Standardisation of Technological Data Protection Requirements
Prof. Dr. Kai Rannenberg
Deutsche Telekom Chair of Mobile Business & Multilateral Security
Goethe University Frankfurt
www.m-chair.de
Technological Data Protection – Requirements of the General Data Protection Regulation
Berlin, 2017-03-02
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies

WG 5 Identity Management & Privacy Technologies: Agenda
WG 5 within SC 27
Example standardisation projects
Standing Documents
Liaison organisations
Meeting schedules
Conclusions & Outlook

SC 27 “IT Security Techniques” within ISO/IEC JTC 1
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
ISO/IEC JTC 1: Information Technology
  SC 2: Coded Character Sets
  …
  SC 27: Security Techniques
  …
  SC 40: IT Service Management and IT Governance

SC27 Working Groups
SC27: Chair Walter Fumy (DE), Vice-chair Marijke De Soete (BE), Secretariat Krystyna Passia (DIN)
WG1 (Information security management systems): Convenor Edward Humphreys (UK), Vice-convenor Dale Johnstone (AU)
WG2 (Cryptography and security mechanisms): Convenor Takeshi Chikazawa (JP), Vice-convenor Toshio Tatsuta (JP)
WG3 (Security Evaluation, Testing and Specification): Convenor Miguel Bañón (ES), Vice-convenor Naruki Kai (JP)
WG4 (Security controls and services): Convenor Johann Amsenga (ZA), Vice-convenor François Lorek (FR)
WG5 (Identity management and privacy technologies): Convenor Kai Rannenberg (DE), Vice-convenor Jan Schallaböck (DE)
SWG-T (Transversal Items): Convenor (acting) Andreas Fuchsberger (DE), Vice-convenor Laura Lindsay (US)

WGs within ISO/IEC JTC 1/SC 27 – IT Security Techniques
WG 5: Identity Management & Privacy Technologies
WG 1: ISMS
WG 4: Security Controls & Services
WG 2: Cryptography & Security Mechanisms
WG 3: Security Evaluation
Diagram axes: Product, System, Process, Environment; Techniques, Guidelines, Assessment

… which is NOT Best Practice …
“Collect as much information as possible – and check about a use for it later”

… and NOT privacy friendly
“Collect as much information as possible – and check about a use for it later”

A legacy Information (Security) Management Paradigm …
“Collect as much information as possible – and check about a use for it later”

Security & Privacy aim to address systems in a holistic way
“We don't want a piece of the cake, we want the whole bakery”

SC 27: Facts & Figures
Members
  Participating countries (P-members): 54
  Observing countries (O-members): 20
Projects
  Projects: 237
  Projects under development: 73
  Published standards: 164
Standing Documents
  SD6: Glossary of IT Security terminology
  SD7: Catalogue of SC 27 Projects and Standards
  SD11: Overview of SC 27
  on www.din.de/en/meta/jtc1sc27/downloads

WG 5 Identity Management & Privacy Technologies: Scope
Development and maintenance of standards and guidelines addressing security aspects of Identity management, Biometrics, and Privacy

WG 5 Identity Management & Privacy Technologies: Project Overview
Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, IS:2016)
  Privacy framework (ISO/IEC 29100, IS:2011)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013)
  A framework for access management (ISO/IEC 29146, IS:2016)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
  Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
  Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
  Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009, Cor 1:2013, Revision CD)
  Privacy capability assessment model (ISO/IEC 29190, IS:2015)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, DIS)
  Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
  Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
  Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
  Privacy engineering (ISO/IEC 27550, WD)
  Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (1)
  A framework for identity management (ISO/IEC 24760)
    Part 1: Terminology and concepts (IS:2011, freely available, AMD DAM)
    Part 2: Reference framework and requirements (IS:2015)
    Part 3: Practice (IS:2016)
  Privacy framework (ISO/IEC 29100, IS:2011, freely available)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)

ISO/IEC IS 29100:2011: Privacy principles
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Identity Management (IdM): An early approach
“Fear not, for I have redeemed you; I have called you by name, you are mine” [Isaiah 43:1]
„Μη φοβου διοτι εγω σε ελυτρωσα σε εκαλεσα με το ονομα σου εμου εισαι“ [Ησαιαν 43:1]
„No temas, porque yo te he redimido; te he llamado por tu nombre; mío eres tú“ [Isaías 43:1]
„Fürchte dich nicht, denn ich habe dich erlöst; ich habe dich bei deinem Namen gerufen; du bist mein“ [Jesaja 43:1]

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life in different roles (professional, private, volunteer), using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
  Partial identities help to protect privacy, especially anonymity, and personal security/safety, and enable reputation building at the same time
  Identity management systems support users using role based identities and help to present the “right” identity in the right context
Organisations aim to sort out user accounts in different IT systems, authentication, rights management, access control
  Unified identities help to ease administration and manage customer relations
  Identity management systems ease single-sign-on by unifying accounts and solve the problems of multiple passwords

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life in different roles (professional, private, volunteer), using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
  Differentiated identities help to protect privacy, especially anonymity, and personal security/safety, and enable reputation building at the same time
  Identity management systems support users using role based identities and help to present the “right” identity in the right context
Organisations aim to sort out user accounts in different IT systems, authentication, rights management, access control
  Partial identities help to ease administration and manage customer relations
  Identity management systems ease single-sign-on by unifying accounts and solve the problems of multiple passwords

WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (2)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013, AMD DAM)
  A framework for access management (ISO/IEC 29146, IS:2016)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
  Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
  Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
  Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009, Cor 1:2013, Revision CD)
  Privacy capability assessment model (ISO/IEC 29190, IS:2015)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, DIS)
  Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
  Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
  Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
  Privacy engineering (ISO/IEC 27550, WD)
  Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

Excursus: DIN 66398, the standard for deletion concepts
“Guideline for developing a deletion concept with derivation of deletion periods for personal data”, edition 2016-05
Recommendations for the content, structure and assignment of responsibilities in a deletion concept for personal data
In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
Based on the deletion concept of, among others, Toll Collect
Outline: Motivation; Elements of a deletion concept; Deletion classes; Data types and deletion rules; Implementation requirements; Responsibilities
www.din-66398.de

WG 5 Identity Management & Privacy Technologies: Programme of Work
New Work Item Proposal
  ISO/IEC 29100 Privacy framework – Amendment 1

WG 5 Identity Management & Privacy Technologies: Programme of Work
Study Periods
  PII protection considerations for smartphone App providers
  Privacy in smart cities
  Guidelines for privacy in Internet of Things (IoT)
  Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
  Code of Practice solution for different types of PII processors
  Identity related standards landscape

WG 5 Identity Management & Privacy Technologies: Programme of Work
Standing Documents
  WG 5 Roadmap (WG 5 SD1)
  Privacy References List (WG 5 SD2) (public)
  Standards Privacy Assessment (SPA) (WG 5 SD4) (public)

Standards Privacy Assessment (SPA, SD4): SPA or not SPA
[Decision flowchart; branch labels: Yes / No]
Q1: Will std or spec process personal data OR will it create a link to PII
Q2: Will std or spec generate PII
Q3: Will deployment of the std or spec be used in a network device by an individual
Outcomes: No SPA Needed; SPA Needed; Privacy Considerations

ISO deliverables

Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined, and findings are documented in the SPA report.
Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and Standard or Specification Editor verify the consistency of the Privacy Considerations with the rules for International Standards.
Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.

Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
1. Identify Principles: Privacy Principles
2. Identify Requirements: Privacy Safeguarding Requirements
3. Analyze Threats: Privacy Threats & Vulnerabilities
4. Identify Privacy Safeguards: Privacy Safeguards
5. Determine Residual Risk: Acceptable Risk
If unacceptable risk remains, repeat until acceptable remaining level of risk

WG 5 Identity Management & Privacy Technologies: Roadmap

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
  ISO/IEC JTC 1
  ISO
  CEN
  ETSI
  ITU-T
Further organisations with specific application needs and/or expertise

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics, Security

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
ITU-T SG 13: Future networks including mobile and NGN
ITU-T SG 17: Security
ETSI TC Cyber

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
(ISC)² - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners

WG 5 Identity Management & Privacy Technologies: Recent and next meetings
2016-10-23 – 2016-10-27, Abu Dhabi (UAE): WG 5 Meeting
2017-04-18 – 2017-04-22, Hamilton (New Zealand): WG 5 Meeting
2017-04-24 – 2017-04-25, Hamilton (New Zealand): SC 27 Plenary
2017-10-30 – 2017-11-03, Berlin (Germany): WG 5 Meeting
2018-04-09 – 2018-04-13, TBD (China): WG 5 Meeting
2018-04-16 – 2018-04-17, TBD (China): SC 27 Plenary

Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do …
Every new project is a …
  new global challenge
  (cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult

WG 5 Identity Management & Privacy Technologies: Further Reading
www.din.de/en/meta/jtc1sc27/downloads
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui
  ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  Freely available standards, e.g.
  ISO/IEC 24760-1:2011 “A framework for identity management -- Part 1: Terminology and concepts”
  ISO/IEC 29100:2011 “Privacy framework”
Kai.Rannenberg@m-chair.de

Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
2
WG 5 Identity Management amp Privacy TechnologiesAgenda
WG 5 within SC 27Example standardisation projectsStanding Documents Liaison organisationsMeeting schedulesConclusions amp Outlook
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
SC 27 ldquoIT Security Techniquesrdquowithin ISOIEC JTC1
3
ISO International
Organization for Standardization
IEC
International Electro-technical Commission
ISOIECJTC 1
Information Technology
SC 2Coded Character
Sets
SC 40IT Service Management
and IT Governancehellip hellipSC 27
Security Techniques
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
SC27 Working Groups
SC27Chair Walter Fumy (DE) Vice-chair Marijke De Soete (BE)
Secretariat Krystyna Passia (DIN)
WG1 (Information security management
systems)Convenor
Edward Humphreys (UK)
Vice-convenorDale Johnstone (AU)
WG2 (Cryptography and security mechanisms)
ConvenorTakeshi
Chikazawa (JP) Vice-convenor
Toshio Tatsuta (JP)
WG3 (Security Evaluation Testing and Specification)
Convenor Miguel Bantildeoacuten (ES)
Vice-convenorNaruki Kai (JP)
WG4 (Security controls and services)
Convenor Johann Amsenga (ZA)
Vice-convenorFranccedilois Lorek (FR)
WG5 (Identity management and
privacy technologies) Convenor
Kai Rannenberg (DE)Vice-convenor
Jan Schallaboumlck (DE)
SWG-T (Transversal Items)
Convenor (acting) Andreas Fuchsberger (DE)
Vice-convenor Laura Lindsay (US)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
5
WGswithin ISOIEC JTC 1SC 27 ndash IT Security Techniques
WG 5Identity Management
amp Privacy Technologies
WG 1ISMS
WG 4Security Controls amp Services
WG 2Cryptography amp
Security Mechanisms
WG 3Security Evaluation
Product System Process Environment
Techniques
Guidelines
Assessment
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
6
hellip which is NOT Best Practice hellip
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
7
hellip and NOT privacy friendly
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
8
A legacy Information (Security) Management Paradigm hellip
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
9
Security amp Privacy aimto address systems in a holistic way
bdquoWir wollen nicht ein Stuumlck vom Kuchen wir wollen die ganze
Baumlckereildquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
SC 27Facts amp Figures
10
Participating countries (P-members) 54 Observing countries (O-members) 20 Projects 237 Projects under development 73 Published standards 164
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
11
SC 27Facts amp Figures
Members Participating countries (P-members) 54 Observing countries (O-members) 20
Projects Projects 237 Projects under development 73 Published standards 164
Standing Documents SD6 Glossary of IT Security terminology SD7 Catalogue of SC 27 Projects and Standards SD11 Overview of SC 27 on wwwdindeenmetajtc1sc27downloads
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
12
WG 5 Identity Management amp Privacy TechnologiesScope
Development and maintenance of standards and guidelines addressing security aspects of Identity managementBiometrics andPrivacy
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
13
WG 5 Identity Management amp Privacy TechnologiesProject Overview
Frameworks amp Architectures A framework for identity management (ISOIEC 24760 (Parts 1-3) IS2011 IS2015 IS2016) Privacy framework (ISOIEC 29100 IS2011) Privacy architecture framework (ISOIEC 29101 IS2013) Entity authentication assurance framework (ISOIEC 29115 IS2013) A framework for access management (ISOIEC 29146 IS2016) Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly
Xbhsm) Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD) (together with WG 4)
Protection Concepts Biometric information protection (ISOIEC 24745 IS2011) Requirements for partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012) Privacy enhancing data de-identification techniques (ISOIEC 20889 CD) Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
Guidance on Context and Assessment Authentication context for biometrics (ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model (ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISOIEC 27018
IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058| ISOIEC 29151 FDIS) (formerly Xgpim) Guidelines for online privacy notice and consent (ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements (ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
14
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
15
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
16
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISOIEC IS 291002011Privacy principles
1 Consent and choice 2 Purpose legitimacy and specification 3 Collection limitation 4 Data minimization 5 Use retention and disclosure limitation 6 Accuracy and quality 7 Openness transparency and notice 8 Individual participation and access 9 Accountability 10 Information security 11 Privacy compliance
17
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
18
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
19
Identity Management (IdM)An early approach
bdquoFear not for I have redeemed youI have called you by name you are minerdquo [Isaiah 431]
bdquoΜη φοβου διοτι εγω σε ελυτρωσασε εκαλεσα με το ονομα σου εμου εισαιldquo[Ησαιαν 431]
bdquoNo temas porque yo te he redimido te he llamado por tu nombre miacuteo eres tuacuteldquo[Isaiacuteas 43 1 ]
bdquoFuumlrchte dich nicht denn ich habe dich erloumlstich habe dich bei deinem Namen gerufen du bist meinldquo[Jesaja 431]
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
20
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Partial identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo identity
in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Unified identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
21
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Differentiated identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo
identity in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Partial identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
22
WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
23
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
25
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
26
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Guidance on Context and Assessment Authentication context for biometrics
(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model
(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly
Xgpim) Guidelines for online privacy notice and consent
(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements
(ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
27
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)

Excursus: DIN 66398, the standard for deletion concepts
- "Guideline for developing a deletion concept with derivation of deletion periods for personal data", edition 2016-05
- Recommendations for the content, the structure and the assignment of responsibility in a deletion concept for personal data
- In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
- Based on the deletion concept of, among others, Toll Collect
- Outline: motivation; elements of a deletion concept; deletion classes; data types and deletion rules; implementation requirements; responsibilities
www.din-66398.de

WG 5 Identity Management & Privacy Technologies: Programme of Work

New Work Item Proposal
- ISO/IEC 29100 Privacy framework – Amendment 1

Study Periods
- PII protection considerations for smartphone App providers
- Privacy in smart cities
- Guidelines for privacy in Internet of Things (IoT)
- Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
- Code of Practice solution for different types of PII processors
- Identity related standards landscape

Standing Documents
- WG 5 Roadmap (WG 5 SD1)
- Privacy References List (WG 5 SD2) (public)
- Standards Privacy Assessment (SPA) (WG 5 SD4) (public)

Standards Privacy Assessment (SPA, SD4): SPA or not SPA
[Decision flowchart with Yes/No branches]
Q1: Will std or spec process personal data, OR will it create a link to PII?
Q2: Will std or spec generate PII?
Q3: Will deployment of the std or spec be used in a network device by an individual?
Outcomes: No SPA Needed; Privacy Considerations; SPA Needed

ISO deliverables

Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
- Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
- Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined, and findings are documented in the SPA report.
- Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
- Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and the Standard or Specification Editor verify the consistency of the Privacy Considerations with the rules for International Standards.
- Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.

Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
Process steps: Identify Principles, Identify Requirements, Analyze Threats, Identify Privacy Safeguards, Determine Residual Risk
Outputs: Privacy Principles, Privacy Safeguarding Requirements, Privacy Threats & Vulnerabilities, Privacy Safeguards, Acceptable Risk
If unacceptable risk remains, repeat until the remaining level of risk is acceptable.

WG 5 Identity Management & Privacy Technologies: Roadmap

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
- ISO/IEC JTC 1
- ISO
- CEN
- ETSI
- ITU-T
Further organisations with specific application needs and/or expertise

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
- JTC 1/SC 17/WG 4: Integrated circuit card with contacts
- JTC 1/SC 37: Biometrics
- JTC 1/SC 38: Distributed application platforms and services (DAPS)
- ISO TC 215/WG 4: Health Informatics Security

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
- ITU-T SG 13: Future networks including mobile and NGN
- ITU-T SG 17: Security
- ETSI TC Cyber

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
- (ISC)2 - International Information Systems Security Certification Consortium
- ABC4Trust
- Article 29 Working Party of Data Protection Authorities in the European Union
- CSA (Cloud Security Alliance)
- ENISA (European Network and Information Security Agency)
- ISF (Information Security Forum)
- Kantara Initiative (succeeding Liberty Alliance)
- OpenID Foundation
- PRACTICE
- PRIPARE
- The International Conference of Data Protection and Privacy Commissioners

WG 5 Identity Management & Privacy Technologies: Recent and next meetings
- 2016-10-23 – 2016-10-27, Abu Dhabi (UAE): WG 5 Meeting
- 2017-04-18 – 2017-04-22, Hamilton (New Zealand): WG 5 Meeting
- 2017-04-24 – 2017-04-25, Hamilton (New Zealand): SC 27 Plenary
- 2017-10-30 – 2017-11-03, Berlin (Germany): WG 5 Meeting
- 2018-04-09 – 2018-04-13, TBD (China): WG 5 Meeting
- 2018-04-16 – 2018-04-17, TBD (China): SC 27 Plenary

Conclusions & Outlook
- Several projects completed, so a landscape is developing
- Many more projects to do …
- Every new project is a … new global challenge, (cultural) learning experience
- Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult

WG 5 Identity Management & Privacy Technologies: Further Reading
- www.din.de/en/meta/jtc1sc27/downloads
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5 SD2 Privacy Documents References List
  WG 5 SD4 Standards Privacy Assessment (SPA)
- www.iso.org/obp/ui
  ISO Online Browsing Platform (OBP)
- http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  Freely available standards, e.g.
  ISO/IEC 24760-1:2011 "A framework for identity management -- Part 1: Terminology and concepts"
  ISO/IEC 29100:2011 "Privacy framework"
- Kai.Rannenberg@m-chair.de

Thank you very much for your attention and interest

SC 27 "IT Security Techniques" within ISO/IEC JTC 1
- ISO: International Organization for Standardization
- IEC: International Electro-technical Commission
- ISO/IEC JTC 1: Information Technology
  - SC 2: Coded Character Sets
  - …
  - SC 27: Security Techniques
  - …
  - SC 40: IT Service Management and IT Governance

SC27 Working Groups
- SC27: Chair Walter Fumy (DE), Vice-chair Marijke De Soete (BE), Secretariat Krystyna Passia (DIN)
- WG1 (Information security management systems): Convenor Edward Humphreys (UK), Vice-convenor Dale Johnstone (AU)
- WG2 (Cryptography and security mechanisms): Convenor Takeshi Chikazawa (JP), Vice-convenor Toshio Tatsuta (JP)
- WG3 (Security Evaluation, Testing and Specification): Convenor Miguel Bañón (ES), Vice-convenor Naruki Kai (JP)
- WG4 (Security controls and services): Convenor Johann Amsenga (ZA), Vice-convenor François Lorek (FR)
- WG5 (Identity management and privacy technologies): Convenor Kai Rannenberg (DE), Vice-convenor Jan Schallaböck (DE)
- SWG-T (Transversal Items): Convenor (acting) Andreas Fuchsberger (DE), Vice-convenor Laura Lindsay (US)

WGs within ISO/IEC JTC 1/SC 27 – IT Security Techniques
[Diagram] Working groups: WG 5 Identity Management & Privacy Technologies; WG 1 ISMS; WG 4 Security Controls & Services; WG 2 Cryptography & Security Mechanisms; WG 3 Security Evaluation
Diagram labels: Product, System, Process, Environment; Techniques, Guidelines, Assessment

… which is NOT Best Practice …
"Collect as much information as possible – and check about a use for it later"

… and NOT privacy friendly
"Collect as much information as possible – and check about a use for it later"

A legacy Information (Security) Management Paradigm …
"Collect as much information as possible – and check about a use for it later"

Security & Privacy aim to address systems in a holistic way
"We do not want a piece of the cake, we want the whole bakery"

SC 27 Facts & Figures
Members
- Participating countries (P-members): 54
- Observing countries (O-members): 20
Projects
- Projects: 237
- Projects under development: 73
- Published standards: 164
Standing Documents
- SD6 Glossary of IT Security terminology
- SD7 Catalogue of SC 27 Projects and Standards
- SD11 Overview of SC 27
- on www.din.de/en/meta/jtc1sc27/downloads

WG 5 Identity Management & Privacy Technologies: Scope
Development and maintenance of standards and guidelines addressing security aspects of
- Identity management
- Biometrics, and
- Privacy

WG 5 Identity Management & Privacy Technologies: Project Overview

Frameworks & Architectures
- A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, IS:2016)
- Privacy framework (ISO/IEC 29100, IS:2011)
- Privacy architecture framework (ISO/IEC 29101, IS:2013)
- Entity authentication assurance framework (ISO/IEC 29115, IS:2013)
- A framework for access management (ISO/IEC 29146, IS:2016)
- Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
- Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)

Protection Concepts
- Biometric information protection (ISO/IEC 24745, IS:2011)
- Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
- Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
- Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)

Guidance on Context and Assessment
- Authentication context for biometrics (ISO/IEC 24761, IS:2009, Cor 1:2013, Revision: CD)
- Privacy capability assessment model (ISO/IEC 29190, IS:2015)
- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
- Identity proofing (ISO/IEC 29003, DIS)
- Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
- Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
- Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
- Privacy engineering (ISO/IEC 27550, WD)
- Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work

Frameworks & Architectures (1)
- A framework for identity management (ISO/IEC 24760)
  Part 1: Terminology and concepts (IS:2011, freely available, AMD: DAM)
  Part 2: Reference framework and requirements (IS:2015)
  Part 3: Practice (IS:2016)
- Privacy framework (ISO/IEC 29100, IS:2011, freely available)
- Privacy architecture framework (ISO/IEC 29101, IS:2013)

ISO/IEC IS 29100:2011 Privacy principles
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Identity Management (IdM): An early approach
"Fear not, for I have redeemed you, I have called you by name, you are mine" [Isaiah 43:1]
„Μη φοβου, διοτι εγω σε ελυτρωσα, σε εκαλεσα με το ονομα σου, εμου εισαι“ [Ησαιαν 43:1]
„No temas, porque yo te he redimido, te he llamado por tu nombre, mío eres tú“ [Isaías 43:1]
„Fürchte dich nicht, denn ich habe dich erlöst, ich habe dich bei deinem Namen gerufen, du bist mein“ [Jesaja 43:1]

Identity Management (IdM): 2 sides of a medal with enormous economic potential

People live their life
- in different roles (professional, private, volunteer)
- using different identities (pseudonyms, email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …)
Partial identities help to
- protect privacy, especially anonymity, and personal security/safety
- enable reputation building at the same time
Identity management systems
- support users using role based identities
- help to present the "right" identity in the right context

Organisations aim to sort out
- User Accounts in different IT systems
- Authentication
- Rights management
- Access control
Unified identities help to
- ease administration
- manage customer relations
Identity management systems
- ease single-sign-on by unifying accounts
- solve the problems of multiple passwords

Identity Management (IdM): 2 sides of a medal with enormous economic potential

People live their life
- in different roles (professional, private, volunteer)
- using different identities (pseudonyms, email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …)
Differentiated identities help to
- protect privacy, especially anonymity, and personal security/safety
- enable reputation building at the same time
Identity management systems
- support users using role based identities
- help to present the "right" identity in the right context

Organisations aim to sort out
- User Accounts in different IT systems
- Authentication
- Rights management
- Access control
Partial identities help to
- ease administration
- manage customer relations
Identity management systems
- ease single-sign-on by unifying accounts
- solve the problems of multiple passwords

WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
SC27 Working Groups
SC27Chair Walter Fumy (DE) Vice-chair Marijke De Soete (BE)
Secretariat Krystyna Passia (DIN)
WG1 (Information security management
systems)Convenor
Edward Humphreys (UK)
Vice-convenorDale Johnstone (AU)
WG2 (Cryptography and security mechanisms)
ConvenorTakeshi
Chikazawa (JP) Vice-convenor
Toshio Tatsuta (JP)
WG3 (Security Evaluation Testing and Specification)
Convenor Miguel Bantildeoacuten (ES)
Vice-convenorNaruki Kai (JP)
WG4 (Security controls and services)
Convenor Johann Amsenga (ZA)
Vice-convenorFranccedilois Lorek (FR)
WG5 (Identity management and
privacy technologies) Convenor
Kai Rannenberg (DE)Vice-convenor
Jan Schallaboumlck (DE)
SWG-T (Transversal Items)
Convenor (acting) Andreas Fuchsberger (DE)
Vice-convenor Laura Lindsay (US)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
5
WGswithin ISOIEC JTC 1SC 27 ndash IT Security Techniques
WG 5Identity Management
amp Privacy Technologies
WG 1ISMS
WG 4Security Controls amp Services
WG 2Cryptography amp
Security Mechanisms
WG 3Security Evaluation
Product System Process Environment
Techniques
Guidelines
Assessment
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
6
hellip which is NOT Best Practice hellip
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
7
hellip and NOT privacy friendly
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
8
A legacy Information (Security) Management Paradigm hellip
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
9
Security amp Privacy aimto address systems in a holistic way
bdquoWir wollen nicht ein Stuumlck vom Kuchen wir wollen die ganze
Baumlckereildquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
SC 27Facts amp Figures
10
Participating countries (P-members) 54 Observing countries (O-members) 20 Projects 237 Projects under development 73 Published standards 164
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
11
SC 27Facts amp Figures
Members Participating countries (P-members) 54 Observing countries (O-members) 20
Projects Projects 237 Projects under development 73 Published standards 164
Standing Documents SD6 Glossary of IT Security terminology SD7 Catalogue of SC 27 Projects and Standards SD11 Overview of SC 27 on wwwdindeenmetajtc1sc27downloads
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
12
WG 5 Identity Management amp Privacy TechnologiesScope
Development and maintenance of standards and guidelines addressing security aspects of Identity managementBiometrics andPrivacy
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
13
WG 5 Identity Management amp Privacy TechnologiesProject Overview
Frameworks amp Architectures A framework for identity management (ISOIEC 24760 (Parts 1-3) IS2011 IS2015 IS2016) Privacy framework (ISOIEC 29100 IS2011) Privacy architecture framework (ISOIEC 29101 IS2013) Entity authentication assurance framework (ISOIEC 29115 IS2013) A framework for access management (ISOIEC 29146 IS2016) Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly
Xbhsm) Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD) (together with WG 4)
Protection Concepts Biometric information protection (ISOIEC 24745 IS2011) Requirements for partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012) Privacy enhancing data de-identification techniques (ISOIEC 20889 CD) Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
Guidance on Context and Assessment Authentication context for biometrics (ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model (ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISOIEC 27018
IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058| ISOIEC 29151 FDIS) (formerly Xgpim) Guidelines for online privacy notice and consent (ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements (ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
14
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
15
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
16
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISOIEC IS 291002011Privacy principles
1 Consent and choice 2 Purpose legitimacy and specification 3 Collection limitation 4 Data minimization 5 Use retention and disclosure limitation 6 Accuracy and quality 7 Openness transparency and notice 8 Individual participation and access 9 Accountability 10 Information security 11 Privacy compliance
Identity Management (IdM): An early approach
“Fear not, for I have redeemed you; I have called you by name, you are mine” [Isaiah 43:1]
„Μη φοβου διοτι εγω σε ελυτρωσα, σε εκαλεσα με το ονομα σου, εμου εισαι“ [Ησαιαν 43:1]
„No temas, porque yo te he redimido; te he llamado por tu nombre; mío eres tú“ [Isaías 43:1]
„Fürchte dich nicht, denn ich habe dich erlöst; ich habe dich bei deinem Namen gerufen; du bist mein“ [Jesaja 43:1]
Identity Management (IdM): 2 sides of a medal with enormous economic potential

People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Partial identities help to
  protect privacy (especially anonymity) and personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role-based identities
  help to present the “right” identity in the right context

Organisations aim to sort out
  user accounts in different IT systems
  authentication
  rights management
  access control
Unified identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single sign-on by unifying accounts
  solve the problems of multiple passwords
Identity Management (IdM): 2 sides of a medal with enormous economic potential

People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Differentiated identities help to
  protect privacy (especially anonymity) and personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role-based identities
  help to present the “right” identity in the right context

