Download presentation
Presentation is loading. Please wait.
Published byMadlyn Stanley Modified over 9 years ago
1
United States Department of Justice www.it.ojp.gov/global Implementing Privacy Policy in Justice Information Sharing: A Technical Framework John Ruegg, Chair, Global Technical Privacy Task Team and Dr. Alan Harbitter, IJIS Institute 10/31/2007
2
United States Department of Justice www.it.ojp.gov/global Topics Approach Overview Privacy Policy Technical Framework and Components Applying the Framework to a Simple Use Case Implementing the Framework Task Progress Summary
3
United States Department of Justice www.it.ojp.gov/global Underlying Principles and Assumptions Do not invent new technology Focus on the domain-specific components required for interoperability (e.g., standards, specific metadata) For now, focus on access rather than collection Assume that there is a written policy in place Briefly, we are going to –Identify technologies to translate written privacy policy in machine-readable form –Define the pieces necessary to link justice information systems to that policy
4
United States Department of Justice www.it.ojp.gov/global Global Privacy Task Team Approach 1.Review the Global Privacy and Information Quality Working Group “Privacy Policy Development Guide and Implementation Templates” for Business Requirements 2.Draft Technical Requirements from Business Requirements 3.Validate Technical Requirements against sample use cases
5
United States Department of Justice www.it.ojp.gov/global Global Privacy Task Team Approach (continued) 4.Define a Technical Framework for Implementing Privacy Policy 5.Identify metadata to support electronic privacy policy implementations 6.Review vendor products, market maturity for designing and deploying policy services 7.Provide a Summary of Design/Implementation Guidelines, Technical Framework, Standards, and Recommendations for Next Steps
6
United States Department of Justice Technical Framework Audit trail Environmental conditions Written policy Obligations Actions: release, modify, access, delete, … Response message Content metadata Electronic policy statements (dynamic, federated) PEP PDP Request message Identity credentials PEP: Policy Enforcement Point PDP: Policy Decision Point
7
United States Department of Justice www.it.ojp.gov/global Electronic Policy Rules General authorization policy rule –Perform outcomes in response to requests by user categories to perform actions on data categories under conditions for valid business purpose(s) subject to prior agreement to [optional] obligations (metadata in bold italics)
8
United States Department of Justice www.it.ojp.gov/global Example Electronic Privacy Policy Rule Specific to justice applications –Allow (oc) law enforcement ORIs (uc) to perform Updates (a) on criminal history records (dc) under the condition where the ORI is the record owner (c) for criminal history reporting (p) requiring logging of actions (o) uc:User categories a:Actions dc:Data categories c:Conditions p:Purposes o:Obligations Oc:Outcome
9
United States Department of Justice Simple Use Case: A Cross-Jurisdictional Traffic Stop
10
United States Department of Justice www.it.ojp.gov/global More Implementation Considerations Level of authorization granularity impacts cost and complexity –Coarse-grained authorization—user categories including attributes such as user role, user certifications, user organization/membership, … are evaluated to grant/deny access to an application/database/portal –Fine-grained authorization—user categories and data categories are evaluated to restrict access to specific records within a database or specific functions within an application Industry support –There are commercial products available to implement each component of the framework
11
United States Department of Justice www.it.ojp.gov/global More Implementation Considerations (continued) Open standards support –WS-Federation built upon WS-Policy Framework WS-Trust WS-SecureConversation WS-Security –WS-MetaDataExchange –XACML (Policy Assertion Language (PAL)) –WS-SecurityPolicy Domain-specific vocabulary –NIEM/GJXDM privacy and data quality metadata additions
12
United States Department of Justice www.it.ojp.gov/global Implementation Cost Considerations Balance cost, risk, and complexity –Human MOU with no technical implementation standards –Low-hanging fruit such as encryption of portable media (memory sticks, laptops, etc.) –Larger investment and support required for fine- grained than for coarse-grained authorization
13
United States Department of Justice www.it.ojp.gov/global It’s Not All Technology Training and outreach Legal research of laws governing privacy and disclosure requirements Establishment of information stewards and policy decision makers –Confidentiality of personal information –Appropriate Use Practices –Appropriate dissemination policy –Physical security measures –Procedural measures –Policy on portable devices/media –Separation of security administration roles
14
United States Department of Justice www.it.ojp.gov/global Global Tech Privacy Team Status Update First draft report delivery—June 2007 Global Working Groups, GESC, and IJIS reviews— July/August 2007 Final draft—executive review and ready for release in fall 2007 Follow-up and next steps—currently under consideration by GAC GESC: Global Executive Steering Committee IJIS: Integrated Justice Information System Institute
15
United States Department of Justice www.it.ojp.gov/global Next Steps Action items and assignments –Privacy Policy Pilot Projects Global Security Working Group (GSWG) Global Privacy Information Quality Working Group (GPIQWG) –Continued integration with Justice Reference Architecture (JRA) Global Infrastructure Standards Working Group (GISWG) –Mature metadata and integrate with NIEM/GJXDM/GFIPM XML Structure Task Force (XSTF)
16
United States Department of Justice www.it.ojp.gov/global Recommendations Adopt the Privacy Policy Technical Framework Adopt the common set of standards and metadata that are specific to the justice domain and aligned with current initiatives Develop a transition strategy for moving to enterprise electronic policy services
17
United States Department of Justice www.it.ojp.gov/global Questions?
18
United States Department of Justice www.it.ojp.gov/global GAC Recommendations 1.Adopt Implementing Privacy Policy in Justice Information Sharing: A Technical Framework 2.Recommend as resource Implementing Privacy Policy in Justice Information Sharing: A Technical Framework Executive Summary Flyer 3.Recommend as resource Global Federated Identity and Privilege Management Executive Summary Flyer
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.