Presentation annotated by Gail Magnuson LLC with permission from www.peterfbrown.com
Using Information Technologies to Empower and Transform
This presentation supported by Gail Magnuson, President, Gail Magnuson LLC
Peter F Brown, Independent Consultant
The Privacy Management Reference Model and Methodology from OASIS:
Using the Privacy Management Reference Model and Methodology to Explore Do Not Track Design
Introduction to PMRM
IAPP Cleveland KnowledgeNet Presentation
Gail A Magnuson, CIPP US President, Gail Magnuson [email protected] 2012
© Peter F Brown, 2012 All Rights Reserved with annotations provided with permission by Gail Magnuson LLC
A Model and a Methodology
The model provides a common conceptual framework and vocabulary to help people cooperate across disciplines and organizational boundaries…
…and the methodology provides a common set of tasks to achieve a privacy architecture and privacy management analysis
The PMRM Model
The PMRM Methodology
The Methodology in Detail
Detailed Privacy Analysis
1. High-Level Privacy Analysis and Use Case
Scope: General Description of Services & Applications
Environment: Business Use Case Inventory
Applicable Requirements: Privacy Conformance Criteria
Impact Assessments: Privacy Assessment Preparation, Privacy Impact Assessments, Privacy Maturity Assessments, Compliance Reviews, Accountability Model Assessments
Application and Business Process Descriptions
Applicable Privacy Policies, Practices, Laws & Regulations
2. Detailed Privacy Use Case Analysis
Scope: High-Level Privacy Analysis, High-Level Use Case Description
Identify all the following:
Domains
Systems
Roles & Responsibilities
Actors
Touch Points
Owners
2. US DNT & EU Cookie Touch Points & Data Flows
[Diagram: touch points and data flows among Browser(s) or DNT, 1st Party Website, 3rd Party Websites and Big Data Vendor(s), with Systems a to e connected through touch points]
3. Identify PI and Privacy Controls
4. Services Supporting Privacy Controls
Privacy Controls are usually stated in the form of a policy declaration or requirement and not in a way that is immediately actionable or implementable.
Services provide the ‘bridge’ between requirement and implementation by providing privacy constraints on system-level actions governing the flow of PI between touch points.
8 key PMRM Services identified in the initial work:
Agreement
Usage
Validation
Security
Certification
Enforcement
Interaction
Access
4. Map Privacy Controls to Services
[Diagram labels: Incoming PI, Internally Generated PI, Outgoing PI; Inherited Privacy Controls, Internal Privacy Controls, Exported Privacy Controls; PMRM Services Required, shown by service initials (Ag, E, I, Ac, U, V, S, C)]
4. Map Services to Systems
[Diagram labels: PMRM Services Used, shown by service initials (Ag, E, I, Ac, U, V, S, C); Business Processes and Technical Mechanisms Required by System, shown by letters A to H; Risk Assessment]
The OASIS Privacy Management Reference Model and Methodology
Introduction to PMRM
► [email protected]
► www.peterfbrown.com
► PensivePeter.wordpress.com
► @PensivePeter
PMRM Draft Specification: http://docs.oasis-open.org/pmrm/PMRM/v1.0/csd01/PMRM-v1.0-csd01.doc
PMRM Committee Home Page: http://www.oasis-open.org/committees/pmrm
USAToday EU Cookie Law Overview with Chris Wolf Interview: http://content.usatoday.com/communities/technologylive/post/2011/09/europe-taking-much-stricter-stance-on-do-not-track-rules/1#.UFiEBrJlR5U