From: Mary McRae (mary...@oasis-open.org)
Subject: [pmrm] Call for Participation: OASIS Privacy Management Reference Model (PMRM) TC
Date: Jul 21, 2010 8:52:06 pm
To: OASIS members & interested parties
A new OASIS technical committee is being formed. The OASIS Privacy Management
Reference Model (PMRM) Technical Committee has been proposed by the members of
OASIS listed below. The TC name, statement of purpose, scope, list of
deliverables, audience, and language specified in the proposal will constitute
the TC's official charter. Submissions of technology for consideration by the
TC, and the beginning of technical discussions, may occur no sooner than the
TC's first meeting.
The eligibility requirements for becoming a participant in the TC at the
first meeting are:
(a) you must be an employee of an OASIS member organization or an individual
member of OASIS, and
(b) you must join the Technical Committee, which members may do by using the
"Join this TC" button on the TC's home page at [a].
To be considered a voting member at the first meeting, you must:
(a) join the Technical Committee at least 7 days prior to the first meeting
(1 September 2010); and
(b) attend the first meeting of the TC, at the time and date fixed
below (Wednesday, 8 September 2010 at 11:00AM EDT).
Of course, participants also may join the TC at a later time. OASIS and the TC
welcome all interested parties.
Non-OASIS members who wish to participate may contact us about joining OASIS
[b]. In addition, the public may access the information resources maintained for
each TC: a mail list archive, document repository and public comments facility,
which will be linked from the TC's public home page at [c].
Please feel free to forward this announcement to any other appropriate lists.
OASIS is an open standards organization; we encourage your participation.
Mary P McRae
Director, Standards Development
Technical Committee Administrator
OASIS: Advancing open standards for the information society
email: mary...@oasis-open.org
web: www.oasis-open.org
twitter: @fiberartisan #oasisopen
phone: 1.603.232.9090
CALL FOR PARTICIPATION
OASIS Privacy Management Reference Model (PMRM) Technical Committee
TC NAME
OASIS Privacy Management Reference Model (PMRM) Technical Committee
STATEMENT OF PURPOSE AND PROBLEM TO BE SOLVED
For purposes of this project, from a business and operational perspective,
"data privacy" is defined to mean the assured, proper, and consistent
collection, storage, processing, transmission, use, sharing, trans-border
transfer, retention and disposition of Personal Information (PI) throughout its
life cycle, consistent with data protection principles, privacy and security
policy requirements, and the preferences of the individual, where applicable.
The principal purpose of the PMRM TC will be to develop and articulate a Privacy
Management Reference Model that describes a set of broadly-applicable data
privacy and security requirements and a set of implementable Services and
interactions for fulfilling those requirements.
Today, increased cross-border and cross-policy-domain data flows, networked
information processing, federated systems, application outsourcing, social
networks, ubiquitous devices and cloud computing bring ever more significant
challenges, risk, and management complexity to privacy management.
However, business process engineers, IT analysts, architects, and developers do
not have standards-based technical privacy and security frameworks or lifecycle
reference models that can enable development and implementation of privacy and
associated security requirements. Frequently expressed as broad policy
objectives (fair information practices and principles), these objectives are far
removed from the rigorous requirements expressions needed by business sponsors,
business and system analysts, architects and developers.
Typical policy expressions provide little insight into how to actually implement
such policies, presenting frustration for policymakers (who expect business
systems to manage privacy and security rules) and design challenges for IT
architects and solution developers (who have few models to guide their work).
This becomes a greater problem in increasingly federated networks, systems and
An effective solution to privacy and security management and compliance
obligations in today’s IT-centric, networked systems, services and applications
environment would be a collection of privacy and security policy-configurable,
IT-based, systematic behaviors that faithfully satisfy the requirements of
privacy and security policies within a wide variety of contexts and
implementation use-case scenarios.
The purpose of the OASIS Privacy Management Reference Model is to aid in the
design and implementation of operational privacy and security management
The Reference Model is intended to serve as a guideline or template for
developing operational solutions to privacy issues, as an analytical tool for
assessing the completeness of proposed solutions, and as the basis for
establishing categories and groupings of privacy management controls. The
Reference Model will serve as an evaluation framework for implementations, but
will not itself be an implementation. It is intended to be used as a tool or
basis for development of further implementations and standards, which either
currently exist or would be developed independently.
