Prof. Dr. Kai Rannenberg - EAID e.V. · 2019. 12. 20. · Standardisierung technologischer Datenschutzanforderungen Prof. Dr. Kai Rannenberg Deutsche Telekom Chair of Mobile Business

Standardisierung technologischer Datenschutzanforderungen

Prof Dr Kai RannenbergDeutsche Telekom Chair of

Mobile Business amp Multilateral SecurityGoethe University Frankfurt

wwwm-chairde

Technologischer Datenschutz ndashVorgaben der DatenschutzgrundverordnungBerlin 2017-03-02

ISOIEC JTC 1SC 27WG 5 Identity Management amp Privacy Technologies

2

WG 5 Identity Management amp Privacy TechnologiesAgenda

WG 5 within SC 27Example standardisation projectsStanding Documents Liaison organisationsMeeting schedulesConclusions amp Outlook


SC 27 ldquoIT Security Techniquesrdquowithin ISOIEC JTC1

3

ISO International

Organization for Standardization

IEC

International Electro-technical Commission

ISOIECJTC 1

Information Technology

SC 2Coded Character

Sets

SC 40IT Service Management

and IT Governancehellip hellipSC 27

Security Techniques


SC27 Working Groups

SC27Chair Walter Fumy (DE) Vice-chair Marijke De Soete (BE)

Secretariat Krystyna Passia (DIN)

WG1 (Information security management

systems)Convenor

Edward Humphreys (UK)

Vice-convenorDale Johnstone (AU)

WG2 (Cryptography and security mechanisms)

ConvenorTakeshi

Chikazawa (JP) Vice-convenor

Toshio Tatsuta (JP)

WG3 (Security Evaluation Testing and Specification)

Convenor Miguel Bantildeoacuten (ES)

Vice-convenorNaruki Kai (JP)

WG4 (Security controls and services)

Convenor Johann Amsenga (ZA)

Vice-convenorFranccedilois Lorek (FR)

WG5 (Identity management and

privacy technologies) Convenor

Kai Rannenberg (DE)Vice-convenor

Jan Schallaboumlck (DE)

SWG-T (Transversal Items)

Convenor (acting) Andreas Fuchsberger (DE)

Vice-convenor Laura Lindsay (US)


5

WGswithin ISOIEC JTC 1SC 27 ndash IT Security Techniques

WG 5Identity Management

amp Privacy Technologies

WG 1ISMS

WG 4Security Controls amp Services

WG 2Cryptography amp

Security Mechanisms

WG 3Security Evaluation

Product System Process Environment

Techniques

Guidelines

Assessment


6

hellip which is NOT Best Practice hellip

ldquoCollect as much information as

possible ndash and check about a use for it

laterrdquo


7

hellip and NOT privacy friendly



laterrdquo


8

A legacy Information (Security) Management Paradigm hellip



laterrdquo


9

Security amp Privacy aimto address systems in a holistic way

bdquoWir wollen nicht ein Stuumlck vom Kuchen wir wollen die ganze

Baumlckereildquo


SC 27Facts amp Figures

10

Participating countries (P-members) 54 Observing countries (O-members) 20 Projects 237 Projects under development 73 Published standards 164


11


Members Participating countries (P-members) 54 Observing countries (O-members) 20

Projects Projects 237 Projects under development 73 Published standards 164

Standing Documents SD6 Glossary of IT Security terminology SD7 Catalogue of SC 27 Projects and Standards SD11 Overview of SC 27 on wwwdindeenmetajtc1sc27downloads


12

WG 5 Identity Management amp Privacy TechnologiesScope

Development and maintenance of standards and guidelines addressing security aspects of Identity managementBiometrics andPrivacy


13

WG 5 Identity Management amp Privacy TechnologiesProject Overview

Frameworks amp Architectures A framework for identity management (ISOIEC 24760 (Parts 1-3) IS2011 IS2015 IS2016) Privacy framework (ISOIEC 29100 IS2011) Privacy architecture framework (ISOIEC 29101 IS2013) Entity authentication assurance framework (ISOIEC 29115 IS2013) A framework for access management (ISOIEC 29146 IS2016) Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly

Xbhsm) Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD) (together with WG 4)

Protection Concepts Biometric information protection (ISOIEC 24745 IS2011) Requirements for partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012) Privacy enhancing data de-identification techniques (ISOIEC 20889 CD) Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)

Guidance on Context and Assessment Authentication context for biometrics (ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model (ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISOIEC 27018

IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058| ISOIEC 29151 FDIS) (formerly Xgpim) Guidelines for online privacy notice and consent (ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements (ISOIEC 27552 WD)


14

WG 5 Identity Management amp Privacy TechnologiesPrivacyPII standards in SC 27WG 5 and WG 1 (2017-01)


15

WG 5 Identity Management amp Privacy TechnologiesProgramme of Work

Frameworks amp Architectures (1)A framework for identity management

(ISOIEC 24760)Part 1 Terminology and concepts (IS2011 freely

available AMD DAM)Part 2 Reference framework and requirements

(IS2015)Part 3 Practice (IS2016)

Privacy framework (ISOIEC 29100 IS2011 freely available)Privacy architecture framework (ISOIEC 29101 IS2013)


16








ISOIEC IS 291002011Privacy principles

1 Consent and choice 2 Purpose legitimacy and specification 3 Collection limitation 4 Data minimization 5 Use retention and disclosure limitation 6 Accuracy and quality 7 Openness transparency and notice 8 Individual participation and access 9 Accountability 10 Information security 11 Privacy compliance

17


18








19

Identity Management (IdM)An early approach

bdquoFear not for I have redeemed youI have called you by name you are minerdquo [Isaiah 431]

bdquoΜη φοβου διοτι εγω σε ελυτρωσασε εκαλεσα με το ονομα σου εμου εισαιldquo[Ησαιαν 431]

bdquoNo temas porque yo te he redimido te he llamado por tu nombre miacuteo eres tuacuteldquo[Isaiacuteas 43 1 ]

bdquoFuumlrchte dich nicht denn ich habe dich erloumlstich habe dich bei deinem Namen gerufen du bist meinldquo[Jesaja 431]


20

Identity Management (IdM)2 sides of a medal with enormous economic potential

People live their life in different roles (professional

private volunteer) using different identities

(pseudonyms) email accounts SIM cards eBay trade names chat names 2ndLife names hellip)

Partial identitieshelp to protect

privacy especially anonymity personal securitysafety

enable reputation building at the same time

Identity management systems support users using role based

identities help to present the ldquorightrdquo identity

in the right context

Organisations aim to sort out User Accounts in different IT

systems Authentication Rights management Access control

Unified identitieshelp to ease administration manage customer relations

Identity management systems ease single-sign-on by unify

accounts solve the problems of multiple

passwords


21





Differentiated identitieshelp to protect




identities help to present the ldquorightrdquo

identity in the right context



Partial identitieshelp to ease administration manage customer relations



passwords


22

WG 5 Identity Management amp Privacy TechnologiesIdentity Management standards in SC 27WG 5 (2017-01)


23








24


Frameworks amp Architectures (2)Entity authentication assurance framework(ISOIEC 29115 IS2013 AMD DAM) A framework for access management (ISOIEC 29146 IS2016)Telebiometric authentication framework using biometric hardware security module (ITU-T X1085 | ISOIEC 17922 FDIS) (formerly Xbhsm)Big data reference architecture ndash Part 4 Security and privacy fabric (ISOIEC 20547-4 WD)(together with WG 4)


25


Protection ConceptsBiometric information protection(ISOIEC 24745 IS2011)Requirements on partially anonymous partially unlinkable authentication (ISOIEC 29191 IS2012)Privacy enhancing data de-identification techniques (ISOIEC 20889 CD)Requirements for attribute-based unlinkable entity authentication (ISOIEC 27551 WD)


26


Guidance on Context and Assessment Authentication context for biometrics

(ISOIEC 24761 IS2009Cor 12013 Revision CD) Privacy capability assessment model

(ISOIEC 29190 IS2015) Code of practice for protection of personally identifiable information (PII) in public

clouds acting as PII processors(ISOIEC 27018 IS2014) Identity proofing (ISOIEC 29003 DIS) Privacy impact assessment ndash methodology (ISOIEC 29134 FDIS) Code of practice for PII protection (ITU-T X1058 | ISOIEC 29151 FDIS) (formerly

Xgpim) Guidelines for online privacy notice and consent

(ISOIEC 29184 WD) Privacy engineering (ISOIEC 27550 WD) Enhancement to ISOIEC 27001 for privacy management ndash Requirements

(ISOIEC 27552 WD)


