ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies

Standards contributing to the protection of citizen’s privacy and personal data

Work in ISO/IEC JTC 1/SC 27

ETSI Security week, Security Workshop

2015-06-23, Sophia-Antipolis, France

Prof. Dr. Kai Rannenberg
Convenor ISO/IEC JTC 1/SC 27/WG 5
[email protected]
Deutsche Telekom Chair of Mobile Business & Multilateral Security
Goethe University Frankfurt


Agenda

SC 27 and WG 5 within ISO/IEC JTC 1
Privacy Standardisation
A typical obstacle
WG 5 projects (against the obstacles)
Privacy-friendly Identity Management
Privacy Framework
…
Next SC 27 and WG 5 meetings


SC 27 within ISO/IEC JTC 1

Joint Technical Committee 1 “Information Technology”

Subcommittee 27 „IT Security Techniques“


SC 27 Facts & Figures

Members:
  P-members: 51
  O-members: 20

Projects:
  Total no of projects: 230
  No of active projects: 84
  Current number of published standards: 146

Standing Documents:
  SD6 Glossary of IT Security terminology (http://www.jtc1sc27.din.de/sbe/SD6)
  SD7 Catalogue of SC 27 Projects and Standards (http://www.jtc1sc27.din.de/sbe/SD7)
  SD11 Overview of SC 27 (http://www.jtc1sc27.din.de/sbe/SD11)


WGs within ISO/IEC JTC 1/SC 27 – IT Security Techniques

  WG 1: ISMS
  WG 2: Cryptography & Security Mechanisms
  WG 3: Security Evaluation
  WG 4: Security Controls & Services
  WG 5: Identity Management & Privacy Technologies

[Diagram labels: Product, System, Process, Environment; Techniques, Guidelines, Assessment]


SC27 Working Groups

SC27
  Chair: Walter Fumy (DE)
  Vice-chair: Marijke De Soete (BE)
  Secretariat: Krystyna Passia (DIN)

WG1 (Information security management systems)
  Convenor: Edward Humphreys (UK)
  Vice-convenor: Dale Johnstone (AU)

WG2 (Cryptography and security mechanisms)
  Convenor: Takeshi Chikazawa (JP)
  Vice-convenor: Toshio Tatsuta (JP)

WG3 (Security Evaluation, Testing and Specification)
  Convenor: Miguel Bañón (ES)
  Vice-convenor: Naruki Kai (JP)

WG4 (Security controls and services)
  Convenor: Johann Amsenga (ZA)
  Vice-convenor: François Lorek (FR)

WG5 (Identity management and privacy technologies)
  Convenor: Kai Rannenberg (DE)
  Vice-convenor: Jan Schallaböck (DE)

SWG-M (Management)
  Convenor: Faud Khan (CA)
  Vice-convenor: Anders Carlstedt (SE)

SWG-T (Transversal Items)
  Convenor: Andreas Fuchsberger (UK)
  Vice-convenor: Laura Lindsay (US)

© copyright ISO/IEC JTC 1/SC 27, 2015. This is an SC27 public document and is distributed as is for the sole purpose of awareness and promotion of SC 27 standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in other documents / presentations requires prior permission of the ISO/IEC JTC 1 SC27 Secretariat ([email protected])


A legacy Information Management Paradigm …

„Collect as much information as possible – and check about a use for it later“

… which is NOT Best Practice …

… and not consumer friendly


WG 5 Identity Management & Privacy Technologies: Project Overview

Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, DIS)
  Privacy framework (ISO/IEC 29100, IS:2011)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013)
  A framework for access management (ISO/IEC 29146, DIS)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, CD) (formerly X.bhsm)

Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)

Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013)
  Privacy capability assessment model (ISO/IEC 29190, FDIS)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, CD)
  Privacy impact assessment – methodology (ISO/IEC 29134, CD)
  Code of practice for PII protection (ITU-T X.gpim | ISO/IEC 29151, CD)


WG 5 Identity Management & Privacy Technologies: Selected Projects

Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, DIS)
  Privacy framework (ISO/IEC 29100, IS:2011)

Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)

Guidance on Context and Assessment
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Privacy impact assessment – methodology (ISO/IEC 29134, CD)
  Privacy capability assessment model (ISO/IEC 29190, FDIS)
  Code of practice for PII protection (ITU-T X.gpim | ISO/IEC 29151, CD)