SCOPE OF THE TC
The TC will accept as input the ISTPA Privacy Management Reference Model v2.0 -
and implementations - developed by the International Security, Trust and Privacy
Alliance (ISTPA). It is anticipated that this document will be contributed to
the TC for further elaboration and standardization at OASIS.
The TC is open to submission of other relevant work and encourages submissions,
particularly use cases appropriate for testing the lifecycle management aspects
of the Reference Model.
The PMRM will:
· Define a set of operationally-focused privacy requirements which can serve as
a reference for evaluating options for designing and implementing operational
privacy controls. These requirements will constitute a useful working set of
‘privacy guidelines’, which can both serve as general guidance, and as a feature
set against which the PMRM and any implementation can be tested.
· Define a structured format for describing privacy management Services, and
identify categories of functions that may be used in defining and executing the
· Define a set of privacy management Services to support and implement the
privacy requirements at a functional level. These Services will include some
capabilities that are typically implicit in privacy practices or principles
(such as policy management or interaction), but that are necessary if
information systems and processes are to be made privacy configurable and
· Establish an explicit relationship between security requirements and
supporting security services (such as confidentiality, integrity and
availability services) and the privacy management Services. Security services
and standards are essential to secure Personal Information; therefore, each
specific privacy management Service is expected to have its own security service
In order to refine the Privacy Management Reference Model, the TC may employ and
refine use cases supplied by other OASIS TCs and external organizations. The TC
may also consider hosting educational workshops and producing additional
supporting materials such as ‘best practices’ documents.
Specification of the performance of any particular security service, mechanism
or standard for the security of Personal Information is out of scope for this
TC. The Reference Model, however, will consider the applicability and
relationship of security services (confidentiality, including identity
management, authentication and access controls; integrity; and availability)
within the Reference Model, since the Reference Model incorporates security as a
component of privacy management services.
A LIST OF DELIVERABLES AND PROJECTED COMPLETION DATES
The key deliverables are the OASIS Privacy Management Reference Model and one or
more comprehensive Use Cases. Estimated completion date is 12 months after the
formation of this TC.
- Privacy Management Reference Model: Define a set of operational privacy
management Services. Each Service will consist of a set of
syntactically-structured and logically related Functions that implement that
Service. The Service/Function sets will be complete in the sense that all
arbitrary but rational sets of privacy requirements (e.g., principles,
practices, privacy legislation) can be re-defined in terms of the Services. In
that sense, the Reference Model will provide the basis for a high-level system
design, a privacy architecture, and a privacy management implementation that
solves the given set of privacy requirements.
- One or more comprehensive Use Cases: From a number of initial candidates
solicited from a cross-section of vertical industries and privacy-sensitive
environments, the TC will select one or more Use Cases and apply the Privacy
Management Reference Model to convert the Use Case requirements into a system
design for an implementation. Ideally, the Use Cases will fully exploit the set
of operational Services.
As part of the Use Case development, two additional items are applicable:
· Selection of one or more formal methodologies for expressing Use Cases; and
· Profiles of the PMRM applied to selected specific environments (such as Cloud
Computing, Health IT, e-Gov, and/or the Smart Grid) that could be used to derive
architectures for implementing the PMRM.
Any additional deliverables will be produced after the main deliverables have
been finalized. However, additional, representative use cases can be developed
in parallel with the Reference Model.
IPR MODE UNDER WHICH TC WILL OPERATE
This TC will operate under the Non-Assertion Mode of the OASIS IPR Policy.
ANTICIPATED AUDIENCE OR USERS OF THE WORK
privacy and security consultants, auditors, IT systems architects and designers
of systems that collect, store, process, use, share, transport across borders,
exchange, secure, retain or destroy Personal Information. In addition, other
OASIS TCs and external organizations and standards bodies may find the PMRM
useful in developing privacy management use cases in their context.
LANGUAGE IN WHICH THE TC WILL CONDUCT BUSINESS
The TC will conduct its business in English.
(NON-NORMATIVE) INFORMATION REGARDING THE STARTUP OF THE TC
Similar or applicable work being done and level of liaison:
Since most prior work related to privacy management implementation focuses on
specific aspects, like policy expression languages or security controls for
privacy, the PMRM is unprecedented in defining privacy management services for
an arbitrary set of privacy requirements.