27


Exkurs DIN 66398Die Norm fuumlr Loumlschkonzepte

bdquoLeitlinie zur Entwicklung eines Loumlschkonzepts mit Ableitung von Loumlschfristen fuumlr personenbezogene Datenldquo Ausgabe 2016-05

Empfehlungen fuumlr die Inhalte den Aufbau und die Zuordnung von Verantwortung in einem Loumlschkonzept fuumlr personenbezogene Daten

Insbesondere Vorgehensweisen mit denen effizient Loumlschfristen und Loumlschregeln fuumlr verschiedene Datenarten bestimmt werden koumlnnen

Basierend auf dem Loumlschkonzept von ua Toll Collect Gliederung

Motivation Elemente eines Loumlschkonzepts Loumlschklassen Datenarten und Loumlschregeln Umsetzungsvorgaben Verantwortlichkeiten

wwwdin-66398de

28


29


New Work Item Proposal

ISOIEC 29100 Privacy framework ndashAmendment 1


30


Study Periods

PII protection considerations for smartphone App providersPrivacy in smart citiesGuidelines for privacy in Internet of Things (IoT)Editorial inconsistencies in ISOIEC 29100 Information technology ndash Security techniques ndashPrivacy frameworkCode of Practice solution for different types of PII processors Identity related standards landscape


31


Standing Documents

WG 5 Roadmap(WG 5 SD1)

Privacy References List(WG 5 SD2) (public)

Standards Privacy Assessment (SPA)(WG 5 SD4) (public)


Standards Privacy Assessment (SPA SD4)SPA or not SPA

32

No SPANeeded

No

No

Yes

Yes

Yes

No

PrivacyConsiderations

SPANeeded

Q1 Will stdor spec process personal data OR

will it create a link toPII

Q3Will deployment of the std

or spec be used in a network device by an individual

Q2Will std or spec

generatePII


ISO deliverables

33


Standards Privacy Assessment (SPA SD4)Application at standards development milestones

Study Period and New Work Item Proposal Include an explanation of relevant privacy fundamentals privacy goals and the SPA process Identify a Privacy Champion in the project team

Working Draft As the project team creates functionality data flows are analyzed and categorized areas for Privacy Engineering are identified privacy requirements are identified threats are identified safeguards are defined and findings documented in SPA report

Committee Draft or Proposed Draft TR The Standard or Specification Editor and project team ensure that the Privacy Considerations address all issues and mitigation steps identified during the SPA process

Draft International Standard Final Draft International Standard or Draft TR The ISO publication staff and Standard or Specification Editor verify Privacy Considerations consistence with rules for International Standards

Maintenance of StandardTR Deployment may lead to the reporting of privacy issues To address in a timely manner through change requests

34


Standards Privacy Assessment (SPA SD4)Summary of SPA Process Intent

35

IdentifyPrinciples

IdentifyRequirements

AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles

Privacy Safeguarding Requirements

Privacy Threats amp Vulnerabilities

Privacy Safeguards

Acceptable Risk

If unacceptablerisk remainsrepeat until acceptableremaining level of risk


36

WG 5 Identity Management amp Privacy TechnologiesRoadmap


37

WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration

With organizations and committees dealing with specific requirements and guidelines for services and applications eg

ISOIEC JTC 1ISO

CENETSIITU-T

Further organisations with specific application needs andor expertise


38

WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration ndash within ISO and IEC

JTC 1SC 17WG 4 Integrated circuit card with contacts

JTC 1SC 37Biometrics

JTC 1SC 38Distributed application platforms and services (DAPS)

ISO TC 215WG 4Health Informatics Security


39

WG 5 Identity Management amp Privacy TechnologiesLiaisons and collaboration ndash with ITU-T

ITU-T SG 13Future networks including mobile and NGN

ITU-T SG 17Security

ETSITC Cyber


40

WG 5 Identity Management amp Privacy TechnologiesExample Liaisons and collaboration

(ISC)2 - International Information Systems Security Certification Consortium

ABC4Trust Article 29 Working Party of Data Protection Authorities in the

European Union CSA (Cloud Security Alliance) ENISA (European Network and Information Security Agency) ISF (Information Security Forum) Kantara Initiative (succeeding Liberty Alliance) OpenID Foundation PRACTICE PRIPARE The International Conference of Data Protection and Privacy

Commissioners


41

WG 5 Identity Management amp Privacy TechnologiesRecent and next meetings

2016-10-23 ndash 2016-10-27 Abu Dhabi (UAE) WG 5 Meeting

2017-04-18 ndash 2017-04-22 Hamilton (New Zealand) WG 5 Meeting 2017-04-24 ndash 2017-04-25 Hamilton (New Zealand) SC 27 Plenary

