Wp6 public

Assurance tool OpenCert for Privacy and Data Protection


  1. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering
     Assurance Tool and Method (WP6)
     Alejandra Ruiz, Jabier Martinez, Javier Puelles, Izaskun Santamaria (Tecnalia)
     Yod Samuel Martin, Jacobo Quintáns, Juan Carlos Yelmo (UPM)
     Guillaume Mockly, Estibaliz Arzoz Fernández, Amelie Gyrard, Antonio Kung (Trialog)
     This project has received funding from the European Union's Horizon 2020 programme under Grant Agreement No 787034.
     11/06/2021
  2. Introduction & Objectives
     [Diagram. Labels: Supplier Chain (Component Release, Module); Assurance Case Development; (Independent) Safety Assessment; Certification Liaison; Product Engineering "Project" (Quality Management, Implementation, Validation & Verification, Design); Assurance "Project" (Assurance Case Development, Evidence Management, Assurance Process Management, Compliance Management); Standards & Regulations Information Management (Interpretation, Standards Specification); (Independent) Privacy Assessment; Privacy Reference Frameworks.]
  3. Introduction & Objectives
     • WP6: Methods and tools for assurance
     • Participants: Tecnalia (leader), Trialog, UPM
     • Duration: M10 – M33
     • Objectives:
       • A method to demonstrate compliance with privacy and data protection regulation, including the systematic capture and recording of evidence, its association to requirements and artefacts, its traceability to the GDPR and other regulations and standards, and the argumentation of compliance derived from the evidence.
       • A standard metamodel to represent the terms relevant to GDPR compliance, including relevant processes, roles, etc.
       • A computer-readable knowledge base which contains models of the normative framework that represent GDPR and other regulation (e.g. WP29 guidance) as well as other data protection standards and mappings between one another, and assurance patterns.
       • A software tool, developed by extending OpenCert, which implements the functions needed to support the method and which hosts the knowledge base.
     • Output:
       • Specification of the method and tool: D6.1, D6.2 and D6.3
       • Method releases: D6.4 and D6.5
       • Tool releases: D6.6 and D6.7
       • Knowledge base: D6.8
  4. Results: Outline
     Demonstrated feasibility of:
     • using state-of-the-art assurance principles for privacy engineering
     • modelling privacy regulations as reference framework models
     • handling ecosystems of privacy reference frameworks
     • providing reusable privacy assurance patterns
     Tool-supported
  5. Results: Using state-of-the-art assurance principles for privacy engineering
     A privacy assurance case is a structured argument supported by a body of evidence, which provides a convincing and valid justification that a system meets its assurance requirements, for a given application in a given operating environment.*
     *Adapted to privacy from the safety world: Denney et al. "Hierarchical Safety Cases." In NASA Formal Methods, 2013
  6. Results: Using state-of-the-art assurance principles for privacy engineering
     GDPR Art. 5: Principles relating to processing of personal data, Paragraph 1
     • Lawfulness, fairness and transparency
     • Purpose limitation
     • Data minimisation
     • Accuracy
     • Storage limitation
     • Integrity and confidentiality
  7. Results: Using state-of-the-art assurance principles for privacy engineering
     Model-based solutions for Privacy assurance projects
     [Diagram. Labels: Supplier Chain (Component Release, Module); Assurance Case Development; (Independent) Safety Assessment; Certification Liaison; Product Engineering "Project" (Quality Management, Implementation, Validation & Verification, Design); Assurance "Project" (Assurance Case Development, Evidence Management, Assurance Process Management, Compliance Management); Standards & Regulations Information Management (Interpretation, Standards Specification); (Independent) Privacy Assessment.]
  8. Results: Modelling privacy regulations as reference framework models
     Diversity of reference frameworks:
     • Process-based
     • Requirements-based
     • Evidence-based
     • Legal text
     Objectives for modelling: Abstraction and Formalization
     Privacy reference frameworks modelled as development processes
     General and Application-domain-specific
  9. Results: Handling ecosystems of privacy reference frameworks
     Several privacy reference frameworks apply (and increasing)
     Mapping models:
     • GDPR Art. 35 and 36: Data protection impact assessment and prior consultation
     • Data Protection Impact Assessment template for Smart Grid and Smart Metering
     • ISO/IEC 29134 Information technology — Security techniques — Guidelines for privacy impact assessment
  10. Results: Providing reusable privacy assurance patterns
      [Diagram. Labels: RefFrameworks Modelling; Equivalences Modelling; Assurance Project Definition; Assurance Case Management; Evidence Management; Compliance Management; Reporting.]