The TC may elect to form liaisons as appropriate with relevant OASIS TCs and
outside organizations, including:
§ OASIS Blue Member Section (for Smart Grid projects)
§ Other OASIS IDtrust Member Section TCs (for Use Cases)
§ SOA Reference Model TC (for service models)
§ ISO/IEC JTC1 Subcommittee 27 – Information technology - Security techniques
§ ITU-T Study Group 17 on Security
§ ISO TC 68 Subcommittee 7 on Financial Services Data Privacy
§ International Association of Privacy Professionals
§ Open Geospatial Consortium, contact: Carl Reed, cre...@opengeospatial.org
§ US SmartGrid Interoperability Program (SGIP) Cybersecurity Committee
§ Healthcare Information Technology Standards Panel (HITSP): Security, Privacy
and Infrastructure Domain Technical Committee
§ Kantara Initiative
§ Liaison with ISO SC27/WG5 (on identity management and privacy)
§ A global de jure standards organization such as ITU or ISO/IEC JTC1
First meeting:
Date: Wednesday, 8 September 2010
Time: 11:00AM EDT
Location (in person or by telephone): Telephone
Sponsor: ISTPA and CA Technologies
Meeting schedule and Sponsor: Weekly teleconferences, time/date TBD, periodic
face-to-face in conjunction with the OASIS IDtrust Member Section meetings;
possible face-to-face meeting (with teleconference option) coincident with the
OASIS Identity Management 2010 Conference, 27-28 October, at the World Bank -
Washington, DC; sponsors: CA Technologies and ISTPA
Names, electronic mail addresses, and membership affiliations of supporting
Minimum Membership (proposers):
John Sabo, John...@ca.com, CA Technologies
Michael Willett, mwil...@nc.rr.com, ISTPA
Erika McCallister, Erik...@nist.gov, NIST
Rolly Chambers, RLCh...@smithcurrie.com, American Bar Association
Bill Tabor, bta...@protexx.com, WidePoint Corporation
Drummond Reed, dire...@informationcard.net, Information Card Foundation
Peter Brown, pete...@justbrown.net, (individual)
John Bradley, john...@wingaa.com, (individual)
Michele Drgon, mich...@dataprobity.com, (individual)
Gail Magnuson, gail...@gmail.com, (individual)
John Moehrke, John...@med.ge.com, (individual)
For each OASIS Organizational Member above, name, electronic mail address,
membership affiliation, and statement of support
John Sabo, John...@ca.com
Director, Global Government Relations, CA Technologies, and President: ISTPA
As the Primary Representative to OASIS of the International Security, Trust, and
Privacy Alliance (ISTPA), I approve the Charter. ISTPA is pleased to be able to
contribute our Privacy Management Reference Model v2.0 to the technical
committee. We believe that the new PMRM TC will undertake important
standardization work in lifecycle privacy management and compliance.
Rolly Chambers, RLCh...@smithcurrie.com, American Bar Association
I'm assuming you realize the ABA approves.
Paul Lipton, paul...@ca.com
VP, Industry Standards and Open Source, CA Technologies
As CA Primary Representative, I approve the PMRM TC Charter and CA’s inclusion
(in the person of John Sabo) as a named co-proposer. Also, my compliments on the
quality of the charter itself. It has come along nicely, if I may be so bold.
David Flater, dfla...@nist.gov
National Institute of Standards and Technology
As the NIST primary representative to OASIS, I approve the final draft of the
PMRM TC charter.
Bill Tabor, bta...@protexx.com
I am the Primary Rep for Widepoint and I approve.
Drummond Reed, dire...@informationcard.net
I am the primary rep for the Information Card Foundation, and I approve the
PMRM TC Charter.
Convener: ISTPA (Michael Willett)
Member Section: IDtrust
Contributions of existing technical work: ISTPA Privacy Management Reference Model V2.0: http://www.istpa.org/pdfs/ISTPAPrivacyManagementReferenceModelV2%200.pdf
Draft Frequently Asked Questions (FAQ) document: TBD (Willett)
Proposed working title and acronym for the specification(s): OASIS Privacy
Management Reference Model (PMRM), pronounced ‘pimrim’.