2017-10-30 ndash 2017-11-03 Berlin (Germany) WG 5 Meeting

2018-04-09 ndash 2018-04-13 TBD (China) WG 5 Meeting 2018-04-16 ndash 2018-04-17 TBD (China) SC 27 Plenary


Conclusions amp Outlook

Several projects completed so a landscape is developingMany more projects to do hellip Every new project is a hellipnew global challenge(cultural) learning experience

Privacy by design is a leading paradigm for WG 5 standardization but standardizing it in itself seems difficult

42


43

wwwdindeenmetajtc1sc27downloads SD6 Glossary of IT Security Terminology SD7 Catalogue of SC 27 Standards amp ProjectsWG 5SD2 Privacy Documents References ListWG 5SD4 Standards Privacy Assessment (SPA)

wwwisoorgobpui ISO Online Browsing Platform (OBP)

httpstandardsisoorgittfPubliclyAvailableStandardsindexhtml Freely available standards eg

ISOIEC 24760-12011 ldquoA framework for identity management --Part 1 Terminology and conceptsrdquo ISOIEC 291002011 ldquoPrivacy frameworkrdquo

KaiRannenbergm-chairde

WG 5 Identity Management amp Privacy TechnologiesFurther Reading


44

Thank you very much for yourattention and interest

WG 5 Identity Management amp Privacy Technologies


2

WG 5 Identity Management amp Privacy TechnologiesAgenda

WG 5 within SC 27Example standardisation projectsStanding Documents Liaison organisationsMeeting schedulesConclusions amp Outlook



3

ISO International


IEC


ISOIECJTC 1


SC 2Coded Character

Sets



Security Techniques


SC27 Working Groups




systems)Convenor




ConvenorTakeshi


Toshio Tatsuta (JP)















5




WG 1ISMS



Security Mechanisms



Techniques

Guidelines

Assessment


6




laterrdquo


7




laterrdquo


8




laterrdquo


9



Baumlckereildquo



10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44





3

ISO International


IEC


ISOIECJTC 1


SC 2Coded Character

Sets



Security Techniques


SC27 Working Groups




systems)Convenor




ConvenorTakeshi


Toshio Tatsuta (JP)















5




WG 1ISMS



Security Mechanisms



Techniques

Guidelines

Assessment


6




laterrdquo


7




laterrdquo


8




laterrdquo


9



Baumlckereildquo



10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




SC27 Working Groups




systems)Convenor




ConvenorTakeshi


Toshio Tatsuta (JP)















5




WG 1ISMS



Security Mechanisms



Techniques

Guidelines

Assessment


6




laterrdquo


7




laterrdquo


8




laterrdquo


9



Baumlckereildquo



10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




5




WG 1ISMS



Security Mechanisms



Techniques

Guidelines

Assessment


6




laterrdquo


7




laterrdquo


8




laterrdquo


9



Baumlckereildquo



10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




6




laterrdquo


7




laterrdquo


8




laterrdquo


9



Baumlckereildquo



10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




7




laterrdquo


8




laterrdquo


9



Baumlckereildquo



10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




8




laterrdquo


9



Baumlckereildquo



10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




9



Baumlckereildquo



10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44





10



11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




11






12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




12




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




13








14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




14



15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




15








16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




16










17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44






17


18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




18








19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




19







20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




20
















passwords


21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




21
















passwords


22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




22



23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




23








24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




24




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




25




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




26








(ISOIEC 27552 WD)


27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




27








wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44









wwwdin-66398de

28


29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




29





30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




30


Study Periods



31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




31


Standing Documents






32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44





32

No SPANeeded

No

No

Yes

Yes

Yes

No


SPANeeded





Q2Will std or spec

generatePII


ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




ISO deliverables

33








34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44










34



35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44





35

IdentifyPrinciples


AnalyzeThreats

IdentifyPrivacy

Safeguards

DetermineResidual

Risk

Privacy Principles



Privacy Safeguards

Acceptable Risk



36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




36



37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




37



ISOIEC JTC 1ISO

CENETSIITU-T



38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




38







39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




39



ITU-T SG 17Security

ETSITC Cyber


40





Commissioners


41










42


43








44




40





Commissioners


41










42


43








44




41










42


43








44







42


43








44




43








44




44

