Auto-ISAC Community Call · 2019-08-23 · TLP WHITE: May be shared within the Auto-ISAC Community....



Auto-ISAC

Special Community Call

28 August 2019


Agenda

Time (ET)  Topic

11:00  Welcome
  ➢ Purpose, Participants, and Engagement

11:05  Featured Speakers
  ➢ Naomi Lefkovitz, Privacy Policy Advisor, Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce

11:45  Around the Room
  ➢ Sharing around the virtual room

11:55  Closing Remarks


Welcome - Auto-ISAC Community Call!

Purpose: These monthly Auto-ISAC Community Meetings are an opportunity for you, our Members & connected vehicle ecosystem partners, to:

✓ Stay informed of Auto-ISAC activities
✓ Share information on key vehicle cybersecurity topics
✓ Learn about exciting initiatives within the automotive community from our featured speakers

Participants: Auto-ISAC Members, Potential Members, Partners, Academia, Industry Stakeholders, and Government Agencies

Classification Level: TLP GREEN: may be shared within the Auto-ISAC Community, and “off the record”

❖ Featured speakers are not endorsed by Auto-ISAC nor do the speakers speak on behalf of Auto-ISAC

How to Connect: For further info, questions, or to add other POCs to the invite, please contact Auto-ISAC Membership Engagement Lead Kim Kalinyak ([email protected])


Welcome to Today’s Speaker

Featured Speaker

Abstract: Auto-ISAC invites you to join the National Institute of Standards and Technology (NIST) for a discussion on the Privacy Framework, led by Naomi Lefkovitz (Senior Privacy Policy Advisor at NIST and Manager of the Privacy Engineering Program). NIST is developing this voluntary framework, in collaboration with private and public sector stakeholders, to help organizations: better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services. Join this discussion to share your input on the latest content in the evolving development of this tool, and to learn about the process to date and how to become an early adopter.

Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. She leads the privacy engineering program, which focuses on developing privacy risk management processes and integrating solutions for protecting individuals’ privacy into information technologies, including digital identity services, IoT, smart cities, big data, mobile, and artificial intelligence. She also leads the development team for the NIST Privacy Framework. FierceGovernmentIT named Ms. Lefkovitz on their 2013 “Fierce15” list of the most forward-thinking people working within government information technology, and she is a 2014 and 2018 Federal 100 Awards winner. Before joining NIST, she was the Director for Privacy and Civil Liberties in the Cybersecurity Directorate of the National Security Council in the Executive Office of the President. Her portfolio included the National Strategy for Trusted Identities in Cyberspace as well as addressing the privacy and civil liberties impact of the Obama Administration’s cybersecurity initiatives and programs. Prior to her tenure in the Obama Administration, Ms. Lefkovitz was a senior attorney with the Division of Privacy and Identity Protection at the Federal Trade Commission. Her responsibilities focused primarily on policy matters, including legislation, rulemakings, and business and consumer education in the areas of identity theft, data security and privacy. At the outset of her career, she was Assistant General Counsel at CDnow, Inc., an early online music retailer. Ms. Lefkovitz holds a B.A. with honors in French Literature from Bryn Mawr College and a J.D. with honors from Temple University School of Law.

NIST Privacy Framework

8.28.2019

Process to Date

Feedback encouraged and promoted throughout the process: ongoing engagement

October 16, 2018 (Austin, TX): Workshop #1
November 14, 2018 – January 14, 2019: Request for Information (RFI)
February 27, 2019: RFI Analysis & Framework Outline
April 30, 2019: Framework Discussion Draft
May 13-14, 2019 (Atlanta, GA): Workshop #2
June 26, 2019: Supplemental Materials
July 8-9, 2019 (Boise, ID): Workshop #3


Purpose, value, & scope


Relationship Between Cybersecurity and Privacy Risk

Cybersecurity Risks: arise from unauthorized activity

Privacy Risks: arise as a byproduct of authorized data processing

Overlap of the two: data security (including unauthorized use & disclosure)

Data: A representation of information, including digital and non-digital formats, with the potential for adverse consequences for individuals when processed

Data Action: A system/product/service operation that processes data

Data Processing: An operation or set of operations performed upon data across the full data life cycle, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal

Privacy Risk: The likelihood that individuals will experience problems resulting from data processing, and the impact should they occur


Privacy Risk and Organizational Risk

Problem: arises from data processing

Individual: experiences direct impact (e.g., embarrassment, economic loss)

Organization: experiences secondary impact (e.g., customer abandonment, noncompliance costs, harm to reputation)


Privacy Framework Value

Organizations can use the Privacy Framework for:

• Shared lexicon
• Making ethical decisions when designing or deploying products and services
• Avoiding losses of trust that damage reputations and can slow adoption or cause abandonment of products and services.


