exercise (A Analysis, preliminary stage)
Scope: application
Methodology scale: TRL 4-6 (living lab); complexity: medium
Responsibilities and roles:
System engineers: computer science project team
Privacy & security managers & officers: university dean, with the help of the university lawyer and an academic expert on security, privacy and trust
Subjects: students
End users: students, professors, academic administration
18
A1 – Functional description and high-level privacy analysis
19
A1 Functional description and high-level privacy analysis
Quickly exposes potential privacy risks and the need for, and scope of, following privacy and security by design methodologies. Based on OASIS/PMRM.
20
A1 Functional description and high-level privacy analysis
Four main activities of A1:
Functional description: general description
Inventory description: level of granularity consistent with methodology scale; examples: systems and subsystems, legal and regulatory jurisdictions, policies, personal information
Criteria for conformance: based on applicable privacy and security policies
Initial privacy impact assessment: risk assessment (e.g. a simpler version of A4), privacy maturity assessment, compliance review, accountability model assessment, …
21
A1 Resources Examples
Lightweight: 2h meeting (system engineer and project manager); minutes reviewed by project manager
Medium: 4h meeting (system engineer and project manager); 2 days' work on report by system engineer, reviewed by project manager; 2h meeting (system engineer, project manager, PSMO); minutes reviewed by PSMO
Full: 1 day meeting (system engineer and project manager); 5 days' work on report by system engineer, reviewed by project manager; 4h meeting (system engineer, project manager, PSMO); minutes reviewed by PSMO
Level (Light / Med / Full) follows the methodology scale matrix (system type against TRL).
22
A1 Functional description and high-level privacy analysis
SIPOC Summary (A1 Functional description and high-level privacy analysis)
Suppliers: project managers, PSMOs
Inputs: interviews or workshops with stakeholders
Process: provide general description of system or business process; provide inventory of capabilities, applications and policy environment under review; define criteria for conformance of a system or business process with applicable privacy and security policy; prepare an initial PIA
Outputs: functional description; inventory; privacy and security policy conformance criteria; preliminary PIA
Customers: system engineers, DPA, end users
Tools & Techniques: UML, UP, RUP, OUM, user stories, interviews, narrative, …
Knowledge: system's domain, applicable legislation
Responsible: project developer
23
A1 Functional description and high-level privacy analysis
Exercise (A1 Functional description and high-level privacy analysis)
Functional description: evaluation system
Inventory description (level of granularity consistent with methodology scale): tracking system, evaluation system
Criteria for conformance with applicable privacy and security policy
Initial privacy impact assessment
24
A2 – Detailed Privacy Analysis
25
A2 Detailed Privacy Analysis
Detailed privacy analysis, in order to provide an inventory of personal data, sub-systems, etc. that may be subject to privacy or security risks. Based on OASIS/PMRM.
26
A2 Detailed Privacy Analysis
Three main activities of A2:
Identify relevant artefacts: stakeholders; systems; domains and domain owners; roles and responsibilities; touch points and data flows
Identify personal data
Specify privacy and security controls
27
Identify Relevant Artefacts
A2 Detailed Privacy Analysis
Stakeholders: create, manage, interact with, or are otherwise subject to personal data (e.g. student, professor, registration, …)
System: collection of components organised to accomplish a specific function or set of functions (e.g. registration system)
Domain: subject to the control of an owner; physical areas (e.g. class) or logical areas (e.g. cloud computing environment)
Roles and responsibilities: assigned to specific participants and systems within a specific privacy domain (e.g. class attendance system)
Data flows: carry personal data and privacy constraints (e.g. from user to course evaluation system)
Touch points: data flows crossing domains (e.g. from user computer to cloud system)
28
Identify Personal Data
A2 Detailed Privacy Analysis. Specify personal data collected, created, communicated, processed or stored within privacy domains or systems. Three types:
Incoming (e.g. posting a picture on a social network)
Internally generated (e.g. user profiling)
Outgoing (e.g. selling data)
29
Privacy and Security (PS) Controls
A2 Detailed Privacy Analysis. Objective: enforce PS policies associated with personal data. Applies to all types of personal data: incoming, internally generated and outgoing.
How (cheat sheet): consider each data protection and security principle; identify what can be applied to the personal data.
30
A2 Detailed Privacy Analysis
Types of PS controls (A2 Detailed Privacy Analysis):
Inherited: inherited from privacy domains or systems within privacy domains (a social network provider should inherit consumer policy preferences)
Internal: mandated by internal privacy domain policies
External: those which must be exported to other privacy domains or to systems within privacy domains (a subcontractor of a social network provider should import its controls)
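The A2 artefacts (domains, systems, data flows, touch points), the incoming/outgoing personal data per domain and the inherited/internal/external control types, worked as one small model. This is an added example, not code from the PRIPARE deliverable or the slides; the course evaluation scenario, the control names and the class names are all constructed for illustration.

```python
# Added example (not PRIPARE's own code): a PMRM-style model of the A2
# artefacts. It derives touch points (flows crossing domains), the personal
# data entering and leaving each domain, and checks that the external
# controls a domain exports for a data category actually reach the receiving
# domain, either attached to the flow or held by that domain as an internal
# or inherited control. All names below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class System:
    name: str
    domain: str  # privacy domain whose owner controls this system


@dataclass(frozen=True)
class DataFlow:
    source: str               # system name
    target: str               # system name
    personal_data: frozenset  # categories of personal data carried
    controls: frozenset       # privacy constraints attached to the flow itself


@dataclass
class Domain:
    name: str
    owner: str
    # Internal controls: mandated by the domain's own policies.
    internal: set = field(default_factory=set)
    # Inherited controls: imported from other domains (the subcontractor case).
    inherited: set = field(default_factory=set)
    # External controls: data category -> controls that must be exported
    # together with that data whenever it leaves this domain.
    external: dict = field(default_factory=dict)


class PrivacyModel:
    def __init__(self):
        self.domains = {}
        self.systems = {}
        self.flows = []

    def add_domain(self, d): self.domains[d.name] = d
    def add_system(self, s): self.systems[s.name] = s
    def add_flow(self, f): self.flows.append(f)

    def domain_of(self, system_name):
        return self.systems[system_name].domain

    def touch_points(self):
        """Data flows whose endpoints sit in different privacy domains."""
        return [f for f in self.flows
                if self.domain_of(f.source) != self.domain_of(f.target)]

    def incoming_data(self, domain):
        """Personal data categories entering a domain through touch points."""
        return set().union(*(f.personal_data for f in self.touch_points()
                             if self.domain_of(f.target) == domain))

    def outgoing_data(self, domain):
        """Personal data categories leaving a domain through touch points."""
        return set().union(*(f.personal_data for f in self.touch_points()
                             if self.domain_of(f.source) == domain))

    def missing_controls(self):
        """For each touch point, the exported controls of the source domain
        that neither travel with the flow nor are held by the target domain."""
        findings = []
        for f in self.touch_points():
            src = self.domains[self.domain_of(f.source)]
            dst = self.domains[self.domain_of(f.target)]
            available = f.controls | dst.internal | dst.inherited
            for category in sorted(f.personal_data):
                gap = src.external.get(category, set()) - available
                if gap:
                    findings.append((f.source, f.target, category, sorted(gap)))
        return findings


def build_example_model():
    """Constructed scenario: students rate courses through a university
    front end whose storage is outsourced to a cloud provider."""
    m = PrivacyModel()
    m.add_domain(Domain("student", "data subject",
                        external={"free_text_comment": {"consent"},
                                  "course_rating": {"consent"}}))
    m.add_domain(Domain("university", "dean",
                        internal={"access_logging"},
                        external={"student_id": {"pseudonymisation", "retention_limit"},
                                  "free_text_comment": {"retention_limit"}}))
    m.add_domain(Domain("cloud", "cloud operator",
                        internal={"encryption_at_rest"},
                        inherited={"access_logging"}))
    m.add_system(System("student_browser", "student"))
    m.add_system(System("evaluation_frontend", "university"))
    m.add_system(System("grade_register", "university"))
    m.add_system(System("evaluation_store", "cloud"))
    # Touch point: student device -> university; consent travels with the data.
    m.add_flow(DataFlow("student_browser", "evaluation_frontend",
                        frozenset({"course_rating", "free_text_comment"}),
                        frozenset({"consent", "tls"})))
    # Internal flow: stays inside the university domain, so not a touch point.
    m.add_flow(DataFlow("evaluation_frontend", "grade_register",
                        frozenset({"student_id"}), frozenset()))
    # Touch point: university -> cloud; only transport security is attached.
    m.add_flow(DataFlow("evaluation_frontend", "evaluation_store",
                        frozenset({"student_id", "course_rating", "free_text_comment"}),
                        frozenset({"tls"})))
    return m


if __name__ == "__main__":
    model = build_example_model()
    for f in model.touch_points():
        print(f"touch point: {f.source} -> {f.target}: {sorted(f.personal_data)}")
    for src, dst, category, gap in model.missing_controls():
        print(f"{src} -> {dst}: {category} lacks {gap}")
```

Running it reports the university-to-cloud touch point as the place where the student identifier and free-text comments cross without the retention and pseudonymisation controls the university exports; that list is exactly the input A2 hands to the "specify privacy and security controls" activity.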
31
A2 Resources Examples
Lightweight: 4h meeting (system engineer and project manager); 2 days' work on report by system engineer; minutes reviewed by project manager
Medium: 4h meeting (system engineer and project manager); 4 days' work on report by system engineer, reviewed by project manager; 2h meeting (system engineer, project manager, PSMO); minutes reviewed by PSMO
Full: 1 day meeting (system engineer and project manager); 4h meeting (system engineer, project manager, PSMO)
Level (Light / Med / Full) follows the methodology scale matrix (system type against TRL).
32
A2 Detailed Privacy Analysis
SIPOC Summary (A2 Detailed Privacy Analysis)
Suppliers: project manager, data protection authority, PSMOs
Inputs: use case description; use case inventory; privacy policy conformance criteria; preliminary PIA
Process: identify stakeholders, systems, domains and domain owners, roles and responsibilities, touch points and data flows; identify personal data in privacy domains and systems; specify required privacy controls associated with personal data
Outputs: stakeholders, systems, domains and domain owners, roles and responsibilities, touch points and data flows; personal data; privacy controls
Customers: system engineer, data subjects, DPA
Tools & Techniques: UML, UP, RUP, OUM, user stories, interviews, narrative, …
Knowledge: system's domain, applicable legislation and good practices
Responsible: project developer
33
A2 Detailed Privacy Analysis
Exercise (A2 Detailed Privacy Analysis)
Identify relevant artefacts: stakeholders; systems; domains and domain owners; roles and responsibilities; touch points and data flows
Identify personal data
Specify privacy and security controls
34
A3 – Privacy Requirements
35
A3 Privacy Requirements
This phase focuses on privacy requirement operationalisation: mapping high-level, legal and user concerns into engineering requirements. Three steps:
Principles (the high-level concerns)
Guidelines (specific goals)
Privacy controls (resulting engineering requirements)
36
A3 Privacy Requirements
ISO principles (A3 Privacy Requirements):
Consent and choice: data subject chooses whether or not to allow the processing of personal data …
Purpose legitimacy and specification: purpose(s) complies with applicable law and relies on a permissible legal basis …
Collection limitation: limiting the collection of personal data to that which is within the bounds of applicable law and strictly necessary for the specified purpose …
Data minimization: minimise the personal data which is processed and the number of privacy stakeholders and people to whom personal data is disclosed or who have access to it …
Use, retention and disclosure limitation: limiting the use, retention and disclosure (including transfer) of personal data to that which is necessary in order to fulfil specific, explicit and legitimate purposes
Accuracy and quality: ensuring that personal data processed is accurate, complete, up-to-date …
Openness, transparency and notice: providing data subjects with clear and easily accessible information about the data controller's policies, procedures and practices …
Individual participation and access: giving data subjects the ability to access and review their personal data …
Accountability: documenting and communicating as appropriate all privacy-related policies, procedures and practices …; informing data subjects about privacy breaches that can lead to substantial damage to them …
Information security: protecting personal data with appropriate controls at the operational, functional and strategic level to ensure the integrity, confidentiality and availability of the personal data
Privacy compliance: verifying and demonstrating that the processing meets data protection and privacy safeguarding requirements by periodically conducting audits …
37
A3 Privacy Requirements
PRIPARE Principles 1/2 (A3 Privacy Requirements): mapping from ISO 29100 principles to PRIPARE principles
ISO 2 Purpose legitimacy and specification → PRIPARE 3 Purpose specification and limitation (finality or legitimacy): legitimacy of processing personal data must be ensured by basing data processing on consent, contract, legal obligation, etc.; personal data must be collected for specified, explicit and legitimate purposes. Also PRIPARE 4 Sensitive data (purpose specification and limitation for sensitive data).
ISO 1 Consent and choice, ISO 3 Collection limitation, ISO 4 Data minimization → PRIPARE 2 Data minimization and proportionality: limit the processing of data and ensure data avoidance and minimisation, processing only adequate and relevant personal data
ISO 5 Use, retention and disclosure limitation → PRIPARE 10 Limited conservation and retention: retention of data should be for the minimum period of time consistent with the purpose of the retention or other legal requirements
ISO 6 Accuracy and quality → PRIPARE 1 Data quality: quality of data and transparency need to be ensured; data should be accurate and kept up to date
ISO 7 Openness, transparency and notice → PRIPARE 5 Transparency and openness: compliance with the data subject's right to be informed
38
A3 Privacy Requirements
PRIPARE Principles 2/2 (A3 Privacy Requirements): mapping from ISO 29100 principles to PRIPARE principles
ISO 8 Individual participation and access → PRIPARE 6 Right of access: compliance with the data subject's right of access, rectification, erasure or blocking of data; PRIPARE 7 Right to object: compliance with the data subject's right to object; PRIPARE 12 Right to erasure: taking all reasonable steps to have individuals' data erased, including by third parties, without delay, for personal data that was made public without legal justification
ISO 9 Accountability → PRIPARE 11 Accountability: demonstrable acknowledgement and assumption of responsibility for having in place appropriate policies and procedures, and promotion of good practices that include correction and remediation for failures and misconduct
ISO 10 Information security → PRIPARE 8 Confidentiality and security: preventing unauthorised access, logging of data processing, network and transport security and preventing accidental loss of data
ISO 11 Privacy compliance → PRIPARE 9 Compliance with notification requirements: notification about data processing, prior compliance checking and documentation
Further PRIPARE principles:
PRIPARE 13 Privacy and data protection by design: data protection to be embedded within the entire lifecycle of the technology
PRIPARE 14 Privacy and data protection by default: privacy preferences are automatically set to their most privacy-preserving configuration
39
From Principle to Guidelines
A3 Privacy Requirements. Each principle is decomposed into a fixed, mandatory set of guidelines; guidelines provide the specific goals identified to meet a principle.
Principle 1. Data quality:
G-1.1. Ensure the quality of personal data collected, created, used, maintained and shared
G-1.2. Ensure data integrity of personal data
Principle 2. Data minimization and proportionality:
G-2.1. Avoid and minimise the use of personal data along its whole lifecycle
G-2.2. Minimise personal data used in pre-production systems
3. …
40
From Guidelines to Privacy Controls
A3 Privacy Requirements. Guidelines are refined into a set of privacy controls: technical and organisational measures incorporated into systems and organisations.
Principle 2. Data minimization and proportionality
G-2.1. Avoid and minimise use of personal data along whole lifecycle:
C-2.1.1. When personal data is collected or retained, only allow that which is authorised and consented to by the user
C-2.1.2. Periodically evaluate that all the personal data is identified …
C-2.1.3. When personal data is no longer needed, delete or anonymise it
C-2.1.4. …
G-2.2. Minimise personal data used in pre-production systems:
C-2.2.1. When doing testing, training and research, apply procedures to minimise personal data
C-2.2.2. …
41
A3 Privacy Requirements
PRIPARE Cheat Sheet (A3 Privacy Requirements): see annex C of the PRIPARE D1.2 deliverable, Privacy and Security-by-design Methodology, December 2014.
42
A3 Resources Examples
Lightweight: 4h meeting (system engineer and project manager); 2 days' work on report by system engineer; minutes reviewed by project manager
Medium: 4h meeting (system engineer and project manager); 4 days' work on report by system engineer, reviewed by project manager; 2h meeting (system engineer, project manager, PSMO); minutes reviewed by PSMO
Full: 1 day meeting (system engineer and project manager); 4h meeting (system engineer, project manager, PSMO)
Level (Light / Med / Full) follows the methodology scale matrix (system type against TRL).
43
A3 Privacy Requirements
SIPOC Summary (A3 Privacy Requirements)
Suppliers: project manager; data protection authority; PSMOs; business & system analysts
Inputs: functional description of the system; stakeholders, systems, domains and domain owners, roles and responsibilities, touch points and data flows; privacy principles
Process: identify principles and guidelines; determine applicability of privacy controls
Outputs: stakeholders, systems, domains and domain owners, roles and responsibilities, touch points and data flows; personal data; privacy controls
Customers: system designer; project managers
Tools & Techniques: family of guidelines and privacy controls
Knowledge: guidelines, privacy controls, and the mapping from principles to those
Responsible: business & system analysts
44
A3 Privacy Requirements
Exercise (A3 Privacy Requirements): guidelines; privacy controls
45
A4 – Legal Compliance
46
A4 Legal compliance checks whether the proposed system or business process complies with legislation. It requires an analysis of the project, the information flows and potential risks, and measures whether the project or technology is compliant with the privacy principles in relevant data protection legislation.
47
A4 Resources Examples
Lightweight: 1h meeting (project manager and PSMO); minutes provided by PSMO
Medium: 4h meeting (system engineer and project manager); report written by project manager
Full: 1h meeting (system engineer, project manager and PSMO); 2 days' work (system engineer); PIA report provided by system engineer
Level (Light / Med / Full) follows the methodology scale matrix (system type against TRL).
48
A4 Legal compliance
SIPOC Summary (A4 Legal compliance)
Suppliers: project managers, legal staff, PSMOs/data protection authorities
Inputs: project description; relevant legislation; soft law
Process: analysing the project to make sure it is compliant, including 'soft law', e.g. EDPS and Article 29
Outputs: compliance analysis
Customers: project manager, system engineer
Tools & Techniques: privacy principle checklist/table of threats, vulnerabilities, risks & solutions
Knowledge: knowledge and understanding of relevant privacy legislation, Article 29 opinions, EDPS opinions, national legislation
Responsible: project manager supported by legal staff
49
Exercise (A4 Legal compliance): European legislation …
50
A5 – Risk Management
Risk management (A5 Risk management)
Risk management is the identification, assessment, and prioritization of risks (defined in ISO as the effect of uncertainty on objectives).
A generic process:
1. identify and characterize threats
2. assess the vulnerability of critical assets to specific threats
3. determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
4. identify ways to reduce those risks
5. prioritize risk reduction measures based on a strategy
Risk management (A5 Risk management)
There are many risk management processes and standards:
- ICT security risk (e.g. confidential business data is revealed): EBIOS, TVRA, …
- Disaster risk (e.g. a tsunami threatens a power plant): bow-tie, …
- Privacy risk (e.g. a picture of a user is made public): CNIL, LINDDUN
They all follow the same generic process, but they use different knowledge references or cheat sheets (e.g. STRIDE, LINDDUN, …) and take different viewpoints (threat viewpoint, feared-event viewpoint).
STRIDE Security Threats Cheat Sheet (A5 Risk management)
Property | Description | Threat
Authentication | The identity of users is established (or you're willing to accept anonymous users). | Spoofing
Integrity | Data and system resources are only changed in appropriate ways by appropriate people. | Tampering
Nonrepudiation | Users can't perform an action and later deny performing it. | Repudiation
Confidentiality | Data is only available to the people intended to access it. | Information disclosure
Availability | Systems are ready when needed and perform acceptably. | Denial of service
Authorization | Users are explicitly allowed or denied access to resources. | Elevation of privilege
LINDDUN Privacy Threats Cheat Sheet (A5 Risk management)
Type | Property | Description | Threat
Hard privacy | Unlinkability | Hiding the link between two or more actions, identities, and pieces of information. | Linkability
Hard privacy | Anonymity | Hiding the link between an identity and an action or a piece of information. | Identifiability
Hard privacy | Plausible deniability | Ability to deny having performed an action that other parties can neither confirm nor contradict. | Non-repudiation
Hard privacy | Undetectability and unobservability | Hiding the user's activities. | Detectability
Security | Confidentiality | Hiding the data content or controlled release of data content. | Disclosure of information
Soft privacy | Content awareness | User's consciousness regarding his own data. | Unawareness
Soft privacy | Policy and consent compliance | Data controller informs the data subject about the system's privacy policy, or allows the data subject to specify consents in compliance with legislation. | Non-compliance
CNIL Viewpoint (Feared Events) (A5 Risk management)
[Figure from the CNIL methodology document; not reproduced in the extracted text]
CNIL Risk Analysis (A5 Risk management)
Scale for each factor: Negligible = 1, Limited = 2, Significant = 3, Maximum = 4
For each feared event:
- LI: level of identification
- PE: prejudicial effect
- Severity = LI + PE, rated Negligible (< 5), Limited (= 5), Significant (= 6), Maximum (> 6)
For each threat:
- AV: asset vulnerability
- CE: capability to exploit
- Likelihood = AV + CE, rated Negligible (< 5), Limited (= 5), Significant (= 6), Maximum (> 6)
Risk = f(Severity, Likelihood) (A5 Risk management)
Risk map: severity (Negligible, Limited, Significant, Maximum) against likelihood (Negligible, Limited, Significant, Maximum). Each cell falls into one of four treatment categories: "Absolutely avoided or reduced", "Must be avoided or reduced", "Reduced", "These risks may be taken". (The cell assignments are not recoverable from the extracted slide.)
Example (A5 Risk management)
Feared event: Alice's attendance is made public
- Level of identification: Maximum = 4
- Prejudicial effect: Significant = 3
- Severity: 4 + 3 = 7, i.e. Maximum
Threat: someone hacks into the attendance management system and retrieves the log of attendance
- Asset vulnerability and capacity to exploit: (values not shown on the slide)
- Likelihood: Significant = 6
Plot the pair (severity Maximum, likelihood Significant) on the risk map to read off the treatment category: "Absolutely avoided or reduced", "Must be avoided or reduced", "Reduced" or "These risks may be taken".
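The scoring from the two CNIL slides, carried through on Alice's example as an added Python example (this is not code from the PRIPARE project or from CNIL). The severity and likelihood sums and the four rating thresholds come from the slides; the asset-vulnerability and capacity-to-exploit values for the threat are constructed here (Significant + Significant), since the slide shows only the resulting likelihood of 6, and the rule that places a (severity, likelihood) pair into one of the four treatment categories is an assumption of this example, because the slide's risk map cells are not legible in the extracted text.

```python
"""CNIL-style privacy risk scoring (added example, not CNIL or PRIPARE code).

Severity   = LI + PE  (level of identification + prejudicial effect)
Likelihood = AV + CE  (asset vulnerability + capability to exploit)
Each factor is scored Negligible = 1, Limited = 2, Significant = 3, Maximum = 4,
and a sum is rated Negligible (< 5), Limited (= 5), Significant (= 6), Maximum (> 6).
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE = {"Negligible": 1, "Limited": 2, "Significant": 3, "Maximum": 4}


def score(label: str) -> int:
    """Turn one of the four CNIL labels into its numeric value; reject anything else."""
    try:
        return SCALE[label]
    except KeyError:
        raise ValueError(f"unknown rating {label!r}; expected one of {list(SCALE)}") from None


def rate(total: int) -> str:
    """Rate a two-factor sum (2..8) with the thresholds from the slide."""
    if total < 5:
        return "Negligible"
    if total == 5:
        return "Limited"
    if total == 6:
        return "Significant"
    return "Maximum"


def severity(level_of_identification: str, prejudicial_effect: str) -> tuple[int, str]:
    """Severity of a feared event: LI + PE, returned with its rating."""
    total = score(level_of_identification) + score(prejudicial_effect)
    return total, rate(total)


def likelihood(asset_vulnerability: str, capability_to_exploit: str) -> tuple[int, str]:
    """Likelihood of a threat: AV + CE, returned with its rating."""
    total = score(asset_vulnerability) + score(capability_to_exploit)
    return total, rate(total)


def treatment(severity_rating: str, likelihood_rating: str) -> str:
    """Map a (severity, likelihood) pair to one of the slide's four treatment
    categories.  ASSUMPTION of this example: 'high' means Significant or
    Maximum; the slide's actual risk-map cell assignments are not available."""
    high_sev = score(severity_rating) >= SCALE["Significant"]
    high_lik = score(likelihood_rating) >= SCALE["Significant"]
    if high_sev and high_lik:
        return "Absolutely avoided or reduced"
    if high_sev:
        return "Must be avoided or reduced"
    if high_lik:
        return "Reduced"
    return "These risks may be taken"


@dataclass
class Risk:
    """One feared event paired with one threat that can cause it."""
    feared_event: str
    level_of_identification: str
    prejudicial_effect: str
    threat: str
    asset_vulnerability: str
    capability_to_exploit: str

    def assess(self) -> dict:
        sev_total, sev = severity(self.level_of_identification, self.prejudicial_effect)
        lik_total, lik = likelihood(self.asset_vulnerability, self.capability_to_exploit)
        return {
            "severity": (sev_total, sev),
            "likelihood": (lik_total, lik),
            "treatment": treatment(sev, lik),
        }


# The slide's example.  LI and PE are as given on the slide; AV and CE are
# constructed here because the slide shows only the resulting likelihood (6).
ALICE = Risk(
    feared_event="Alice's attendance is made public",
    level_of_identification="Maximum",     # 4, from the slide
    prejudicial_effect="Significant",      # 3, from the slide
    threat="Someone hacks into the attendance management system and retrieves the log",
    asset_vulnerability="Significant",     # constructed
    capability_to_exploit="Significant",   # constructed
)

if __name__ == "__main__":
    print(ALICE.assess())
```

The two-line `treatment` rule is the part to replace with the real risk map once you have the CNIL document in front of you; everything above it is exactly the arithmetic on the slide, so a reviewer can check a PIA's numbers by re-running it on the recorded ratings.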
LINDDUN Methodology (A5 Risk management)
1 Define Data Flow Diagram
2 Map privacy threats to DFD elements
3 Identify threat scenarios
4 Threat prioritisation
5 Extract privacy requirements
Then select the corresponding PETs
Step 1: Define Data Flow Diagram (A5 Risk management)
DFD element types: entity, process, data store, data flow
Elements of the attendance example: 1. User (entity); 2. Attendance Manager (process); 3. Attendance data (data store); data flows between them
Step 2: Map privacy threats to DFD elements (A5 Risk management)
Threat targets (rows): Data store – Attendance data; Data flow – User data stream; Data flow – Database data stream; Process – Attendance manager; Entity – User
Threat categories (columns): L, I, N, D, U
The slide marks one cell for the Attendance data store and one for the User data stream; the marked columns are not recoverable from the extracted text.
Step 3: Identify threat scenarios (e.g. using privacy threat tree patterns) (A5 Risk management)
Example leaf nodes of the threat tree: "No access protection?"; "Attendance data store not encrypted?"
From [source not recoverable from the extracted slide]
Other steps (A5 Risk management)
Step 4: Assign priorities (e.g. use the CNIL formulas)
Step 5: Extract privacy requirements
Threat (misuse case) | Caused by (leaf node) | Mitigated by (requirement)
Attempting access to attendance data | Data is intelligible because it is not encrypted | Encryption
Attempting access to attendance data | No protection for access | Password based access
From the LINDDUN tutorial
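LINDDUN steps 1, 2, 3 and 5 run on the attendance example from the preceding slides, as an added Python example (not the LINDDUN tooling and not PRIPARE code). The DFD elements, the threat tree leaves and the leaf-to-requirement table are the ones shown on the slides; the table of which LINDDUN threat categories apply to which DFD element type is this example's assumption (my recollection of the LINDDUN mapping table) and should be checked against the LINDDUN reference. Step 4 is not recomputed here: a scenario carries whatever priority the CNIL formulas produced.

```python
"""LINDDUN steps 1-3 and 5 on the attendance example (added example).

The ELEMENT_THREATS table is an ASSUMPTION of this example; verify it against
the LINDDUN reference.  Non-compliance (Nc) is assessed for the system as a
whole rather than per DFD element, so it does not appear in that table.
"""
from dataclasses import dataclass, field

THREAT_NAMES = {
    "L": "Linkability", "I": "Identifiability", "N": "Non-repudiation",
    "D": "Detectability", "Dd": "Disclosure of information",
    "U": "Unawareness", "Nc": "Non-compliance",
}

# ASSUMED mapping: DFD element type -> LINDDUN threat categories to consider.
ELEMENT_THREATS = {
    "entity":     ("L", "I", "U"),
    "process":    ("L", "I", "N", "D", "Dd"),
    "data_store": ("L", "I", "N", "D", "Dd"),
    "data_flow":  ("L", "I", "N", "D", "Dd"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # one of the ELEMENT_THREATS keys

    def __post_init__(self):
        if self.kind not in ELEMENT_THREATS:
            raise ValueError(f"unknown DFD element type {self.kind!r}")


# Step 1: the attendance DFD as drawn on the slide (flow names from the Step 2 table).
DFD = [
    Element("User", "entity"),
    Element("Attendance Manager", "process"),
    Element("Attendance data", "data_store"),
    Element("User data stream", "data_flow"),
    Element("Database data stream", "data_flow"),
]


def threat_map(dfd):
    """Step 2: for every element, the threat categories to examine, i.e. the
    empty LINDDUN table before the analyst marks the relevant cells."""
    return {e.name: list(ELEMENT_THREATS[e.kind]) for e in dfd}


@dataclass
class Scenario:
    """Step 3: one misuse case and the threat-tree leaves that cause it."""
    threat: str                 # LINDDUN code, e.g. "Dd"
    target: str                 # DFD element name
    misuse_case: str
    leaf_causes: list = field(default_factory=list)
    priority: str = "unrated"   # Step 4: set from the CNIL formulas, not recomputed here


# Step 5 lookup, from the slide's table: leaf node -> mitigating requirement.
MITIGATIONS = {
    "Data is intelligible because it is not encrypted": "Encryption",
    "No protection for access": "Password based access",
}


def extract_requirements(scenarios, dfd=DFD):
    """Step 5: (misuse case, leaf, requirement) rows.  A scenario whose threat
    category does not apply to its target's element type is rejected, which
    catches a common analyst slip when the table is filled in by hand."""
    applicable = threat_map(dfd)
    rows = []
    for s in scenarios:
        if s.target not in applicable:
            raise ValueError(f"unknown DFD element {s.target!r}")
        if s.threat not in applicable[s.target]:
            raise ValueError(f"{THREAT_NAMES[s.threat]} does not apply to {s.target!r}")
        for leaf in s.leaf_causes:
            requirement = MITIGATIONS.get(leaf)
            if requirement is None:
                raise KeyError(f"no mitigation recorded for leaf {leaf!r}")
            rows.append((s.misuse_case, leaf, requirement))
    return rows


# The slide's worked scenario: disclosure of the attendance data store.
SLIDE_SCENARIO = Scenario(
    threat="Dd",
    target="Attendance data",
    misuse_case="Attempting access to attendance data",
    leaf_causes=list(MITIGATIONS),   # both leaves of the Step 3 threat tree
)

if __name__ == "__main__":
    for row in extract_requirements([SLIDE_SCENARIO]):
        print(" | ".join(row))
```

Running the block prints the two rows of the slide's Step 5 table. The `threat_map` output is the thing to compare with the Step 2 table an analyst filled in by hand: any cell marked there that the element type does not admit is either a modelling error or a sign that the DFD element is typed wrongly.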
A5 Resources Examples (A5 Risk management)
Lightweight: 2 days of work; review by project manager
Medium: 2 weeks of work; in-depth review by project manager; review by PSMO
Full: 2 months of effort; several reviews by project manager; in-depth review by PSMO
Level selection matrix (cell values Light / Med / Full; the cell assignments are not recoverable from the extracted slide):
Rows: Component, infrastructure (e.g. wifi protocol); Infrastructure (e.g. cloud operating system); Component in application (e.g. a user display); Application (e.g. a banking application)
Columns: TRL 1-3 Research prototype; TRL 4-6 Living lab product; TRL 7-9 Market
SIPOC Summary: A5 Risk management (Risk analysis)
Suppliers: project managers, PSMOs, DPA
Inputs: context; assets at stake
Process: Step 1: identify feared events; Step 2: identify threats; Step 3: identify risks; Step 4: identify measures
Outputs: feared events; feared threats; initial risks; privacy & security controls (measures); remaining risks
Customers: system developer; PSMOs; owner
Tools & techniques: CNIL reference; LINDDUN reference
Knowledge: risk analysis methodologies, privacy threats
Responsible: privacy expert
References (A5 Risk management)
CNIL (French data protection agency)
LINDDUN (PhD work from Kim Wuyts, Jan 2015)
Exercise (A5 Risk management)
Some privacy threats: anonymity; confidentiality of attendance data
Some security threats: integrity of data
B – Design
Phase map: A Analysis (A1 Functional description and high-level privacy analysis, A2 Detailed privacy analysis, A3 Privacy requirements, A4 Legal compliance, A5 Risk management) · B Design (B1 Privacy enhancing architecture design (PEAR), B2 Privacy enhancing detailed design, B3 User-centered UI design) · C Implementation (C1 Privacy implementation) · D Verification (D1 Accountability, D2 Security and privacy static analysis, D3 Security and privacy dynamic analysis) · E Release (E1 Create incident response plan, E2 Create system retirement plan, E3 Final security and privacy review, E4 Publish PIA report) · F Maintenance (F1 Execute incident response plan, F2 Security and privacy verification) · G Decommission (G1 Execute retirement plan) · H Environment and Infrastructure (H1 Organisational privacy architecture, H2 Promote privacy awareness)
B Design: the HOW
"a plan or drawing produced to show the look and function or workings of a building, garment, or other object before it is made" (Oxford dictionary)
"process of defining the hardware and software architecture, components, modules, interfaces, and data for a system to satisfy specified requirements"
Design Process (B Design)
Two phases:
B1 Privacy Enhancing Architectures: structure and behavior of the system; global viewpoint
B2 Privacy Enhancing Detailed Design: techniques used; local viewpoint
One of the most important aspects that must be taken into account during this phase is the involvement and consultation of internal and external stakeholders (including data subjects and end users) in order to identify privacy and security risks based on their own expertise and particular interests.
How to Structure the Process (B Design)
Need for smaller grains of concern:
- Operational service approach: privacy concerns categorised into services; for each service, figure out technical solutions. Example: PMRM
- Strategy approach: privacy concerns categorised into strategies; for each strategy, figure out technical solutions. Examples: Kung (PEARs), Hoepman (privacy design strategies)
Design approach summary: operational services (e.g. PMRM, PRIPARE); strategies (e.g. Kung, Hoepman)
References:
Antonio Kung. PEARs: Privacy Enhancing ARchitectures. In Privacy Technologies and Policy – Second Annual Privacy Forum, APF 2014, Athens, Greece, May 20-21, 2014, Proceedings, pages 18–29, 2014.
Jaap-Henk Hoepman. Privacy design strategies. In ICT Systems Security and Privacy Protection – 29th IFIP TC 11 International Conference, SEC 2014, Marrakech, Morocco, June 2-4, 2014, Proceedings, pages 446–459, 2014.
Operational Service Approach (B Design)
Example cheat sheet
Service | Purpose
From OASIS PMRM:
Agreement | Management of permissions and rules
Usage | Controlling personal data usage
Validation | Checking personal data
Certification | Checking stakeholders' credentials
Enforcement | Monitor operations and react to exceptions
Security | Safeguard privacy information and operations
Interaction | Information presentation and communication
Access | Data subject access to their personal data
From PRIPARE:
Accountability | Log and audit management
Strategy Approach (B Design)
Example cheat sheet (Kung)
Strategy | Tactics | Examples
1 Minimization | Collection of personal information should be kept to a strict minimum | Anonymize credentials (e.g. direct anonymous attestation); limit the processing perimeter (e.g. client-side processing, P2P processing)
2 Enforcement | Provide maximum protection of personal data during operation | Enforce data protection policies (collection, access and usage, retention); protect processing (e.g. storage, communication, execution, resources)
3 Transparency and accountability | Maximum transparency provided to stakeholders on the way privacy preservation is ensured | Log data transactions; log modifications (policies, crypto, protection); protect log data
4 Modifiability | Cope with evolution needs | Change policy; change crypto strength and method; change protection strength
Strategy Approach (B Design)
Example cheat sheet (Hoepman)
Strategy | Pattern | Examples
1 Minimization | Amount of processed personal data restricted to the minimal amount possible | select before you collect; anonymisation / pseudonyms
2 Hide | Personal data, and their interrelationships, hidden from plain view | storage and transit encryption of data; mix networks (hide traffic patterns); attribute based credentials
3 Separate | Personal data processed in a distributed fashion, in separate compartments whenever possible | not known
4 Aggregate | Personal data processed at the highest level of aggregation and with the least possible detail in which it is (still) useful | aggregation over time (used in smart metering); dynamic location granularity (used in location based services); k-anonymity; differential privacy
5 Inform | Transparency | platform for privacy preferences; data breach notification
6 Control | Data subjects provided agency over the processing of their personal data | user centric identity management; end-to-end encryption support control
7 Enforce | Privacy policy compatible with legal requirements to be enforced | access control; sticky policies and privacy rights management
8 Demonstrate | Demonstrate compliance with privacy policy and any applicable legal requirements | privacy management systems; use of logging and auditing
Comparing Kung and Hoepman (B Design)
Kung strategy -> corresponding Hoepman strategies
1 Minimization -> 1 Minimization, 3 Separate, 4 Aggregate
2 Enforcement -> 2 Hide, 7 Enforce
3 Transparency and accountability -> 5 Inform, 6 Control, 8 Demonstrate
4 Modifiability -> (no Hoepman counterpart listed)
Hoepman strategy -> corresponding Kung strategy
1 Minimization -> 1 Minimization
2 Hide -> 2 Enforcement
3 Separate -> 1 Minimization
4 Aggregate -> 1 Minimization
5 Inform -> 3 Transparency and accountability
6 Control -> 3 Transparency and accountability
7 Enforce -> 2 Enforcement
8 Demonstrate -> 3 Transparency and accountability
That’s all Folks for today
Pripare Educational Material by Pripare Project is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.