Organisations aim to sort out
  user accounts in different IT systems
  authentication
  rights management
  access control
Partial identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single sign-on by unifying accounts
  solve the problems of multiple passwords
WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (2)
Entity authentication assurance framework (ISO/IEC 29115, IS:2013; AMD: DAM)
A framework for access management (ISO/IEC 29146, IS:2016)
Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Protection Concepts
Biometric information protection (ISO/IEC 24745, IS:2011)
Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Guidance on Context and Assessment
Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision CD)
Privacy capability assessment model (ISO/IEC 29190, IS:2015)
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
Identity proofing (ISO/IEC 29003, DIS)
Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
Privacy engineering (ISO/IEC 27550, WD)
Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)
WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)
Excursus: DIN 66398, the standard for deletion concepts
“Guideline for developing a deletion concept with derivation of deletion periods for personal data”, edition 2016-05
Recommendations for the content, structure and assignment of responsibility in a deletion concept for personal data
In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
Based on the deletion concept of, among others, Toll Collect
Outline:
  Motivation
  Elements of a deletion concept
  Deletion classes
  Data types and deletion rules
  Implementation requirements
  Responsibilities
www.din-66398.de
WG 5 Identity Management & Privacy Technologies: Programme of Work
New Work Item Proposal
ISO/IEC 29100 Privacy framework – Amendment 1
WG 5 Identity Management & Privacy Technologies: Programme of Work
Study Periods
PII protection considerations for smartphone App providers
Privacy in smart cities
Guidelines for privacy in Internet of Things (IoT)
Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
Code of Practice solution for different types of PII processors
Identity related standards landscape
WG 5 Identity Management & Privacy Technologies: Programme of Work
Standing Documents
WG 5 Roadmap (WG 5 SD1)
Privacy References List (WG 5 SD2) (public)
Standards Privacy Assessment (SPA) (WG 5 SD4) (public)
Standards Privacy Assessment (SPA, SD4): SPA or not SPA
[Flowchart: questions Q1 to Q3, each with a Yes and a No branch, leading to the outcomes “No SPA needed” or “SPA needed” (Privacy Considerations)]
Q1: Will std or spec process personal data OR will it create a link to PII?
Q2: Will std or spec generate PII?
Q3: Will deployment of the std or spec be used in a network device by an individual?
ISO deliverables
Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined, and findings are documented in the SPA report.
Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and the Standard or Specification Editor verify the consistency of the Privacy Considerations with the rules for International Standards.
Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues. These are to be addressed in a timely manner through change requests.
Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
[Process diagram]
Process steps: Identify Principles; Identify Requirements; Analyze Threats; Identify Privacy Safeguards; Determine Residual Risk
Results: Privacy Principles; Privacy Safeguarding Requirements; Privacy Threats & Vulnerabilities; Privacy Safeguards; Acceptable Risk
If unacceptable risk remains, repeat until acceptable remaining level of risk.
WG 5 Identity Management & Privacy Technologies: Roadmap
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.:
  ISO/IEC JTC 1
  ISO
  CEN
  ETSI
  ITU-T
Further organisations with specific application needs and/or expertise
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics Security
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
ITU-T SG 13: Future networks including mobile and NGN
ITU-T SG 17: Security
ETSI TC Cyber
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners
WG 5 Identity Management & Privacy Technologies: Recent and next meetings
2016-10-23 – 2016-10-27, Abu Dhabi (UAE): WG 5 Meeting
2017-04-18 – 2017-04-22, Hamilton (New Zealand): WG 5 Meeting
2017-04-24 – 2017-04-25, Hamilton (New Zealand): SC 27 Plenary
2017-10-30 – 2017-11-03, Berlin (Germany): WG 5 Meeting
2018-04-09 – 2018-04-13, TBD (China): WG 5 Meeting
2018-04-16 – 2018-04-17, TBD (China): SC 27 Plenary
Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do …
Every new project is a …
  new global challenge
  (cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult
WG 5 Identity Management & Privacy Technologies: Further Reading
www.din.de/en/meta/jtc1sc27/downloads
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui
  ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  Freely available standards, e.g.
  ISO/IEC 24760-1:2011 “A framework for identity management -- Part 1: Terminology and concepts”
  ISO/IEC 29100:2011 “Privacy framework”
Kai.Rannenberg@m-chair.de
Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
14
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
15
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
16
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISOIEC IS 291002011Privacy principles
1 Consent and choice 2 Purpose legitimacy and specification 3 Collection limitation 4 Data minimization 5 Use retention and disclosure limitation 6 Accuracy and quality 7 Openness transparency and notice 8 Individual participation and access 9 Accountability 10 Information security 11 Privacy compliance
17
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
18
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
19
Identity Management (IdM)An early approach
bdquoFear not for I have redeemed youI have called you by name you are minerdquo [Isaiah 431]
bdquoΜη φοβου διοτι εγω σε ελυτρωσασε εκαλεσα με το ονομα σου εμου εισαιldquo[Ησαιαν 431]
bdquoNo temas porque yo te he redimido te he llamado por tu nombre miacuteo eres tuacuteldquo[Isaiacuteas 43 1 ]
bdquoFuumlrchte dich nicht denn ich habe dich erloumlstich habe dich bei deinem Namen gerufen du bist meinldquo[Jesaja 431]
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
20
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Partial identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo identity
in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Unified identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
21
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Differentiated identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo
identity in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Partial identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
22
WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
23
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
25
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
26
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Guidance on Context and Assessment Authentication context for biometrics
(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model
(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly
Xgpim) Guidelines for online privacy notice and consent
(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements
(ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
27
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
Exkurs DIN 66398Die Norm fuumlr Loumlschkonzepte
bdquoLeitlinie zur Entwicklung eines Loumlschkonzepts mit Ableitung von Loumlschfristen fuumlr personenbezogene Datenldquo Ausgabe 2016-05
Empfehlungen fuumlr die Inhalte den Aufbau und die Zuordnung von Verantwortung in einem Loumlschkonzept fuumlr personenbezogene Daten
Insbesondere Vorgehensweisen mit denen effizient Loumlschfristen und Loumlschregeln fuumlr verschiedene Datenarten bestimmt werden koumlnnen
Basierend auf dem Loumlschkonzept von ua Toll Collect Gliederung
Motivation Elemente eines Loumlschkonzepts Loumlschklassen Datenarten und Loumlschregeln Umsetzungsvorgaben Verantwortlichkeiten
wwwdin-66398de
28
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
29
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
New Work Item Proposal
ISOIEC 29100 Privacy framework ndashAmendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
30
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Study Periods
PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
31
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Standing Documents
WG 5 Roadmap(WG 5 SD1)
Privacy References List(WG 5 SD2) (public)
Standards Privacy Assessment (SPA)(WG 5 SD4) (public)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)SPA or not SPA
32
No SPANeeded
No
No
Yes
Yes
Yes
No
PrivacyConsiderations
SPANeeded
Q1 Will stdor spec process personal data OR
will it create a link toPII
Q3Will deployment of the std
or spec be used in a network device by an individual
Q2Will std or spec
generatePII
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests
34
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Summary of SPA Process Intent
35
IdentifyPrinciples
IdentifyRequirements
AnalyzeThreats
IdentifyPrivacy
Safeguards
DetermineResidual
Risk
Privacy Principles
Privacy Safeguarding Requirements
Privacy Threats amp Vulnerabilities
Privacy Safeguards
Acceptable Risk
If unacceptablerisk remainsrepeat until acceptableremaining level of risk
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
36
WG 5 Identity Management amp Privacy TechnologiesRoadmap
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
37
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications eg
ISOIEC JTC 1ISO
CENETSIITU-T
Further organisations with specific application needs andor expertise
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
38
WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration ndash within ISO and IEC
JTC 1SC 17WG 4 Integrated circuit card with contacts
JTC 1SC 37Biometrics
JTC 1SC 38Distributed application platforms and services (DAPS)
ISO TC 215WG 4Health Informatics Security
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
39
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration ndash with ITU-T
ITU-T SG 13Future networks including mobile and NGN
ITU-T SG 17Security
ETSITC Cyber
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
40
WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust Article 29 Working Party of Data Protection Authorities in the
European Union CSA (Cloud Security Alliance) ENISA (European Network and Information Security Agency) ISF (Information Security Forum) Kantara Initiative (succeeding Liberty Alliance) OpenID Foundation PRACTICE PRIPARE The International Conference of Data Protection and Privacy
Commissioners
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
41
WG 5 Identity Management amp Privacy TechnologiesRecent and next meetings
2016-10-23 ndash 2016-10-27 Abu Dhabi (UAE) WG 5 Meeting
2017-04-18 ndash 2017-04-22 Hamilton (New Zealand) WG 5 Meeting 2017-04-24 ndash 2017-04-25 Hamilton (New Zealand) SC 27 Plenary
2017-10-30 ndash 2017-11-03 Berlin (Germany) WG 5 Meeting
2018-04-09 ndash 2018-04-13 TBD (China) WG 5 Meeting 2018-04-16 ndash 2018-04-17 TBD (China) SC 27 Plenary
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Conclusions amp Outlook
Several projects completed so a landscape is developingMany more projects to do hellip Every new project is a hellipnew global challenge(cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization but standardizing it in itself seems difficult
42
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
43
wwwdindeenmetajtc1sc27downloads SD6 Glossary of IT Security Terminology SD7 Catalogue of SC 27 Standards amp ProjectsWG 5SD2 Privacy Documents References ListWG 5SD4 Standards Privacy Assessment (SPA)
wwwisoorgobpui ISO Online Browsing Platform (OBP)
httpstandardsisoorgittfPubliclyAvailableStandardsindexhtml Freely available standards eg
ISOIEC 24760-12011 ldquoA framework for identity management --Part 1 Terminology and conceptsrdquo ISOIEC 291002011 ldquoPrivacy frameworkrdquo
KaiRannenbergm-chairde
WG 5 Identity Management amp Privacy TechnologiesFurther Reading
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
44
Thank you very much for yourattention and interest
WG 5 Identity Management amp Privacy Technologies
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
6
hellip which is NOT Best Practice hellip
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
7
hellip and NOT privacy friendly
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
8
A legacy Information (Security) Management Paradigm hellip
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
9
Security amp Privacy aimto address systems in a holistic way
bdquoWir wollen nicht ein Stuumlck vom Kuchen wir wollen die ganze
Baumlckereildquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
SC 27Facts amp Figures
10
Participating countries (P-members) 54 Observing countries (O-members) 20 Projects 237 Projects under development 73 Published standards 164
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
11
SC 27Facts amp Figures
Members Participating countries (P-members) 54 Observing countries (O-members) 20
Projects Projects 237 Projects under development 73 Published standards 164
Standing Documents SD6 Glossary of IT Security terminology SD7 Catalogue of SC 27 Projects and Standards SD11 Overview of SC 27 on wwwdindeenmetajtc1sc27downloads
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
12
WG 5 Identity Management amp Privacy TechnologiesScope
Development and maintenance of standards and guidelines addressing security aspects of Identity managementBiometrics andPrivacy
WG 5 Identity Management & Privacy Technologies: Project Overview
Frameworks & Architectures
- A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, IS:2016)
- Privacy framework (ISO/IEC 29100, IS:2011)
- Privacy architecture framework (ISO/IEC 29101, IS:2013)
- Entity authentication assurance framework (ISO/IEC 29115, IS:2013)
- A framework for access management (ISO/IEC 29146, IS:2016)
- Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
- Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
Protection Concepts
- Biometric information protection (ISO/IEC 24745, IS:2011)
- Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
- Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
- Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
Guidance on Context and Assessment
- Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision: CD)
- Privacy capability assessment model (ISO/IEC 29190, IS:2015)
- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
- Identity proofing (ISO/IEC 29003, DIS)
- Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
- Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
- Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
- Privacy engineering (ISO/IEC 27550, WD)
- Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (1)
- A framework for identity management (ISO/IEC 24760)
  - Part 1: Terminology and concepts (IS:2011, freely available; AMD: DAM)
  - Part 2: Reference framework and requirements (IS:2015)
  - Part 3: Practice (IS:2016)
- Privacy framework (ISO/IEC 29100, IS:2011, freely available)
- Privacy architecture framework (ISO/IEC 29101, IS:2013)

ISO/IEC IS 29100:2011: Privacy principles
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Identity Management (IdM): An early approach
„Fear not, for I have redeemed you; I have called you by name; you are mine” [Isaiah 43:1]
„Μη φοβου διοτι εγω σε ελυτρωσα σε εκαλεσα με το ονομα σου εμου εισαι“ [Ησαιαν 43:1]
„No temas, porque yo te he redimido; te he llamado por tu nombre; mío eres tú“ [Isaías 43:1]
„Fürchte dich nicht, denn ich habe dich erlöst; ich habe dich bei deinem Namen gerufen; du bist mein“ [Jesaja 43:1]

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
- in different roles (professional, private, volunteer)
- using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Partial identities help to
- protect privacy, especially anonymity
- protect personal security/safety
- enable reputation building at the same time
Identity management systems
- support users using role based identities
- help to present the “right” identity in the right context
Organisations aim to sort out
- User Accounts in different IT systems
- Authentication
- Rights management
- Access control
Unified identities help to
- ease administration
- manage customer relations
Identity management systems
- ease single-sign-on by unifying accounts
- solve the problems of multiple passwords

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
- in different roles (professional, private, volunteer)
- using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Differentiated identities help to
- protect privacy, especially anonymity
- protect personal security/safety
- enable reputation building at the same time
Identity management systems
- support users using role based identities
- help to present the “right” identity in the right context
Organisations aim to sort out
- User Accounts in different IT systems
- Authentication
- Rights management
- Access control
Partial identities help to
- ease administration
- manage customer relations
Identity management systems
- ease single-sign-on by unifying accounts
- solve the problems of multiple passwords

WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (2)
- Entity authentication assurance framework (ISO/IEC 29115, IS:2013; AMD: DAM)
- A framework for access management (ISO/IEC 29146, IS:2016)
- Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
- Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Protection Concepts
- Biometric information protection (ISO/IEC 24745, IS:2011)
- Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
- Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
- Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Guidance on Context and Assessment
- Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision: CD)
- Privacy capability assessment model (ISO/IEC 29190, IS:2015)
- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
- Identity proofing (ISO/IEC 29003, DIS)
- Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
- Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
- Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
- Privacy engineering (ISO/IEC 27550, WD)
- Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

Excursus: DIN 66398, the standard for deletion concepts
“Guideline for developing a deletion concept with derivation of deletion periods for personal data”, edition 2016-05
- Recommendations for the content, the structure and the assignment of responsibility in a deletion concept for personal data
- In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
- Based on the deletion concept of, among others, Toll Collect
- Outline: Motivation; Elements of a deletion concept; Deletion classes; Data types and deletion rules; Implementation requirements; Responsibilities
- www.din-66398.de

WG 5 Identity Management & Privacy Technologies: Programme of Work
New Work Item Proposal
- ISO/IEC 29100 Privacy framework – Amendment 1

WG 5 Identity Management & Privacy Technologies: Programme of Work
Study Periods
- PII protection considerations for smartphone App providers
- Privacy in smart cities
- Guidelines for privacy in Internet of Things (IoT)
- Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
- Code of Practice solution for different types of PII processors
- Identity related standards landscape

WG 5 Identity Management & Privacy Technologies: Programme of Work
Standing Documents
- WG 5 Roadmap (WG 5 SD1)
- Privacy References List (WG 5 SD2) (public)
- Standards Privacy Assessment (SPA) (WG 5 SD4) (public)

Standards Privacy Assessment (SPA, SD4): SPA or not SPA
[Figure: decision flowchart with Yes/No branches]
- Q1: Will std or spec process personal data OR will it create a link to PII?
- Q2: Will std or spec generate PII?
- Q3: Will deployment of the std or spec be used in a network device by an individual?
- Boxes shown: No SPA Needed; Privacy Considerations; SPA Needed

ISO deliverables

Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
- Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals, and the SPA process. Identify a Privacy Champion in the project team.
- Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined, and findings are documented in the SPA report.
- Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
- Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and Standard or Specification Editor verify the consistency of the Privacy Considerations with the rules for International Standards.
- Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.

Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
[Figure: process diagram]
- Steps: Identify Principles; Identify Requirements; Analyze Threats; Identify Privacy Safeguards; Determine Residual Risk
- Boxes shown: Privacy Principles; Privacy Safeguarding Requirements; Privacy Threats & Vulnerabilities; Privacy Safeguards; Acceptable Risk
- If unacceptable risk remains, repeat until acceptable remaining level of risk

WG 5 Identity Management & Privacy Technologies: Roadmap

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
- ISO/IEC JTC 1
- ISO
- CEN
- ETSI
- ITU-T
Further organisations with specific application needs and/or expertise

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
- JTC 1/SC 17/WG 4: Integrated circuit card with contacts
- JTC 1/SC 37: Biometrics
- JTC 1/SC 38: Distributed application platforms and services (DAPS)
- ISO TC 215/WG 4: Health Informatics Security

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
- ITU-T SG 13: Future networks including mobile and NGN
- ITU-T SG 17: Security
- ETSI TC Cyber

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
- (ISC)2 - International Information Systems Security Certification Consortium
- ABC4Trust
- Article 29 Working Party of Data Protection Authorities in the European Union
- CSA (Cloud Security Alliance)
- ENISA (European Network and Information Security Agency)
- ISF (Information Security Forum)
- Kantara Initiative (succeeding Liberty Alliance)
- OpenID Foundation
- PRACTICE
- PRIPARE
- The International Conference of Data Protection and Privacy Commissioners

WG 5 Identity Management & Privacy Technologies: Recent and next meetings
- 2016-10-23 – 2016-10-27, Abu Dhabi (UAE): WG 5 Meeting
- 2017-04-18 – 2017-04-22, Hamilton (New Zealand): WG 5 Meeting
- 2017-04-24 – 2017-04-25, Hamilton (New Zealand): SC 27 Plenary
- 2017-10-30 – 2017-11-03, Berlin (Germany): WG 5 Meeting
- 2018-04-09 – 2018-04-13, TBD (China): WG 5 Meeting
- 2018-04-16 – 2018-04-17, TBD (China): SC 27 Plenary

Conclusions & Outlook
- Several projects completed, so a landscape is developing
- Many more projects to do …
- Every new project is a …
  - new global challenge
  - (cultural) learning experience
- Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult

WG 5 Identity Management & Privacy Technologies: Further Reading
- www.din.de/en/meta/jtc1sc27/downloads
  - SD6: Glossary of IT Security Terminology
  - SD7: Catalogue of SC 27 Standards & Projects
  - WG 5/SD2: Privacy Documents References List
  - WG 5/SD4: Standards Privacy Assessment (SPA)
- www.iso.org/obp/ui: ISO Online Browsing Platform (OBP)
- http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html: Freely available standards, e.g.
  - ISO/IEC 24760-1:2011 “A framework for identity management -- Part 1: Terminology and concepts”
  - ISO/IEC 29100:2011 “Privacy framework”
- Kai.Rannenberg@m-chair.de

Thank you very much for your attention and interest
7
hellip and NOT privacy friendly
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
8
A legacy Information (Security) Management Paradigm hellip
ldquoCollect as much information as
possible ndash and check about a use for it
laterrdquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
9
Security amp Privacy aimto address systems in a holistic way
bdquoWir wollen nicht ein Stuumlck vom Kuchen wir wollen die ganze
Baumlckereildquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
SC 27Facts amp Figures
10
Participating countries (P-members) 54 Observing countries (O-members) 20 Projects 237 Projects under development 73 Published standards 164
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
11
SC 27Facts amp Figures
Members Participating countries (P-members) 54 Observing countries (O-members) 20
Projects Projects 237 Projects under development 73 Published standards 164
Standing Documents SD6 Glossary of IT Security terminology SD7 Catalogue of SC 27 Projects and Standards SD11 Overview of SC 27 on wwwdindeenmetajtc1sc27downloads
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
12
WG 5 Identity Management amp Privacy TechnologiesScope
Development and maintenance of standards and guidelines addressing security aspects of Identity managementBiometrics andPrivacy
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
13
WG 5 Identity Management amp Privacy TechnologiesProject Overview
Frameworks amp Architectures A framework for identity management (ISOIEC 24760 (Parts 1-3) IS2011 IS2015 IS2016) Privacy framework (ISOIEC 29100 IS2011) Privacy architecture framework (ISOIEC 29101 IS2013) Entity authentication assurance framework (ISOIEC 29115 IS2013) A framework for access management (ISOIEC 29146 IS2016) Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly
Xbhsm) Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD) (together with WG 4)
Protection Concepts Biometric information protection (ISOIEC 24745 IS2011) Requirements for partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012) Privacy enhancing data de-identification techniques (ISOIEC 20889 CD) Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
Guidance on Context and Assessment Authentication context for biometrics (ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model (ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISOIEC 27018
IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058| ISOIEC 29151 FDIS) (formerly Xgpim) Guidelines for online privacy notice and consent (ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements (ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
14
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
15
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
16
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISOIEC IS 291002011Privacy principles
1 Consent and choice 2 Purpose legitimacy and specification 3 Collection limitation 4 Data minimization 5 Use retention and disclosure limitation 6 Accuracy and quality 7 Openness transparency and notice 8 Individual participation and access 9 Accountability 10 Information security 11 Privacy compliance
17
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
18
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
19
Identity Management (IdM)An early approach
bdquoFear not for I have redeemed youI have called you by name you are minerdquo [Isaiah 431]
bdquoΜη φοβου διοτι εγω σε ελυτρωσασε εκαλεσα με το ονομα σου εμου εισαιldquo[Ησαιαν 431]
bdquoNo temas porque yo te he redimido te he llamado por tu nombre miacuteo eres tuacuteldquo[Isaiacuteas 43 1 ]
bdquoFuumlrchte dich nicht denn ich habe dich erloumlstich habe dich bei deinem Namen gerufen du bist meinldquo[Jesaja 431]
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
20
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Partial identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo identity
in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Unified identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
21
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Differentiated identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo
identity in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Partial identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
22
WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
23
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
25
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
26
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Guidance on Context and Assessment Authentication context for biometrics
(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model
(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly
Xgpim) Guidelines for online privacy notice and consent
(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements
(ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
27
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
Exkurs DIN 66398Die Norm fuumlr Loumlschkonzepte
bdquoLeitlinie zur Entwicklung eines Loumlschkonzepts mit Ableitung von Loumlschfristen fuumlr personenbezogene Datenldquo Ausgabe 2016-05
Empfehlungen fuumlr die Inhalte den Aufbau und die Zuordnung von Verantwortung in einem Loumlschkonzept fuumlr personenbezogene Daten
Insbesondere Vorgehensweisen mit denen effizient Loumlschfristen und Loumlschregeln fuumlr verschiedene Datenarten bestimmt werden koumlnnen
Basierend auf dem Loumlschkonzept von ua Toll Collect Gliederung
Motivation Elemente eines Loumlschkonzepts Loumlschklassen Datenarten und Loumlschregeln Umsetzungsvorgaben Verantwortlichkeiten
wwwdin-66398de
28
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
29
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
New Work Item Proposal
ISOIEC 29100 Privacy framework ndashAmendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
30
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Study Periods
PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
31
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Standing Documents
WG 5 Roadmap(WG 5 SD1)
Privacy References List(WG 5 SD2) (public)
Standards Privacy Assessment (SPA)(WG 5 SD4) (public)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)SPA or not SPA
32
No SPANeeded
No
No
Yes
Yes
Yes
No
PrivacyConsiderations
SPANeeded
Q1 Will stdor spec process personal data OR
will it create a link toPII
Q3Will deployment of the std
or spec be used in a network device by an individual
Q2Will std or spec
generatePII
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests
34
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Summary of SPA Process Intent
35
IdentifyPrinciples
IdentifyRequirements
AnalyzeThreats
IdentifyPrivacy
Safeguards
DetermineResidual
Risk
Privacy Principles
Privacy Safeguarding Requirements
Privacy Threats amp Vulnerabilities
Privacy Safeguards
Acceptable Risk
If unacceptablerisk remainsrepeat until acceptableremaining level of risk
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
36
WG 5 Identity Management amp Privacy TechnologiesRoadmap
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
37
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications eg
ISOIEC JTC 1ISO
CENETSIITU-T
Further organisations with specific application needs andor expertise
A legacy Information (Security) Management Paradigm …
“Collect as much information as possible – and check about a use for it later”
Security & Privacy aim to address systems in a holistic way
“We don't want a piece of the cake, we want the whole bakery”
SC 27 Facts & Figures
Members
  Participating countries (P-members): 54
  Observing countries (O-members): 20
Projects
  Projects: 237
  Projects under development: 73
  Published standards: 164
Standing Documents
  SD6 Glossary of IT Security terminology
  SD7 Catalogue of SC 27 Projects and Standards
  SD11 Overview of SC 27
  on www.din.de/en/meta/jtc1sc27/downloads
WG 5 Identity Management & Privacy Technologies: Scope
Development and maintenance of standards and guidelines addressing security aspects of
  Identity management
  Biometrics, and
  Privacy
WG 5 Identity Management & Privacy Technologies: Project Overview
Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, IS:2016)
  Privacy framework (ISO/IEC 29100, IS:2011)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013)
  A framework for access management (ISO/IEC 29146, IS:2016)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
  Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
  Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
  Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision: CD)
  Privacy capability assessment model (ISO/IEC 29190, IS:2015)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, DIS)
  Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
  Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
  Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
  Privacy engineering (ISO/IEC 27550, WD)
  Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)
WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (1)
  A framework for identity management (ISO/IEC 24760)
    Part 1: Terminology and concepts (IS:2011, freely available, AMD: DAM)
    Part 2: Reference framework and requirements (IS:2015)
    Part 3: Practice (IS:2016)
  Privacy framework (ISO/IEC 29100, IS:2011, freely available)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
ISO/IEC IS 29100:2011 Privacy principles
  1. Consent and choice
  2. Purpose legitimacy and specification
  3. Collection limitation
  4. Data minimization
  5. Use, retention and disclosure limitation
  6. Accuracy and quality
  7. Openness, transparency and notice
  8. Individual participation and access
  9. Accountability
  10. Information security
  11. Privacy compliance
Identity Management (IdM): An early approach
“Fear not, for I have redeemed you; I have called you by name, you are mine” [Isaiah 43:1]
(The slide shows the same verse in English, Greek, Spanish and German.)
Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Partial identities help to
  protect privacy, especially anonymity, and personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Unified identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords
Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Differentiated identities help to
  protect privacy, especially anonymity, and personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Partial identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords
WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (2)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013, AMD: DAM)
  A framework for access management (ISO/IEC 29146, IS:2016)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
  Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
  Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
  Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision: CD)
  Privacy capability assessment model (ISO/IEC 29190, IS:2015)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, DIS)
  Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
  Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
  Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
  Privacy engineering (ISO/IEC 27550, WD)
  Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)
Excursus: DIN 66398 – The standard for deletion concepts
“Guideline for developing a deletion concept with derivation of deletion periods for personal data”, edition 2016-05
Recommendations for the content, structure and assignment of responsibility in a deletion concept for personal data
In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
Based on the deletion concept of, among others, Toll Collect
Outline: Motivation; Elements of a deletion concept; Deletion classes; Data types and deletion rules; Implementation requirements; Responsibilities
www.din-66398.de
WG 5 Identity Management & Privacy Technologies: Programme of Work
New Work Item Proposal
  ISO/IEC 29100 Privacy framework – Amendment 1
WG 5 Identity Management & Privacy Technologies: Programme of Work
Study Periods
  PII protection considerations for smartphone App providers
  Privacy in smart cities
  Guidelines for privacy in Internet of Things (IoT)
  Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
  Code of Practice solution for different types of PII processors
  Identity related standards landscape
WG 5 Identity Management & Privacy Technologies: Programme of Work
Standing Documents
  WG 5 Roadmap (WG 5 SD1)
  Privacy References List (WG 5 SD2) (public)
  Standards Privacy Assessment (SPA) (WG 5 SD4) (public)
Standards Privacy Assessment (SPA, SD4): SPA or not SPA
[Flowchart with Yes/No branches from the questions below to the outcomes “No SPA Needed”, “SPA Needed” and “Privacy Considerations”]
  Q1: Will std or spec process personal data OR will it create a link to PII?
  Q2: Will std or spec generate PII?
  Q3: Will deployment of the std or spec be used in a network device by an individual?
ISO deliverables
Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined, and findings are documented in the SPA report.
Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and the Standard or Specification Editor verify that the Privacy Considerations are consistent with the rules for International Standards.
Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.
Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
[Process diagram]
  Steps: Identify Principles; Identify Requirements; Analyze Threats; Identify Privacy Safeguards; Determine Residual Risk
  Results: Privacy Principles; Privacy Safeguarding Requirements; Privacy Threats & Vulnerabilities; Privacy Safeguards; Acceptable Risk
  If unacceptable risk remains, repeat until acceptable remaining level of risk
WG 5 Identity Management & Privacy Technologies: Roadmap
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
  ISO/IEC JTC 1
  ISO
  CEN
  ETSI
  ITU-T
Further organisations with specific application needs and/or expertise
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
  JTC 1/SC 17/WG 4: Integrated circuit card with contacts
  JTC 1/SC 37: Biometrics
  JTC 1/SC 38: Distributed application platforms and services (DAPS)
  ISO TC 215/WG 4: Health Informatics Security
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
  ITU-T SG 13: Future networks including mobile and NGN
  ITU-T SG 17: Security
  ETSI TC Cyber
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
  (ISC)² - International Information Systems Security Certification Consortium
  ABC4Trust
  Article 29 Working Party of Data Protection Authorities in the European Union
  CSA (Cloud Security Alliance)
  ENISA (European Network and Information Security Agency)
  ISF (Information Security Forum)
  Kantara Initiative (succeeding Liberty Alliance)
  OpenID Foundation
  PRACTICE
  PRIPARE
  The International Conference of Data Protection and Privacy Commissioners
WG 5 Identity Management & Privacy Technologies: Recent and next meetings
  2016-10-23 – 2016-10-27 Abu Dhabi (UAE): WG 5 Meeting
  2017-04-18 – 2017-04-22 Hamilton (New Zealand): WG 5 Meeting
  2017-04-24 – 2017-04-25 Hamilton (New Zealand): SC 27 Plenary
  2017-10-30 – 2017-11-03 Berlin (Germany): WG 5 Meeting
  2018-04-09 – 2018-04-13 TBD (China): WG 5 Meeting
  2018-04-16 – 2018-04-17 TBD (China): SC 27 Plenary
Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do …
Every new project is a …
  new global challenge
  (cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult
WG 5 Identity Management & Privacy Technologies: Further Reading
www.din.de/en/meta/jtc1sc27/downloads
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui
  ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  Freely available standards, e.g.
  ISO/IEC 24760-1:2011 “A framework for identity management -- Part 1: Terminology and concepts”
  ISO/IEC 29100:2011 “Privacy framework”
Kai.Rannenberg@m-chair.de
Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
9
Security amp Privacy aimto address systems in a holistic way
bdquoWir wollen nicht ein Stuumlck vom Kuchen wir wollen die ganze
Baumlckereildquo
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
SC 27Facts amp Figures
10
Participating countries (P-members) 54 Observing countries (O-members) 20 Projects 237 Projects under development 73 Published standards 164
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
11
SC 27Facts amp Figures
Members Participating countries (P-members) 54 Observing countries (O-members) 20
Projects Projects 237 Projects under development 73 Published standards 164
Standing Documents SD6 Glossary of IT Security terminology SD7 Catalogue of SC 27 Projects and Standards SD11 Overview of SC 27 on wwwdindeenmetajtc1sc27downloads
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
12
WG 5 Identity Management amp Privacy TechnologiesScope
Development and maintenance of standards and guidelines addressing security aspects of Identity managementBiometrics andPrivacy
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
13
WG 5 Identity Management amp Privacy TechnologiesProject Overview
Frameworks amp Architectures A framework for identity management (ISOIEC 24760 (Parts 1-3) IS2011 IS2015 IS2016) Privacy framework (ISOIEC 29100 IS2011) Privacy architecture framework (ISOIEC 29101 IS2013) Entity authentication assurance framework (ISOIEC 29115 IS2013) A framework for access management (ISOIEC 29146 IS2016) Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly
Xbhsm) Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD) (together with WG 4)
Protection Concepts Biometric information protection (ISOIEC 24745 IS2011) Requirements for partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012) Privacy enhancing data de-identification techniques (ISOIEC 20889 CD) Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
Guidance on Context and Assessment Authentication context for biometrics (ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model (ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISOIEC 27018
IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058| ISOIEC 29151 FDIS) (formerly Xgpim) Guidelines for online privacy notice and consent (ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements (ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
14
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
15
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
16
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISOIEC IS 291002011Privacy principles
1 Consent and choice 2 Purpose legitimacy and specification 3 Collection limitation 4 Data minimization 5 Use retention and disclosure limitation 6 Accuracy and quality 7 Openness transparency and notice 8 Individual participation and access 9 Accountability 10 Information security 11 Privacy compliance
17
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
18
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
19
Identity Management (IdM)An early approach
bdquoFear not for I have redeemed youI have called you by name you are minerdquo [Isaiah 431]
bdquoΜη φοβου διοτι εγω σε ελυτρωσασε εκαλεσα με το ονομα σου εμου εισαιldquo[Ησαιαν 431]
bdquoNo temas porque yo te he redimido te he llamado por tu nombre miacuteo eres tuacuteldquo[Isaiacuteas 43 1 ]
bdquoFuumlrchte dich nicht denn ich habe dich erloumlstich habe dich bei deinem Namen gerufen du bist meinldquo[Jesaja 431]
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
20
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Partial identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo identity
in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Unified identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
21
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Differentiated identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo
identity in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Partial identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
22
WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
23
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
25
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
26
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Guidance on Context and Assessment Authentication context for biometrics
(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model
(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly
Xgpim) Guidelines for online privacy notice and consent
(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements
(ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
27
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
Exkurs DIN 66398Die Norm fuumlr Loumlschkonzepte
bdquoLeitlinie zur Entwicklung eines Loumlschkonzepts mit Ableitung von Loumlschfristen fuumlr personenbezogene Datenldquo Ausgabe 2016-05
Empfehlungen fuumlr die Inhalte den Aufbau und die Zuordnung von Verantwortung in einem Loumlschkonzept fuumlr personenbezogene Daten
Insbesondere Vorgehensweisen mit denen effizient Loumlschfristen und Loumlschregeln fuumlr verschiedene Datenarten bestimmt werden koumlnnen
Basierend auf dem Loumlschkonzept von ua Toll Collect Gliederung
Motivation Elemente eines Loumlschkonzepts Loumlschklassen Datenarten und Loumlschregeln Umsetzungsvorgaben Verantwortlichkeiten
wwwdin-66398de
28
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
29
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
New Work Item Proposal
ISOIEC 29100 Privacy framework ndashAmendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
30
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Study Periods
PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
31
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Standing Documents
WG 5 Roadmap(WG 5 SD1)
Privacy References List(WG 5 SD2) (public)
Standards Privacy Assessment (SPA)(WG 5 SD4) (public)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)SPA or not SPA
32
No SPANeeded
No
No
Yes
Yes
Yes
No
PrivacyConsiderations
SPANeeded
Q1 Will stdor spec process personal data OR
will it create a link toPII
Q3Will deployment of the std
or spec be used in a network device by an individual
Q2Will std or spec
generatePII
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests
34
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Summary of SPA Process Intent
35
IdentifyPrinciples
IdentifyRequirements
AnalyzeThreats
IdentifyPrivacy
Safeguards
DetermineResidual
Risk
Privacy Principles
Privacy Safeguarding Requirements
Privacy Threats amp Vulnerabilities
Privacy Safeguards
Acceptable Risk
If unacceptablerisk remainsrepeat until acceptableremaining level of risk
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
36
WG 5 Identity Management amp Privacy TechnologiesRoadmap
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
37
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
ISO/IEC JTC 1, ISO
CEN, ETSI, ITU-T
Further organisations with specific application needs and/or expertise
WG 5 Identity Management & Privacy Technologies: Example liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics Security
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
ITU-T SG 13: Future networks including mobile and NGN
ITU-T SG 17: Security
ETSI TC Cyber
WG 5 Identity Management & Privacy Technologies: Example liaisons and collaboration
(ISC)² - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners
WG 5 Identity Management & Privacy Technologies: Recent and next meetings
2016-10-23 – 2016-10-27: Abu Dhabi (UAE), WG 5 Meeting
2017-04-18 – 2017-04-22: Hamilton (New Zealand), WG 5 Meeting
2017-04-24 – 2017-04-25: Hamilton (New Zealand), SC 27 Plenary
2017-10-30 – 2017-11-03: Berlin (Germany), WG 5 Meeting
2018-04-09 – 2018-04-13: TBD (China), WG 5 Meeting
2018-04-16 – 2018-04-17: TBD (China), SC 27 Plenary
Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do …
Every new project is a … new global challenge, (cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult
WG 5 Identity Management & Privacy Technologies: Further Reading
www.din.de/en/meta/jtc1sc27/downloads
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui: ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html: Freely available standards, e.g.
  ISO/IEC 24760-1:2011 "A framework for identity management -- Part 1: Terminology and concepts"
  ISO/IEC 29100:2011 "Privacy framework"
Kai.Rannenberg@m-chair.de
WG 5 Identity Management & Privacy Technologies
Thank you very much for your attention and interest
SC 27: Facts & Figures
Members
  Participating countries (P-members): 54
  Observing countries (O-members): 20
Projects
  Projects: 237
  Projects under development: 73
  Published standards: 164
Standing Documents
  SD6 Glossary of IT Security terminology
  SD7 Catalogue of SC 27 Projects and Standards
  SD11 Overview of SC 27
  on www.din.de/en/meta/jtc1sc27/downloads
WG 5 Identity Management & Privacy Technologies: Scope
Development and maintenance of standards and guidelines addressing security aspects of
  Identity management
  Biometrics, and
  Privacy
WG 5 Identity Management & Privacy Technologies: Project Overview
Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, IS:2016)
  Privacy framework (ISO/IEC 29100, IS:2011)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013)
  A framework for access management (ISO/IEC 29146, IS:2016)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
  Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
  Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
  Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision CD)
  Privacy capability assessment model (ISO/IEC 29190, IS:2015)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, DIS)
  Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
  Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
  Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
  Privacy engineering (ISO/IEC 27550, WD)
  Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)
WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (1)
  A framework for identity management (ISO/IEC 24760)
    Part 1: Terminology and concepts (IS:2011, freely available; AMD DAM)
    Part 2: Reference framework and requirements (IS:2015)
    Part 3: Practice (IS:2016)
  Privacy framework (ISO/IEC 29100, IS:2011, freely available)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
ISO/IEC IS 29100:2011: Privacy principles
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance
Identity Management (IdM): An early approach
„Fear not, for I have redeemed you; I have called you by name, you are mine.” [Isaiah 43:1]
„Μη φοβου, διοτι εγω σε ελυτρωσα· σε εκαλεσα με το ονομα σου· εμου εισαι.“ [Ησαιαν 43:1]
„No temas, porque yo te he redimido; te he llamado por tu nombre; mío eres tú.“ [Isaías 43:1]
„Fürchte dich nicht, denn ich habe dich erlöst; ich habe dich bei deinem Namen gerufen; du bist mein.“ [Jesaja 43:1]
Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Partial identities help to
  protect privacy, especially anonymity, and personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role-based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Unified identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords
Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Differentiated identities help to
  protect privacy, especially anonymity, and personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role-based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Partial identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords
WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (2)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013; AMD DAM)
  A framework for access management (ISO/IEC 29146, IS:2016)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
  Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
  Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
  Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision CD)
  Privacy capability assessment model (ISO/IEC 29190, IS:2015)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, DIS)
  Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
  Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
  Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
  Privacy engineering (ISO/IEC 27550, WD)
  Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)
Excursus: DIN 66398, the standard for deletion concepts
"Guideline for the development of a deletion concept with derivation of deletion periods for personal data", edition 2016-05
Recommendations for the contents, the structure and the assignment of responsibility in a deletion concept for personal data
In particular, procedures with which deletion periods and deletion rules for different types of data can be determined efficiently
Based on the deletion concept of, among others, Toll Collect
Outline: motivation, elements of a deletion concept, deletion classes, data types and deletion rules, implementation requirements, responsibilities
www.din-66398.de
WG 5 Identity Management & Privacy Technologies: Programme of Work
New Work Item Proposal
  ISO/IEC 29100 Privacy framework – Amendment 1
WG 5 Identity Management & Privacy Technologies: Programme of Work
Study Periods
  PII protection considerations for smartphone App providers
  Privacy in smart cities
  Guidelines for privacy in Internet of Things (IoT)
  Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
  Code of Practice solution for different types of PII processors
  Identity related standards landscape
WG 5 Identity Management & Privacy Technologies: Programme of Work
Standing Documents
  WG 5 Roadmap (WG 5 SD1)
  Privacy References List (WG 5 SD2) (public)
  Standards Privacy Assessment (SPA) (WG 5 SD4) (public)
Standards Privacy Assessment (SPA, SD4): SPA or not SPA
[Decision flowchart] Q1: Will the std or spec process personal data OR will it create a link to PII? Q2: Will the std or spec generate PII? Q3: Will deployment of the std or spec be used in a network device by an individual? Outcomes: No SPA needed, Privacy Considerations, SPA needed.
ISO deliverables
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests

Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
[Process diagram]
  Steps: Identify Principles, Identify Requirements, Analyze Threats, Identify Privacy Safeguards, Determine Residual Risk
  Associated items: Privacy Principles, Privacy Safeguarding Requirements, Privacy Threats & Vulnerabilities, Privacy Safeguards, Acceptable Risk
  If unacceptable risk remains, repeat until acceptable remaining level of risk.

WG 5 Identity Management & Privacy Technologies: Roadmap

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
  With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
    ISO/IEC JTC 1, ISO
    CEN, ETSI, ITU-T
  Further organisations with specific application needs and/or expertise

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
  JTC 1/SC 17/WG 4: Integrated circuit card with contacts
  JTC 1/SC 37: Biometrics
  JTC 1/SC 38: Distributed application platforms and services (DAPS)
  ISO TC 215/WG 4: Health Informatics Security

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
  ITU-T SG 13: Future networks including mobile and NGN
  ITU-T SG 17: Security
  ETSI TC Cyber

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
  (ISC)2 - International Information Systems Security Certification Consortium
  ABC4Trust
  Article 29 Working Party of Data Protection Authorities in the European Union
  CSA (Cloud Security Alliance)
  ENISA (European Network and Information Security Agency)
  ISF (Information Security Forum)
  Kantara Initiative (succeeding Liberty Alliance)
  OpenID Foundation
  PRACTICE
  PRIPARE
  The International Conference of Data Protection and Privacy Commissioners

WG 5 Identity Management & Privacy Technologies: Recent and next meetings
  2016-10-23 – 2016-10-27 Abu Dhabi (UAE) WG 5 Meeting
  2017-04-18 – 2017-04-22 Hamilton (New Zealand) WG 5 Meeting
  2017-04-24 – 2017-04-25 Hamilton (New Zealand) SC 27 Plenary
  2017-10-30 – 2017-11-03 Berlin (Germany) WG 5 Meeting
  2018-04-09 – 2018-04-13 TBD (China) WG 5 Meeting
  2018-04-16 – 2018-04-17 TBD (China) SC 27 Plenary

Conclusions & Outlook
  Several projects completed, so a landscape is developing
  Many more projects to do …
  Every new project is a …
    new global challenge
    (cultural) learning experience
  Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult

WG 5 Identity Management & Privacy Technologies: Further Reading
  www.din.de/en/meta/jtc1sc27/downloads
    SD6 Glossary of IT Security Terminology
    SD7 Catalogue of SC 27 Standards & Projects
    WG 5/SD2 Privacy Documents References List
    WG 5/SD4 Standards Privacy Assessment (SPA)
  www.iso.org/obp/ui ISO Online Browsing Platform (OBP)
  http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html Freely available standards, e.g.
    ISO/IEC 24760-1:2011 “A framework for identity management -- Part 1: Terminology and concepts”
    ISO/IEC 29100:2011 “Privacy framework”
  Kai.Rannenberg@m-chair.de

Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies

WG 5 Identity Management & Privacy Technologies: Scope
  Development and maintenance of standards and guidelines addressing security aspects of
    Identity management
    Biometrics, and
    Privacy

WG 5 Identity Management & Privacy Technologies: Project Overview
Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, IS:2016)
  Privacy framework (ISO/IEC 29100, IS:2011)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013)
  A framework for access management (ISO/IEC 29146, IS:2016)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
  Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
  Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
  Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009, Cor 1:2013, Revision CD)
  Privacy capability assessment model (ISO/IEC 29190, IS:2015)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, DIS)
  Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
  Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
  Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
  Privacy engineering (ISO/IEC 27550, WD)
  Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (1)
  A framework for identity management (ISO/IEC 24760)
    Part 1: Terminology and concepts (IS:2011, freely available, AMD DAM)
    Part 2: Reference framework and requirements (IS:2015)
    Part 3: Practice (IS:2016)
  Privacy framework (ISO/IEC 29100, IS:2011, freely available)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)

ISO/IEC IS 29100:2011 Privacy principles
  1. Consent and choice
  2. Purpose legitimacy and specification
  3. Collection limitation
  4. Data minimization
  5. Use, retention and disclosure limitation
  6. Accuracy and quality
  7. Openness, transparency and notice
  8. Individual participation and access
  9. Accountability
  10. Information security
  11. Privacy compliance

Identity Management (IdM): An early approach
  „Fear not, for I have redeemed you; I have called you by name, you are mine” [Isaiah 43:1]
  „Μη φοβου διοτι εγω σε ελυτρωσα σε εκαλεσα με το ονομα σου εμου εισαι“ [Ησαιαν 43:1]
  „No temas, porque yo te he redimido; te he llamado por tu nombre; mío eres tú“ [Isaías 43:1]
  „Fürchte dich nicht, denn ich habe dich erlöst; ich habe dich bei deinem Namen gerufen; du bist mein“ [Jesaja 43:1]

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Partial identities help to
  protect privacy, especially anonymity
  protect personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Unified identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Differentiated identities help to
  protect privacy, especially anonymity
  protect personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Partial identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords

WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (2)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013, AMD DAM)
  A framework for access management (ISO/IEC 29146, IS:2016)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
  Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
  Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
  Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009, Cor 1:2013, Revision CD)
  Privacy capability assessment model (ISO/IEC 29190, IS:2015)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, DIS)
  Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
  Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
  Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
  Privacy engineering (ISO/IEC 27550, WD)
  Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)

Excursus: DIN 66398, the standard for deletion concepts
  „Leitlinie zur Entwicklung eines Löschkonzepts mit Ableitung von Löschfristen für personenbezogene Daten“ ("Guideline for developing a deletion concept with derivation of deletion periods for personal data"), edition 2016-05
  Recommendations for the content, the structure and the assignment of responsibility in a deletion concept for personal data
  In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
  Based on the deletion concept of, among others, Toll Collect
  Outline
    Motivation
    Elements of a deletion concept
    Deletion classes
    Data types and deletion rules
    Implementation requirements
    Responsibilities
  www.din-66398.de