Risk-based & flexible


Privacy & Cybersecurity Framework Alignment

Core: provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk

Profiles: a selection of specific Functions, Categories, and Subcategories from the Core that the organization has prioritized to help it manage privacy risk (Current Profile and Target Profile)

Implementation Tiers: how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk and achieve its Target Profile


Example from the Core

Function: CONTROL-P (CT-P). Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.

Category: Data Management (CT.DM-P). Data are managed consistent with the organization's risk strategy to protect individuals’ privacy and increase manageability and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).

Subcategories:
CT.DM-P4: Data elements can be accessed for deletion.
CT.DM-P5: Data are transmitted using standardized formats.


Two Proposed Cores

Diagram of two alternative Core structures, a Separated Core and an Integrated Core, each arranging the Functions IDENTIFY, GOVERN, PROTECT, CONTROL, COMMUNICATE, DETECT, RESPOND, and RECOVER.


Flexible Implementation

Not a checklist: organizations may not need to achieve every outcome or activity reflected in the Core

Partial achievement: organizations are not obligated to achieve an outcome in its entirety

Bundling: organizations may need to consider multiple outcomes in combination to appropriately manage privacy risk

Order: table format of Core is not intended to suggest an implementation order or degree of importance

Accessibility & efficacy for bridging communication gaps


Finding Yourself in the Core


Cross-functional Collaboration

• Organizational or industry sector goals
• Legal/regulatory requirements & industry best practices
• Organization’s risk management priorities
• Privacy needs of individuals

Core: Identify-P, Govern-P, Control-P, Communicate-P, Protect-P

Current Profile: Identify-P, Govern-P, Protect-P

Target Profile: Identify-P, Govern-P, Control-P, Communicate-P, Protect-P


Hypothetical Partial Profile

Govern
  Governance Processes and Procedures
    GV.PP-P5: Legal, regulatory, and contractual requirements...

Identify
  Inventory and Mapping
    ID.IM-P8: Data processing is mapped...
  Risk Assessment
  ID.DE-P3: Contracts with data processing ecosystem parties are used...

Other Categories and Subcategories shown:
  Identity Management, Authentication, and Access Control
  CT.DM-P1: Data elements can be accessed for review.
  CT.DM-P4: Data elements can be accessed for deletion.
  CT.DM-P6: Metadata containing processing permissions...
  PR.DP-P6: Data are destroyed according to policy.
  PR.PP-P1: Data are processed in an unobservable or unlinkable manner.

Key: Current Profile; Target Profile


Gap areas & needs


Laying the Groundwork for the Future

Seeking to improve and overcome challenges around:

• Mechanisms to provide confidence

• Emerging technologies

• Privacy risk assessment

• Privacy workforce

• Re-identification risk

• Technical standards


Adopt me!

• Trial run – share insights as feedback

• V1 use pledge – lead on privacy

• NIST repository – provide use cases and informative references


Resources

Website

https://www.nist.gov/privacyframework

Mailing List

https://groups.google.com/a/list.nist.gov/forum/#!forum/privacyframework

Contact Us

[email protected]

@NISTcyber #PrivacyFramework


Open Discussion: Around the Room

Any questions about the Auto-ISAC or future topics for discussion?


Save the Date!

Auto-ISAC 2019 Automotive Cybersecurity Summit

“The Auto-ISAC summit provides a unique experience to learn about automotive cybersecurity information sharing, collaboration, and organization. The ISAC summit fills a gap among automotive cybersecurity workshops and ideally complements more technical workshops such as escar.” – Summit Attendee

October 23-24, 2019 in Plano, Texas

https://www.automotiveisac.com/auto-isac-summit/


Our contact info

Faye Francy, Executive Director
20 F Street NW, Suite 700, Washington, DC 20001
703-861-5417
[email protected]

Kim Kalinyak, Membership Engagement Lead
20 F Street NW, Suite 700, Washington, DC 20001
240-422-9008
[email protected]

Josh Poster, Program Operations Manager
20 F Street NW, Suite 700, Washington, DC 20001
[email protected]

Jessica Etts, Senior Intel Coordinator
20 F Street NW, Suite 700, Washington, DC 20001
[email protected]