WG 5 Identity Management & Privacy Technologies: Programme of Work

Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760)
    Part 1: Terminology and concepts (IS:2011, freely available)
    Part 2: Reference framework and requirements (IS:2015)
    Part 3: Practice (DIS)
  Privacy framework (ISO/IEC 29100, IS:2011, freely available)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)


Identity Management (IdM): 2 sides of a medal with enormous economic potential

People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, Facebook names, …

Differentiated identities help to
  protect
    privacy, especially anonymity
    personal security/safety
  enable reputation building at the same time

Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context

Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control

Unified identities help to
  ease administration
  manage customer relations

Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords


Partial Identities in ISO/IEC 24760

Based on [Clauß, Köhntopp 2001]


ISO/IEC 29100:2011 Privacy framework

For the protection of personally identifiable information within ICT systems:
  Specifies a common privacy terminology;
  Defines the actors and their roles in processing personally identifiable information;
  Describes privacy safeguarding considerations;
  Provides references to known privacy principles for ICT.


ISO/IEC 29100:2011 Privacy framework: 11 Privacy principles

  (1) Consent and choice
  (2) Purpose legitimacy and specification
  (3) Collection limitation
  (4) Data minimization
  (5) Use, retention and disclosure limitation
  (6) Accuracy and quality
  (7) Openness, transparency and notice
  (8) Individual participation and access
  (9) Accountability
  (10) Information security
  (11) Privacy compliance


WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and elsewhere


WG 5 Identity Management & Privacy Technologies: Programme of Work

Study Periods
  User friendly online privacy notices and consent
  Anonymous attribute assurance
  Privacy engineering framework
  A privacy-respecting identity management scheme using attribute-based credentials (together with WG 2)
  On the adoption and usage of ISO/IEC 29115 and its interaction with ISO/IEC 29003


WG 5 Identity Management & Privacy Technologies: SP User friendly online privacy notices and consent

From the terms of reference
  How could a project in this area contribute to
    User friendliness and
    User experience?
  When are notices sufficient?
  When is an explicit consent required?
  Rather a guideline or use of normative languages?


WG 5 Identity Management & Privacy Technologies: Programme of Work

New Work Item Proposal
  Privacy enhancing data de-identification techniques


WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration

With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.:
  ISO/IEC JTC 1
  ISO
  CEN
  ETSI
  ITU-T

Further organisations with specific application needs and/or expertise


WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC

  JTC 1/SC 17/WG 4: Integrated circuit card with contacts
  JTC 1/SC 37: Biometrics
  JTC 1/SC 38: Distributed application platforms and services (DAPS)
  ISO TC 215/WG 4: Health Informatics Security


WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T

  ITU-T SG 13: Future networks including mobile and NGN
  ITU-T SG 17: Security


WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration

  (ISC)² - International Information Systems Security Certification Consortium
  ABC4Trust
  Article 29 Working Party of Data Protection Authorities in the European Union
  CSA (Cloud Security Alliance)
  ENISA (European Network and Information Security Agency)
  FIDIS (Future of Identity in the Information Society)
  ISF (Information Security Forum)
  Kantara Initiative (succeeding Liberty Alliance)
  OpenID Foundation
  PRACTICE
  PRIPARE
  The International Conference of Data Protection and Privacy Commissioners


Next meetings

2015-10-26 – 2013-10-30 Jaipur (India): WG 5 Meeting

2016-04-11 – 2016-04-15 Tampa, Florida (USA): WG 5 Meeting

2016-04-18 – 2016-04-19 Tampa, Florida (USA): SC 27 Plenary


WG 5 Identity Management & Privacy Technologies: Further Reading

www.jtc1sc27.din.de/en
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standard Privacy Assessment (SPA)

www.iso.org/obp/ui
  ISO Online Browsing Platform (OBP)

http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  Freely available standards, e.g. ISO/IEC 24760-1:2011 “A framework for identity management -- Part 1: Terminology and concepts”

[email protected]


Thank you very much for your attention and interest


JTC 1/SC 27 Mission

SC 27 is an internationally recognised centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Their work covers the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

  Information Security Management Systems (ISMS), requirements, controls and conformance assessment, accreditation and auditing requirements in the area of information security;
  Cryptographic mechanisms;
  Security evaluation criteria and methodology;
  Security services;
  Security aspects of identity management, biometrics and privacy.