WG 5 Identity Management & Privacy Technologies: Programme of Work
New Work Item Proposal
  ISO/IEC 29100 Privacy framework – Amendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
13
WG 5 Identity Management amp Privacy TechnologiesProject Overview
Frameworks amp Architectures A framework for identity management (ISOIEC 24760 (Parts 1-3) IS2011 IS2015 IS2016) Privacy framework (ISOIEC 29100 IS2011) Privacy architecture framework (ISOIEC 29101 IS2013) Entity authentication assurance framework (ISOIEC 29115 IS2013) A framework for access management (ISOIEC 29146 IS2016) Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly
Xbhsm) Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD) (together with WG 4)
Protection Concepts Biometric information protection (ISOIEC 24745 IS2011) Requirements for partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012) Privacy enhancing data de-identification techniques (ISOIEC 20889 CD) Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
Guidance on Context and Assessment Authentication context for biometrics (ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model (ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISOIEC 27018
IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058| ISOIEC 29151 FDIS) (formerly Xgpim) Guidelines for online privacy notice and consent (ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements (ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
14
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
15
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
16
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISOIEC IS 291002011Privacy principles
1 Consent and choice 2 Purpose legitimacy and specification 3 Collection limitation 4 Data minimization 5 Use retention and disclosure limitation 6 Accuracy and quality 7 Openness transparency and notice 8 Individual participation and access 9 Accountability 10 Information security 11 Privacy compliance
17
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
18
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
19
Identity Management (IdM)An early approach
bdquoFear not for I have redeemed youI have called you by name you are minerdquo [Isaiah 431]
bdquoΜη φοβου διοτι εγω σε ελυτρωσασε εκαλεσα με το ονομα σου εμου εισαιldquo[Ησαιαν 431]
bdquoNo temas porque yo te he redimido te he llamado por tu nombre miacuteo eres tuacuteldquo[Isaiacuteas 43 1 ]
bdquoFuumlrchte dich nicht denn ich habe dich erloumlstich habe dich bei deinem Namen gerufen du bist meinldquo[Jesaja 431]
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
20
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Partial identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo identity
in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Unified identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
21
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Differentiated identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo
identity in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Partial identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
22
WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
23
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
25
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
26
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Guidance on Context and Assessment Authentication context for biometrics
(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model
(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly
Xgpim) Guidelines for online privacy notice and consent
(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements
(ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
27
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
Exkurs DIN 66398Die Norm fuumlr Loumlschkonzepte
bdquoLeitlinie zur Entwicklung eines Loumlschkonzepts mit Ableitung von Loumlschfristen fuumlr personenbezogene Datenldquo Ausgabe 2016-05
Empfehlungen fuumlr die Inhalte den Aufbau und die Zuordnung von Verantwortung in einem Loumlschkonzept fuumlr personenbezogene Daten
Insbesondere Vorgehensweisen mit denen effizient Loumlschfristen und Loumlschregeln fuumlr verschiedene Datenarten bestimmt werden koumlnnen
Basierend auf dem Loumlschkonzept von ua Toll Collect Gliederung
Motivation Elemente eines Loumlschkonzepts Loumlschklassen Datenarten und Loumlschregeln Umsetzungsvorgaben Verantwortlichkeiten
wwwdin-66398de
28
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
29
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
New Work Item Proposal
ISOIEC 29100 Privacy framework ndashAmendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
30
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Study Periods
PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
31
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Standing Documents
WG 5 Roadmap(WG 5 SD1)
Privacy References List(WG 5 SD2) (public)
Standards Privacy Assessment (SPA)(WG 5 SD4) (public)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)SPA or not SPA
32
No SPANeeded
No
No
Yes
Yes
Yes
No
PrivacyConsiderations
SPANeeded
Q1 Will stdor spec process personal data OR
will it create a link toPII
Q3Will deployment of the std
or spec be used in a network device by an individual
Q2Will std or spec
generatePII
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests
34
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)
Summary of SPA Process Intent
[Process diagram]
Steps: Identify Principles -> Identify Requirements -> Analyze Threats -> Identify Privacy Safeguards -> Determine Residual Risk
Results: Privacy Principles; Privacy Safeguarding Requirements; Privacy Threats & Vulnerabilities; Privacy Safeguards; Acceptable Risk
If unacceptable risk remains, repeat until acceptable remaining level of risk
WG 5 Identity Management & Privacy Technologies
Roadmap
WG 5 Identity Management & Privacy Technologies
Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
  ISO/IEC JTC 1
  ISO
  CEN
  ETSI
  ITU-T
Further organisations with specific application needs and/or expertise
WG 5 Identity Management & Privacy Technologies
Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4 Integrated circuit card with contacts
JTC 1/SC 37 Biometrics
JTC 1/SC 38 Distributed application platforms and services (DAPS)
ISO TC 215/WG 4 Health Informatics Security
WG 5 Identity Management & Privacy Technologies
Liaisons and collaboration – with ITU-T
ITU-T SG 13 Future networks including mobile and NGN
ITU-T SG 17 Security
ETSI TC Cyber
WG 5 Identity Management & Privacy Technologies
Example Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners
WG 5 Identity Management & Privacy Technologies
Recent and next meetings
2016-10-23 – 2016-10-27 Abu Dhabi (UAE) WG 5 Meeting
2017-04-18 – 2017-04-22 Hamilton (New Zealand) WG 5 Meeting
2017-04-24 – 2017-04-25 Hamilton (New Zealand) SC 27 Plenary
2017-10-30 – 2017-11-03 Berlin (Germany) WG 5 Meeting
2018-04-09 – 2018-04-13 TBD (China) WG 5 Meeting
2018-04-16 – 2018-04-17 TBD (China) SC 27 Plenary
Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do …
Every new project is a …
  new global challenge
  (cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult
WG 5 Identity Management & Privacy Technologies
Further Reading
www.din.de/en/meta/jtc1sc27/downloads
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html Freely available standards, e.g.
  ISO/IEC 24760-1:2011 “A framework for identity management -- Part 1: Terminology and concepts”
  ISO/IEC 29100:2011 “Privacy framework”
Kai.Rannenberg@m-chair.de
Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies
WG 5 Identity Management & Privacy Technologies
Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)
WG 5 Identity Management & Privacy Technologies
Programme of Work
Frameworks & Architectures (1)
A framework for identity management (ISO/IEC 24760)
  Part 1: Terminology and concepts (IS:2011, freely available; AMD: DAM)
  Part 2: Reference framework and requirements (IS:2015)
  Part 3: Practice (IS:2016)
Privacy framework (ISO/IEC 29100, IS:2011, freely available)
Privacy architecture framework (ISO/IEC 29101, IS:2013)
ISO/IEC IS 29100:2011
Privacy principles
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance
Identity Management (IdM)
An early approach
„Fear not, for I have redeemed you; I have called you by name, you are mine” [Isaiah 43:1]
„Μη φοβου, διοτι εγω σε ελυτρωσα, σε εκαλεσα με το ονομα σου, εμου εισαι“ [Ησαιαν 43:1]
„No temas, porque yo te he redimido; te he llamado por tu nombre; mío eres tú“ [Isaías 43:1]
„Fürchte dich nicht, denn ich habe dich erlöst; ich habe dich bei deinem Namen gerufen; du bist mein“ [Jesaja 43:1]
Identity Management (IdM)
2 sides of a medal with enormous economic potential

People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Partial identities help to
  protect privacy, especially anonymity
  protect personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context

Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Unified identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords
Identity Management (IdM)
2 sides of a medal with enormous economic potential

People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Differentiated identities help to
  protect privacy, especially anonymity
  protect personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context

Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Partial identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords
WG 5 Identity Management & Privacy Technologies
Identity Management standards in SC 27/WG 5 (2017-01)
WG 5 Identity Management & Privacy Technologies
Programme of Work
Frameworks & Architectures (2)
Entity authentication assurance framework (ISO/IEC 29115, IS:2013, AMD: DAM)
A framework for access management (ISO/IEC 29146, IS:2016)
Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)
WG 5 Identity Management & Privacy Technologies
Programme of Work
Protection Concepts
Biometric information protection (ISO/IEC 24745, IS:2011)
Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
WG 5 Identity Management & Privacy Technologies
Programme of Work
Guidance on Context and Assessment
Authentication context for biometrics (ISO/IEC 24761, IS:2009, Cor 1:2013, Revision: CD)
Privacy capability assessment model (ISO/IEC 29190, IS:2015)
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
Identity proofing (ISO/IEC 29003, DIS)
Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
Privacy engineering (ISO/IEC 27550, WD)
Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)
Excursus: DIN 66398
The standard for deletion concepts
“Guideline for developing a deletion concept with derivation of deletion periods for personal data”, edition 2016-05
Recommendations for the content, the structure and the assignment of responsibility in a deletion concept for personal data
In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
Based on the deletion concept of, among others, Toll Collect
Outline
  Motivation
  Elements of a deletion concept
  Deletion classes
  Data types and deletion rules
  Implementation requirements
  Responsibilities
www.din-66398.de
WG 5 Identity Management & Privacy Technologies
Programme of Work
New Work Item Proposal
ISO/IEC 29100 Privacy framework – Amendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
30
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Study Periods
PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
31
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Standing Documents
WG 5 Roadmap(WG 5 SD1)
Privacy References List(WG 5 SD2) (public)
Standards Privacy Assessment (SPA)(WG 5 SD4) (public)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)SPA or not SPA
32
No SPANeeded
No
No
Yes
Yes
Yes
No
PrivacyConsiderations
SPANeeded
Q1 Will stdor spec process personal data OR
will it create a link toPII
Q3Will deployment of the std
or spec be used in a network device by an individual
Q2Will std or spec
generatePII
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests
34
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Summary of SPA Process Intent
35
IdentifyPrinciples
IdentifyRequirements
AnalyzeThreats
IdentifyPrivacy
Safeguards
DetermineResidual
Risk
Privacy Principles
Privacy Safeguarding Requirements
Privacy Threats amp Vulnerabilities
Privacy Safeguards
Acceptable Risk
If unacceptablerisk remainsrepeat until acceptableremaining level of risk
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
36
WG 5 Identity Management amp Privacy TechnologiesRoadmap
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
37
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications eg
ISOIEC JTC 1ISO
CENETSIITU-T
Further organisations with specific application needs andor expertise
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
38
WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration ndash within ISO and IEC
JTC 1SC 17WG 4 Integrated circuit card with contacts
JTC 1SC 37Biometrics
JTC 1SC 38Distributed application platforms and services (DAPS)
ISO TC 215WG 4Health Informatics Security
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
39
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration ndash with ITU-T
ITU-T SG 13Future networks including mobile and NGN
ITU-T SG 17Security
ETSITC Cyber
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
40
WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust Article 29 Working Party of Data Protection Authorities in the
European Union CSA (Cloud Security Alliance) ENISA (European Network and Information Security Agency) ISF (Information Security Forum) Kantara Initiative (succeeding Liberty Alliance) OpenID Foundation PRACTICE PRIPARE The International Conference of Data Protection and Privacy
Commissioners
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
41
WG 5 Identity Management amp Privacy TechnologiesRecent and next meetings
2016-10-23 ndash 2016-10-27 Abu Dhabi (UAE) WG 5 Meeting
2017-04-18 ndash 2017-04-22 Hamilton (New Zealand) WG 5 Meeting 2017-04-24 ndash 2017-04-25 Hamilton (New Zealand) SC 27 Plenary
2017-10-30 ndash 2017-11-03 Berlin (Germany) WG 5 Meeting
2018-04-09 ndash 2018-04-13 TBD (China) WG 5 Meeting 2018-04-16 ndash 2018-04-17 TBD (China) SC 27 Plenary
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Conclusions amp Outlook
Several projects completed so a landscape is developingMany more projects to do hellip Every new project is a hellipnew global challenge(cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization but standardizing it in itself seems difficult
42
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
43
wwwdindeenmetajtc1sc27downloads SD6 Glossary of IT Security Terminology SD7 Catalogue of SC 27 Standards amp ProjectsWG 5SD2 Privacy Documents References ListWG 5SD4 Standards Privacy Assessment (SPA)
wwwisoorgobpui ISO Online Browsing Platform (OBP)
httpstandardsisoorgittfPubliclyAvailableStandardsindexhtml Freely available standards eg
ISOIEC 24760-12011 ldquoA framework for identity management --Part 1 Terminology and conceptsrdquo ISOIEC 291002011 ldquoPrivacy frameworkrdquo
KaiRannenbergm-chairde
WG 5 Identity Management amp Privacy TechnologiesFurther Reading
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
44
Thank you very much for yourattention and interest
WG 5 Identity Management amp Privacy Technologies
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
15
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
16
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISOIEC IS 291002011Privacy principles
1 Consent and choice 2 Purpose legitimacy and specification 3 Collection limitation 4 Data minimization 5 Use retention and disclosure limitation 6 Accuracy and quality 7 Openness transparency and notice 8 Individual participation and access 9 Accountability 10 Information security 11 Privacy compliance
17
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
18
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
19
Identity Management (IdM)An early approach
bdquoFear not for I have redeemed youI have called you by name you are minerdquo [Isaiah 431]
bdquoΜη φοβου διοτι εγω σε ελυτρωσασε εκαλεσα με το ονομα σου εμου εισαιldquo[Ησαιαν 431]
bdquoNo temas porque yo te he redimido te he llamado por tu nombre miacuteo eres tuacuteldquo[Isaiacuteas 43 1 ]
bdquoFuumlrchte dich nicht denn ich habe dich erloumlstich habe dich bei deinem Namen gerufen du bist meinldquo[Jesaja 431]
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
20
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Partial identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo identity
in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Unified identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
21
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Differentiated identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo
identity in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Partial identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
22
WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
23
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
25
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
26
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Guidance on Context and Assessment Authentication context for biometrics
(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model
(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly
Xgpim) Guidelines for online privacy notice and consent
(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements
(ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
27
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
Exkurs DIN 66398Die Norm fuumlr Loumlschkonzepte
bdquoLeitlinie zur Entwicklung eines Loumlschkonzepts mit Ableitung von Loumlschfristen fuumlr personenbezogene Datenldquo Ausgabe 2016-05
Empfehlungen fuumlr die Inhalte den Aufbau und die Zuordnung von Verantwortung in einem Loumlschkonzept fuumlr personenbezogene Daten
Insbesondere Vorgehensweisen mit denen effizient Loumlschfristen und Loumlschregeln fuumlr verschiedene Datenarten bestimmt werden koumlnnen
Basierend auf dem Loumlschkonzept von ua Toll Collect Gliederung
Motivation Elemente eines Loumlschkonzepts Loumlschklassen Datenarten und Loumlschregeln Umsetzungsvorgaben Verantwortlichkeiten
wwwdin-66398de
28
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
29
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
New Work Item Proposal
ISOIEC 29100 Privacy framework ndashAmendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
30
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Study Periods
PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
31
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Standing Documents
WG 5 Roadmap(WG 5 SD1)
Privacy References List(WG 5 SD2) (public)
Standards Privacy Assessment (SPA)(WG 5 SD4) (public)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)SPA or not SPA
32
No SPANeeded
No
No
Yes
Yes
Yes
No
PrivacyConsiderations
SPANeeded
Q1 Will stdor spec process personal data OR
will it create a link toPII
Q3Will deployment of the std
or spec be used in a network device by an individual
Q2Will std or spec
generatePII
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests
34
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Summary of SPA Process Intent
35
IdentifyPrinciples
IdentifyRequirements
AnalyzeThreats
IdentifyPrivacy
Safeguards
DetermineResidual
Risk
Privacy Principles
Privacy Safeguarding Requirements
Privacy Threats amp Vulnerabilities
Privacy Safeguards
Acceptable Risk
If unacceptablerisk remainsrepeat until acceptableremaining level of risk
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
36
WG 5 Identity Management amp Privacy TechnologiesRoadmap
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
37
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications eg
ISOIEC JTC 1ISO
CENETSIITU-T
Further organisations with specific application needs andor expertise
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
38
WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration ndash within ISO and IEC
JTC 1SC 17WG 4 Integrated circuit card with contacts
JTC 1SC 37Biometrics
JTC 1SC 38Distributed application platforms and services (DAPS)
ISO TC 215WG 4Health Informatics Security
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
39
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration ndash with ITU-T
ITU-T SG 13Future networks including mobile and NGN
ITU-T SG 17Security
ETSITC Cyber
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
40
WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust Article 29 Working Party of Data Protection Authorities in the
European Union CSA (Cloud Security Alliance) ENISA (European Network and Information Security Agency) ISF (Information Security Forum) Kantara Initiative (succeeding Liberty Alliance) OpenID Foundation PRACTICE PRIPARE The International Conference of Data Protection and Privacy
Commissioners
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
41
WG 5 Identity Management amp Privacy TechnologiesRecent and next meetings
2016-10-23 ndash 2016-10-27 Abu Dhabi (UAE) WG 5 Meeting
2017-04-18 ndash 2017-04-22 Hamilton (New Zealand) WG 5 Meeting 2017-04-24 ndash 2017-04-25 Hamilton (New Zealand) SC 27 Plenary
2017-10-30 ndash 2017-11-03 Berlin (Germany) WG 5 Meeting
2018-04-09 ndash 2018-04-13 TBD (China) WG 5 Meeting 2018-04-16 ndash 2018-04-17 TBD (China) SC 27 Plenary
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Conclusions amp Outlook
Several projects completed so a landscape is developingMany more projects to do hellip Every new project is a hellipnew global challenge(cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization but standardizing it in itself seems difficult
42
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
43
wwwdindeenmetajtc1sc27downloads SD6 Glossary of IT Security Terminology SD7 Catalogue of SC 27 Standards amp ProjectsWG 5SD2 Privacy Documents References ListWG 5SD4 Standards Privacy Assessment (SPA)
wwwisoorgobpui ISO Online Browsing Platform (OBP)
httpstandardsisoorgittfPubliclyAvailableStandardsindexhtml Freely available standards eg
ISOIEC 24760-12011 ldquoA framework for identity management --Part 1 Terminology and conceptsrdquo ISOIEC 291002011 ldquoPrivacy frameworkrdquo
KaiRannenbergm-chairde
WG 5 Identity Management amp Privacy TechnologiesFurther Reading
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
44
Thank you very much for yourattention and interest
WG 5 Identity Management amp Privacy Technologies
WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (1)
A framework for identity management (ISO/IEC 24760)
  Part 1: Terminology and concepts (IS:2011, freely available, AMD: DAM)
  Part 2: Reference framework and requirements (IS:2015)
  Part 3: Practice (IS:2016)
Privacy framework (ISO/IEC 29100, IS:2011, freely available)
Privacy architecture framework (ISO/IEC 29101, IS:2013)