  11. Results: Providing reusable privacy assurance patterns
      Patterns:
      • the process of the ref framework is followed
      • the expected evidences are considered
      • to connect privacy controls with its expected assurance needs
      Reusable privacy assurance patterns contain conditions and parts to be refined. They need to be instantiated and refined.
      Manually created knowledge base, and automatic model transformations
  12. Results: Providing reusable privacy assurance patterns
      [Diagram. Labels: Evidence Management; Prescriptive Knowledge Management; Privacy Argumentation Management; Assurance Project Lifecycle Management; Project Repository; Measurement & Transparency; Assurance Configuration Management; System Management; Standards & Understandings; Argument Patterns; Risk Control (WP3); Product Engineering Tools (WP4, WP5); Link; Connect.]
  13. Results: Overall method
      [Diagram. Activities: RefFrameworks Modelling; Equivalences Modelling; Assurance Project Definition; Assurance Case Management; Evidence Management; Compliance Management; Reporting. Models: Reference Framework models; Mapping models; Goal Structuring Notation models; Evidence models.]
  14. Results: Tool features and improvements
      [Diagram. Activities: RefFrameworks Modelling; Equivalences Modelling; Assurance Project Definition; Assurance Case Management; Evidence Management; Compliance Management; Reporting. Models: Reference Framework models; Mapping models; Goal Structuring Notation models; Evidence models.]
      (EPL-2) https://gitlab.eclipse.org/eclipse/opencert/opencert/-/tree/release/2.0
  15. Results: Knowledge base
      Privacy Reference Frameworks
      • General
        • GDPR Data Protection Impact Assessments (DPIA) covering Art. 35 and 36, and WP29 DPIA guidance
        • ISO/IEC 29134:2017 (Information technology - Security techniques - Guidelines for privacy impact assessment)
      • Case studies
        • ISO/SAE 21434 Road vehicles — Cybersecurity engineering. Process for risk assessment
        • EU Smart Grid Data Protection Impact Assessment (DPIA) template
  16. Results: Knowledge base
      Mapping models
      • ISO/IEC 29134:2017 (Information technology - Security techniques - Guidelines for privacy impact assessment) to GDPR Data Protection Impact Assessments (DPIA)
      • D7.9 Alignment of Smart Grid DPIA to GDPR DPIA and ISO/IEC 29134:2017
  17. Results: Knowledge base
      Privacy Assurance Patterns
      • General
        • GDPR DPIA argumentation patterns (13 based on Recital 75, Art. 35 and 36)
        • NIST SP 800-53 rev 5, Control SI-18 - Information disposal
        • NIST SP 800-53 rev 5, Control SI-20 - De-identification
      • Case studies
        • Connected vehicle: Correct pseudonym management (internally using NIST Control SI-20 pattern)
        • SmartGrid: Pre-assessment on the need to conduct a DPIA is completed. Smart Grid DPIA template
        • Automatically generated assurance patterns: e.g., Data Protection Risk Assessment is completed from SmartGrid DPIA template reference framework
  18. Results: Knowledge base
      • Public
        • https://gitlab.eclipse.org/eclipse/opencert/opencert/-/tree/release/2.0/examples/privacy
      • Private
        • Reference frameworks and mapping models of standards or documents which are not freely distributed: derivative works with a high amount of information and text from the original work
        • ISO/IEC 29134:2017 and its mapping model to GDPR
        • ISO/SAE 21434
  19. Conclusions and further steps beyond the project
      • Using state-of-the-art assurance principles for privacy engineering
      • Modelling privacy regulations as reference framework models
      • Handling ecosystems of privacy reference frameworks
      • Providing reusable privacy assurance patterns
      • Tool-supported
      • Model-based
      • Open source and flexible
      • KB available
      • Community uptake (Industry and Research)
      • More automation support
  20. Methods and Tools for GDPR Compliance through Privacy and Data Protection 4 Engineering
      For more information, visit: www.pdp4e-project.eu
      Thank you for your attention
      This project has received funding from the European Union's Horizon 2020 programme under Grant Agreement No 787034.