ISO/IEC IS 29100:2011 Privacy principles
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Identity Management (IdM): An early approach
„Fear not, for I have redeemed you; I have called you by name, you are mine” [Isaiah 43:1]
„Μη φοβου, διοτι εγω σε ελυτρωσα, σε εκαλεσα με το ονομα σου, εμου εισαι“ [Ησαιαν 43:1]
„No temas, porque yo te he redimido; te he llamado por tu nombre; mío eres tú“ [Isaías 43:1]
„Fürchte dich nicht, denn ich habe dich erlöst; ich habe dich bei deinem Namen gerufen; du bist mein“ [Jesaja 43:1]

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Partial identities help to
  protect privacy, especially anonymity
  protect personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Unified identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Differentiated identities help to
  protect privacy, especially anonymity
  protect personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Partial identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords

WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (2)
Entity authentication assurance framework (ISO/IEC 29115, IS:2013, AMD: DAM)
A framework for access management (ISO/IEC 29146, IS:2016)
Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Protection Concepts
Biometric information protection (ISO/IEC 24745, IS:2011)
Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Guidance on Context and Assessment
Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision: CD)
Privacy capability assessment model (ISO/IEC 29190, IS:2015)
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
Identity proofing (ISO/IEC 29003, DIS)
Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
Privacy engineering (ISO/IEC 27550, WD)
Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)

Excursus: DIN 66398, the standard for deletion concepts
„Leitlinie zur Entwicklung eines Löschkonzepts mit Ableitung von Löschfristen für personenbezogene Daten“ (Guideline for developing a deletion concept with derivation of deletion periods for personal data), edition 2016-05
Recommendations for the content, structure and assignment of responsibilities in a deletion concept for personal data
In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
Based on the deletion concept of, among others, Toll Collect
Outline:
  Motivation
  Elements of a deletion concept
  Deletion classes
  Data types and deletion rules
  Implementation requirements
  Responsibilities
www.din-66398.de

WG 5 Identity Management & Privacy Technologies: Programme of Work
New Work Item Proposal
ISO/IEC 29100 Privacy framework – Amendment 1

WG 5 Identity Management & Privacy Technologies: Programme of Work
Study Periods
PII protection considerations for smartphone App providers
Privacy in smart cities
Guidelines for privacy in Internet of Things (IoT)
Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
Code of Practice solution for different types of PII processors
Identity related standards landscape

WG 5 Identity Management & Privacy Technologies: Programme of Work
Standing Documents
WG 5 Roadmap (WG 5 SD1)
Privacy References List (WG 5 SD2) (public)
Standards Privacy Assessment (SPA) (WG 5 SD4) (public)

Standards Privacy Assessment (SPA, SD4): SPA or not SPA
[Flowchart: yes/no decision over three questions, leading to either “No SPA needed” or “SPA needed” (Privacy Considerations)]
Q1: Will std or spec process personal data OR will it create a link to PII?
Q2: Will std or spec generate PII?
Q3: Will deployment of the std or spec be used in a network device by an individual?

ISO deliverables

Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined, and findings documented in SPA report.
Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and Standard or Specification Editor verify the consistency of the Privacy Considerations with rules for International Standards.
Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.

Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
[Figure: SPA process flow]
Process steps: Identify Principles, Identify Requirements, Analyze Threats, Identify Privacy Safeguards, Determine Residual Risk
Results: Privacy Principles, Privacy Safeguarding Requirements, Privacy Threats & Vulnerabilities, Privacy Safeguards, Acceptable Risk
If unacceptable risk remains, repeat until acceptable remaining level of risk

WG 5 Identity Management & Privacy Technologies: Roadmap

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
  ISO/IEC JTC 1, ISO
  CEN, ETSI, ITU-T
Further organisations with specific application needs and/or expertise

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics Security

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
ITU-T SG 13: Future networks including mobile and NGN
ITU-T SG 17: Security
ETSI TC Cyber

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners

ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
18
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
19
Identity Management (IdM)An early approach
bdquoFear not for I have redeemed youI have called you by name you are minerdquo [Isaiah 431]
bdquoΜη φοβου διοτι εγω σε ελυτρωσασε εκαλεσα με το ονομα σου εμου εισαιldquo[Ησαιαν 431]
bdquoNo temas porque yo te he redimido te he llamado por tu nombre miacuteo eres tuacuteldquo[Isaiacuteas 43 1 ]
bdquoFuumlrchte dich nicht denn ich habe dich erloumlstich habe dich bei deinem Namen gerufen du bist meinldquo[Jesaja 431]
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
20
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Partial identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo identity
in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Unified identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
21
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Differentiated identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo
identity in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Partial identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
22
WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
23
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
25
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
26
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Guidance on Context and Assessment Authentication context for biometrics
(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model
(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly
Xgpim) Guidelines for online privacy notice and consent
(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements
(ISOIEC 27552 WD)

WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)

Excursus: DIN 66398, the standard for deletion concepts
"Guideline for developing a deletion concept with derivation of deletion periods for personal data", edition 2016-05
Recommendations for the content, structure and assignment of responsibility in a deletion concept for personal data
In particular, procedures for efficiently determining deletion periods and deletion rules for different types of data
Based on the deletion concept of, among others, Toll Collect
Outline: Motivation; Elements of a deletion concept; Deletion classes; Data types and deletion rules; Implementation requirements; Responsibilities
www.din-66398.de

WG 5 Identity Management & Privacy Technologies: Programme of Work
New Work Item Proposal
ISO/IEC 29100 Privacy framework – Amendment 1

WG 5 Identity Management & Privacy Technologies: Programme of Work
Study Periods
PII protection considerations for smartphone App providers
Privacy in smart cities
Guidelines for privacy in Internet of Things (IoT)
Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
Code of Practice solution for different types of PII processors
Identity related standards landscape

WG 5 Identity Management & Privacy Technologies: Programme of Work
Standing Documents
WG 5 Roadmap (WG 5 SD1)
Privacy References List (WG 5 SD2) (public)
Standards Privacy Assessment (SPA) (WG 5 SD4) (public)

Standards Privacy Assessment (SPA, SD4): SPA or not SPA
[Flowchart: three questions with Yes/No branches; outcome labels "No SPA Needed", "SPA Needed" and "Privacy Considerations"]
Q1: Will the std or spec process personal data, OR will it create a link to PII?
Q2: Will the std or spec generate PII?
Q3: Will deployment of the std or spec be used in a network device by an individual?
ISO deliverables

Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined and findings are documented in the SPA report.
Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and the Standard or Specification Editor verify that the Privacy Considerations are consistent with the rules for International Standards.
Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.

Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
[Process diagram] Steps: Identify Principles, Identify Requirements, Analyze Threats, Identify Privacy Safeguards, Determine Residual Risk
Diagram labels: Privacy Principles, Privacy Safeguarding Requirements, Privacy Threats & Vulnerabilities, Privacy Safeguards, Acceptable Risk
If unacceptable risk remains, repeat until acceptable remaining level of risk

WG 5 Identity Management & Privacy Technologies: Roadmap

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
ISO/IEC JTC 1, ISO, CEN, ETSI, ITU-T
Further organisations with specific application needs and/or expertise

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics Security

WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
ITU-T SG 13: Future networks including mobile and NGN
ITU-T SG 17: Security
ETSI TC Cyber

WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners

WG 5 Identity Management & Privacy Technologies: Recent and next meetings
2016-10-23 – 2016-10-27 Abu Dhabi (UAE): WG 5 Meeting
2017-04-18 – 2017-04-22 Hamilton (New Zealand): WG 5 Meeting
2017-04-24 – 2017-04-25 Hamilton (New Zealand): SC 27 Plenary
2017-10-30 – 2017-11-03 Berlin (Germany): WG 5 Meeting
2018-04-09 – 2018-04-13 TBD (China): WG 5 Meeting
2018-04-16 – 2018-04-17 TBD (China): SC 27 Plenary

Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do …
Every new project is a …
new global challenge
(cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult

WG 5 Identity Management & Privacy Technologies: Further Reading
www.din.de/en/meta/jtc1sc27/downloads
SD6 Glossary of IT Security Terminology
SD7 Catalogue of SC 27 Standards & Projects
WG 5/SD2 Privacy Documents References List
WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html Freely available standards, e.g.
ISO/IEC 24760-1:2011 "A framework for identity management -- Part 1: Terminology and concepts"
ISO/IEC 29100:2011 "Privacy framework"
Kai.Rannenberg@m-chair.de

Thank you very much for your attention and interest

Identity Management (IdM): An early approach
"Fear not, for I have redeemed you; I have called you by name, you are mine" [Isaiah 43:1]
„Μη φοβου, διοτι εγω σε ελυτρωσα, σε εκαλεσα με το ονομα σου, εμου εισαι“ [Ησαιαν 43:1]
„No temas, porque yo te he redimido, te he llamado por tu nombre, mío eres tú“ [Isaías 43:1]
„Fürchte dich nicht, denn ich habe dich erlöst, ich habe dich bei deinem Namen gerufen, du bist mein“ [Jesaja 43:1]

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life in different roles (professional, private, volunteer), using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Partial identities help to protect privacy, especially anonymity, and personal security/safety, and enable reputation building at the same time
Identity management systems support users using role based identities and help to present the "right" identity in the right context
Organisations aim to sort out user accounts in different IT systems, authentication, rights management and access control
Unified identities help to ease administration and manage customer relations
Identity management systems ease single-sign-on by unifying accounts and solve the problems of multiple passwords

Identity Management (IdM): 2 sides of a medal with enormous economic potential
People live their life in different roles (professional, private, volunteer), using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …
Differentiated identities help to protect privacy, especially anonymity, and personal security/safety, and enable reputation building at the same time
Identity management systems support users using role based identities and help to present the "right" identity in the right context
Organisations aim to sort out user accounts in different IT systems, authentication, rights management and access control
Partial identities help to ease administration and manage customer relations
Identity management systems ease single-sign-on by unifying accounts and solve the problems of multiple passwords

WG 5 Identity Management & Privacy Technologies: Identity Management standards in SC 27/WG 5 (2017-01)

WG 5 Identity Management & Privacy Technologies: Programme of Work
Frameworks & Architectures (1)
A framework for identity management (ISO/IEC 24760)
Part 1: Terminology and concepts (IS:2011, freely available, AMD DAM)
Part 2: Reference framework and requirements (IS:2015)
Part 3: Practice (IS:2016)
Privacy framework (ISO/IEC 29100, IS:2011, freely available)
Privacy architecture framework (ISO/IEC 29101, IS:2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
21
Identity Management (IdM)2 sides of a medal with enormous economic potential
People live their life in different roles (professional
private volunteer) using different identities
(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)
Differentiated identitieshelp to protect
privacy especially anonymity personal securitysafety
enable reputation building at the same time
Identity management systems support users using role based
identities help to present the ldquorightrdquo
identity in the right context
Organisations aim to sort out User Accounts in different IT
systems Authentication Rights management Access control
Partial identitieshelp to ease administration manage customer relations
Identity management systems ease single-sign-on by unify
accounts solve the problems of multiple
passwords
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
22
WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
23
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (1)A framework for identity management
(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely
available AMD DAM)Part 2 Reference framework and requirements
(IS2015)Part 3 Practice (IS2016)
Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
Programme of Work: Frameworks & Architectures (2)
Entity authentication assurance framework (ISO/IEC 29115, IS:2013, AMD DAM)
A framework for access management (ISO/IEC 29146, IS:2016)
Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, FDIS) (formerly X.bhsm)
Big data reference architecture – Part 4: Security and privacy fabric (ISO/IEC 20547-4, WD) (together with WG 4)

Programme of Work: Protection Concepts
Biometric information protection (ISO/IEC 24745, IS:2011)
Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)

Programme of Work: Guidance on Context and Assessment
Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision CD)
Privacy capability assessment model (ISO/IEC 29190, IS:2015)
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
Identity proofing (ISO/IEC 29003, DIS)
Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
Privacy engineering (ISO/IEC 27550, WD)
Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)

Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)

Excursus: DIN 66398, the standard for deletion concepts
„Leitlinie zur Entwicklung eines Löschkonzepts mit Ableitung von Löschfristen für personenbezogene Daten" (Guideline for developing a deletion concept with derivation of deletion periods for personal data), edition 2016-05
Recommendations for the content, the structure and the assignment of responsibility in a deletion concept for personal data
In particular, procedures with which deletion periods and deletion rules can be determined efficiently for different types of data
Based on the deletion concept of, among others, Toll Collect
Outline: motivation; elements of a deletion concept; deletion classes, data types and deletion rules; implementation requirements; responsibilities
www.din-66398.de

Programme of Work: New Work Item Proposal
ISO/IEC 29100 Privacy framework – Amendment 1

Programme of Work: Study Periods
PII protection considerations for smartphone App providers
Privacy in smart cities
Guidelines for privacy in Internet of Things (IoT)
Editorial inconsistencies in ISO/IEC 29100 Information technology – Security techniques – Privacy framework
Code of Practice solution for different types of PII processors
Identity related standards landscape

Programme of Work: Standing Documents
WG 5 Roadmap (WG 5 SD1)
Privacy References List (WG 5 SD2) (public)
Standards Privacy Assessment (SPA) (WG 5 SD4) (public)

Standards Privacy Assessment (SPA, SD4): SPA or not SPA
Q1: Will std or spec process personal data OR will it create a link to PII?
Q2: Will std or spec generate PII?
Q3: Will deployment of the std or spec be used in a network device by an individual?
[Flowchart: each question branches Yes/No towards the outcomes "No SPA Needed", "Privacy Considerations" and "SPA Needed"]

ISO deliverables

Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined and findings are documented in the SPA report.
Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and Standard or Specification Editor verify the consistency of the Privacy Considerations with the rules for International Standards.
Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.

Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
Steps: Identify Principles, Identify Requirements, Analyze Threats, Identify Privacy Safeguards, Determine Residual Risk
Results: Privacy Principles, Privacy Safeguarding Requirements, Privacy Threats & Vulnerabilities, Privacy Safeguards, Acceptable Risk
If unacceptable risk remains, repeat until acceptable remaining level of risk

Roadmap

Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g. ISO/IEC JTC 1, ISO, CEN, ETSI, ITU-T
Further organisations with specific application needs and/or expertise

Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics Security

Liaisons and collaboration – with ITU-T
ITU-T SG 13: Future networks including mobile and NGN
ITU-T SG 17: Security
ETSI TC Cyber

Example Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners

Recent and next meetings
2016-10-23 – 2016-10-27 Abu Dhabi (UAE): WG 5 Meeting
2017-04-18 – 2017-04-22 Hamilton (New Zealand): WG 5 Meeting
2017-04-24 – 2017-04-25 Hamilton (New Zealand): SC 27 Plenary
2017-10-30 – 2017-11-03 Berlin (Germany): WG 5 Meeting
2018-04-09 – 2018-04-13 TBD (China): WG 5 Meeting
2018-04-16 – 2018-04-17 TBD (China): SC 27 Plenary

Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do …
Every new project is a … new global challenge, (cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult

Further Reading
www.din.de/en/meta/jtc1sc27/downloads
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui: ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html: Freely available standards, e.g.
  ISO/IEC 24760-1:2011 "A framework for identity management -- Part 1: Terminology and concepts"
  ISO/IEC 29100:2011 "Privacy framework"
Kai.Rannenberg@m-chair.de

Thank you very much for your attention and interest
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
24
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
25
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
26
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Guidance on Context and Assessment Authentication context for biometrics
(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model
(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly
Xgpim) Guidelines for online privacy notice and consent
(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements
(ISOIEC 27552 WD)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
27
WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)
Exkurs DIN 66398Die Norm fuumlr Loumlschkonzepte
bdquoLeitlinie zur Entwicklung eines Loumlschkonzepts mit Ableitung von Loumlschfristen fuumlr personenbezogene Datenldquo Ausgabe 2016-05
Empfehlungen fuumlr die Inhalte den Aufbau und die Zuordnung von Verantwortung in einem Loumlschkonzept fuumlr personenbezogene Daten
Insbesondere Vorgehensweisen mit denen effizient Loumlschfristen und Loumlschregeln fuumlr verschiedene Datenarten bestimmt werden koumlnnen
Basierend auf dem Loumlschkonzept von ua Toll Collect Gliederung
Motivation Elemente eines Loumlschkonzepts Loumlschklassen Datenarten und Loumlschregeln Umsetzungsvorgaben Verantwortlichkeiten
wwwdin-66398de
28
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
29
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
New Work Item Proposal
ISOIEC 29100 Privacy framework ndashAmendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
30
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Study Periods
PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
31
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Standing Documents
WG 5 Roadmap(WG 5 SD1)
Privacy References List(WG 5 SD2) (public)
Standards Privacy Assessment (SPA)(WG 5 SD4) (public)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)SPA or not SPA
32
No SPANeeded
No
No
Yes
Yes
Yes
No
PrivacyConsiderations
SPANeeded
Q1 Will stdor spec process personal data OR
will it create a link toPII
Q3Will deployment of the std
or spec be used in a network device by an individual
Q2Will std or spec
generatePII
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined, and findings are documented in the SPA report.
Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and the Standard or Specification Editor verify that the Privacy Considerations are consistent with the rules for International Standards.
Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.
Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
[Figure: process steps "Identify Principles", "Identify Requirements", "Analyze Threats", "Identify Privacy Safeguards", "Determine Residual Risk", with the corresponding results "Privacy Principles", "Privacy Safeguarding Requirements", "Privacy Threats & Vulnerabilities", "Privacy Safeguards", "Acceptable Risk". If unacceptable risk remains, repeat until acceptable remaining level of risk.]
WG 5 Identity Management & Privacy Technologies: Roadmap
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.:
ISO/IEC JTC 1
ISO
CEN
ETSI
ITU-T
Further organisations with specific application needs and/or expertise
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics Security
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
ITU-T SG 13: Future networks including mobile and NGN
ITU-T SG 17: Security
ETSI TC Cyber
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners
WG 5 Identity Management & Privacy Technologies: Recent and next meetings
2016-10-23 – 2016-10-27: Abu Dhabi (UAE), WG 5 Meeting
2017-04-18 – 2017-04-22: Hamilton (New Zealand), WG 5 Meeting
2017-04-24 – 2017-04-25: Hamilton (New Zealand), SC 27 Plenary
2017-10-30 – 2017-11-03: Berlin (Germany), WG 5 Meeting
2018-04-09 – 2018-04-13: TBD (China), WG 5 Meeting
2018-04-16 – 2018-04-17: TBD (China), SC 27 Plenary
Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do ...
Every new project is a ... new global challenge, (cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult
WG 5 Identity Management & Privacy Technologies: Further Reading
www.din.de/en/meta/jtc1sc27/downloads
SD6 Glossary of IT Security Terminology
SD7 Catalogue of SC 27 Standards & Projects
WG 5/SD2 Privacy Documents References List
WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html Freely available standards, e.g.:
ISO/IEC 24760-1:2011 "A framework for identity management -- Part 1: Terminology and concepts"
ISO/IEC 29100:2011 "Privacy framework"
Kai.Rannenberg@m-chair.de
Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies: Programme of Work
Protection Concepts
Biometric information protection (ISO/IEC 24745, IS:2011)
Requirements on partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
Privacy enhancing data de-identification techniques (ISO/IEC 20889, CD)
Requirements for attribute-based unlinkable entity authentication (ISO/IEC 27551, WD)
WG 5 Identity Management & Privacy Technologies: Programme of Work
Guidance on Context and Assessment
Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013, Revision: CD)
Privacy capability assessment model (ISO/IEC 29190, IS:2015)
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
Identity proofing (ISO/IEC 29003, DIS)
Privacy impact assessment – methodology (ISO/IEC 29134, FDIS)
Code of practice for PII protection (ITU-T X.1058 | ISO/IEC 29151, FDIS) (formerly X.gpim)
Guidelines for online privacy notice and consent (ISO/IEC 29184, WD)
Privacy engineering (ISO/IEC 27550, WD)
Enhancement to ISO/IEC 27001 for privacy management – Requirements (ISO/IEC 27552, WD)
WG 5 Identity Management & Privacy Technologies: Privacy/PII standards in SC 27/WG 5 and WG 1 (2017-01)
Exkurs DIN 66398Die Norm fuumlr Loumlschkonzepte
bdquoLeitlinie zur Entwicklung eines Loumlschkonzepts mit Ableitung von Loumlschfristen fuumlr personenbezogene Datenldquo Ausgabe 2016-05
Empfehlungen fuumlr die Inhalte den Aufbau und die Zuordnung von Verantwortung in einem Loumlschkonzept fuumlr personenbezogene Daten
Insbesondere Vorgehensweisen mit denen effizient Loumlschfristen und Loumlschregeln fuumlr verschiedene Datenarten bestimmt werden koumlnnen
Basierend auf dem Loumlschkonzept von ua Toll Collect Gliederung
Motivation Elemente eines Loumlschkonzepts Loumlschklassen Datenarten und Loumlschregeln Umsetzungsvorgaben Verantwortlichkeiten
wwwdin-66398de
28
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
29
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
New Work Item Proposal
ISOIEC 29100 Privacy framework ndashAmendment 1
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
30
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Study Periods
PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
31
WG 5 Identity Management amp Privacy TechnologiesProgramme of Work
Standing Documents
WG 5 Roadmap(WG 5 SD1)
Privacy References List(WG 5 SD2) (public)
Standards Privacy Assessment (SPA)(WG 5 SD4) (public)
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)SPA or not SPA
32
No SPANeeded
No
No
Yes
Yes
Yes
No
PrivacyConsiderations
SPANeeded
Q1 Will stdor spec process personal data OR
will it create a link toPII
Q3Will deployment of the std
or spec be used in a network device by an individual
Q2Will std or spec
generatePII
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests
Standards Privacy Assessment (SPA SD4): Summary of SPA Process Intent
Identify Principles
Identify Requirements
Analyze Threats
Identify Privacy Safeguards
Determine Residual Risk
Privacy Principles
Privacy Safeguarding Requirements
Privacy Threats & Vulnerabilities
Privacy Safeguards
Acceptable Risk
If unacceptable risk remains, repeat until acceptable remaining level of risk
WG 5 Identity Management & Privacy Technologies: Roadmap
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
ISO/IEC JTC 1, ISO
CEN, ETSI, ITU-T
Further organisations with specific application needs and/or expertise
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics Security
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration – with ITU-T
ITU-T SG 13: Future networks including mobile and NGN
ITU-T SG 17: Security
ETSI TC Cyber
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration
(ISC)² - International Information Systems Security Certification Consortium
ABC4Trust
Article 29 Working Party of Data Protection Authorities in the European Union
CSA (Cloud Security Alliance)
ENISA (European Network and Information Security Agency)
ISF (Information Security Forum)
Kantara Initiative (succeeding Liberty Alliance)
OpenID Foundation
PRACTICE
PRIPARE
The International Conference of Data Protection and Privacy Commissioners
WG 5 Identity Management & Privacy Technologies: Recent and next meetings
2016-10-23 – 2016-10-27 Abu Dhabi (UAE) WG 5 Meeting
2017-04-18 – 2017-04-22 Hamilton (New Zealand) WG 5 Meeting
2017-04-24 – 2017-04-25 Hamilton (New Zealand) SC 27 Plenary
2017-10-30 – 2017-11-03 Berlin (Germany) WG 5 Meeting
2018-04-09 – 2018-04-13 TBD (China) WG 5 Meeting
2018-04-16 – 2018-04-17 TBD (China) SC 27 Plenary
Conclusions & Outlook
Several projects completed, so a landscape is developing
Many more projects to do …
Every new project is a …
new global challenge
(cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization, but standardizing it in itself seems difficult
WG 5 Identity Management & Privacy Technologies: Further Reading
www.din.de/en/meta/jtc1sc27/downloads
SD6 Glossary of IT Security Terminology
SD7 Catalogue of SC 27 Standards & Projects
WG 5 SD2 Privacy Documents References List
WG 5 SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html Freely available standards, e.g.
ISO/IEC 24760-1:2011 "A framework for identity management -- Part 1: Terminology and concepts"
ISO/IEC 29100:2011 "Privacy framework"
Kai.Rannenberg@m-chair.de
Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
ISO deliverables
33
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Application at standards development milestones
Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team
Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report
Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process
Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards
Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests
34
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Standards Privacy Assessment (SPA SD4)Summary of SPA Process Intent
35
IdentifyPrinciples
IdentifyRequirements
AnalyzeThreats
IdentifyPrivacy
Safeguards
DetermineResidual
Risk
Privacy Principles
Privacy Safeguarding Requirements
Privacy Threats amp Vulnerabilities
Privacy Safeguards
Acceptable Risk
If unacceptablerisk remainsrepeat until acceptableremaining level of risk
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
36
WG 5 Identity Management amp Privacy TechnologiesRoadmap
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
37
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications eg
ISOIEC JTC 1ISO
CENETSIITU-T
Further organisations with specific application needs andor expertise
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
38
WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration ndash within ISO and IEC
JTC 1SC 17WG 4 Integrated circuit card with contacts
JTC 1SC 37Biometrics
JTC 1SC 38Distributed application platforms and services (DAPS)
ISO TC 215WG 4Health Informatics Security
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
39
WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration ndash with ITU-T
ITU-T SG 13Future networks including mobile and NGN
ITU-T SG 17Security
ETSITC Cyber
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
40
WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration
(ISC)2 - International Information Systems Security Certification Consortium
ABC4Trust Article 29 Working Party of Data Protection Authorities in the
European Union CSA (Cloud Security Alliance) ENISA (European Network and Information Security Agency) ISF (Information Security Forum) Kantara Initiative (succeeding Liberty Alliance) OpenID Foundation PRACTICE PRIPARE The International Conference of Data Protection and Privacy
Commissioners
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
41
WG 5 Identity Management amp Privacy TechnologiesRecent and next meetings
2016-10-23 ndash 2016-10-27 Abu Dhabi (UAE) WG 5 Meeting
2017-04-18 ndash 2017-04-22 Hamilton (New Zealand) WG 5 Meeting 2017-04-24 ndash 2017-04-25 Hamilton (New Zealand) SC 27 Plenary
2017-10-30 ndash 2017-11-03 Berlin (Germany) WG 5 Meeting
2018-04-09 ndash 2018-04-13 TBD (China) WG 5 Meeting 2018-04-16 ndash 2018-04-17 TBD (China) SC 27 Plenary
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
Conclusions amp Outlook
Several projects completed so a landscape is developingMany more projects to do hellip Every new project is a hellipnew global challenge(cultural) learning experience
Privacy by design is a leading paradigm for WG 5 standardization but standardizing it in itself seems difficult
42
ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies
43
WG 5 Identity Management & Privacy Technologies: Further Reading
www.din.de/en/meta/jtc1sc27/downloads
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standards Privacy Assessment (SPA)
www.iso.org/obp/ui
  ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  Freely available standards, e.g.
  ISO/IEC 24760-1:2011 "A framework for identity management -- Part 1: Terminology and concepts"
  ISO/IEC 29100:2011 "Privacy framework"
Kai.Rannenberg@m-chair.de
Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies
Standards Privacy Assessment (SPA, SD4): Application at standards development milestones
Study Period and New Work Item Proposal: Include an explanation of relevant privacy fundamentals, privacy goals and the SPA process. Identify a Privacy Champion in the project team.
Working Draft: As the project team creates functionality, data flows are analyzed and categorized, areas for Privacy Engineering are identified, privacy requirements are identified, threats are identified, safeguards are defined, and findings are documented in the SPA report.
Committee Draft or Proposed Draft TR: The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process.
Draft International Standard, Final Draft International Standard or Draft TR: The ISO publication staff and the Standard or Specification Editor verify that the Privacy Considerations are consistent with the rules for International Standards.
Maintenance of Standard/TR: Deployment may lead to the reporting of privacy issues, to be addressed in a timely manner through change requests.
Standards Privacy Assessment (SPA, SD4): Summary of SPA Process Intent
[Process diagram: steps and their results]
Identify Principles → Privacy Principles
Identify Requirements → Privacy Safeguarding Requirements
Analyze Threats → Privacy Threats & Vulnerabilities
Identify Privacy Safeguards → Privacy Safeguards
Determine Residual Risk → Acceptable Risk
If unacceptable risk remains, repeat until acceptable remaining level of risk
WG 5 Identity Management & Privacy Technologies: Roadmap
WG 5 Identity Management & Privacy Technologies: Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.
ISO/IEC JTC 1, ISO
CEN, ETSI, ITU-T
Further organisations with specific application needs and/or expertise
WG 5 Identity Management & Privacy Technologies: Example Liaisons and collaboration – within ISO and IEC
JTC 1/SC 17/WG 4: Integrated circuit card with contacts
JTC 1/SC 37: Biometrics
JTC 1/SC 38: Distributed application platforms and services (DAPS)
ISO TC 215/WG 4: Health Informatics Security