Auto-ISAC Community Call · 2019-08-23 · TLP WHITE: May be shared within the Auto-ISAC Community....
Transcript of Auto-ISAC Community Call · 2019-08-23 · TLP WHITE: May be shared within the Auto-ISAC Community....
123 August 2019TLP WHITE: May be shared within the Auto-ISAC Community.
Auto-ISAC
Special Community Call
28 August 2019
223 August 2019TLP WHITE: May be shared within the Auto-ISAC Community.
Agenda
Time (ET) Topic
11:00Welcome
➢Purpose, Participants, and Engagement
11:05
Featured Speakers
➢Naomi Lefkovitz, Privacy Policy Advisor,
Information Technology Lab at the National
Institute of Standards and Technology, U.S.
Department of Commerce
11:45Around the Room
➢Sharing around the virtual room
11:55 Closing Remarks
Welcome
323 August 2019TLP WHITE: May be shared within the Auto-ISAC Community.
Welcome - Auto-ISAC Community Call!
Welcome
Purpose: These monthly Auto-ISAC Community Meetings are an
opportunity for you, our Members & connected vehicle ecosystem
partners, to:
✓ Stay informed of Auto-ISAC activities
✓ Share information on key vehicle cybersecurity topics
✓ Learn about exciting initiatives within the automotive
community from our featured speakers
Participants: Auto-ISAC Members, Potential Members, Partners,
Academia, Industry Stakeholders, and Government Agencies
Classification Level: TLP GREEN: may be shared within the Auto-
ISAC Community, and “off the record”
❖ Featured speakers are not endorsed by Auto-ISAC nor do the speakers
speak on behalf of Auto-ISAC
How to Connect: For further info, questions, or to add other POCs to
the invite, please contact Auto-ISAC Membership Engagement Lead Kim
Kalinyak ([email protected])
423 August 2019TLP WHITE: May be shared within the Auto-ISAC Community.
Welcome to Today’s Speaker
Featured Speaker
Abstract: Auto-ISAC invites you to join the National Institute of Standards and Technology (NIST) for a discussion on the Privacy
Framework, led by Naomi Lefkovitz (Senior Privacy Policy Advisor at NIST and Manager of the Privacy Engineering Program). NIST is
developing this voluntary framework, in collaboration with private and public sector stakeholders, to help organizations: better identify, assess,
manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust
in products and services. Join this discussion to share your input on the latest content in the evolving development of this tool, and to learn
about the process to date and how to become an early adopter.
Naomi Lefkovitz- is the Senior Privacy Policy Advisor in the Information
Technology Lab at the National Institute of Standards and Technology, U.S.
Department of Commerce. She leads the privacy engineering program, which
focuses on developing privacy risk management processes and integrating
solutions for protecting individuals’ privacy into information technologies,
including digital identity services, IoT, smart cities, big data, mobile, and
artificial intelligence. She also leads the development team for the NIST
Privacy Framework. FierceGovernmentIT named Ms. Lefkovitz on their 2013
“Fierce15” list of the most forward-thinking people working within government
information technology, and she is a 2014 and 2018 Federal 100 Awards
winner. Before joining NIST, she was the Director for Privacy and Civil Liberties
in the Cybersecurity Directorate of the National Security Council in the
Executive Office of the President. Her portfolio included the National Strategy
for Trusted Identities in Cyberspace as well as addressing the privacy and civil
liberties impact of the Obama Administration’s cybersecurity initiatives and
programs. Prior to her tenure in the Obama Administration, Ms. Lefkovitz was a
senior attorney with the Division of Privacy and Identity Protection at the
Federal Trade Commission. Her responsibilities focused primarily on policy
matters, including legislation, rulemakings, and business and consumer
education in the areas of identity theft, data security and privacy. At the outset
of her career, she was Assistant General Counsel at CDnow, Inc., an early
online music retailer. Ms. Lefkovitz holds a B.A. with honors in French
Literature from Bryn Mawr College and a J.D. with honors from Temple
University School of Law.
NIST Privacy Framework8.28.2019
Process to Date
Feedback encouraged and promoted throughout the process
ONGOI NG ENGA GEMENT
October 16, 2018
Austin, TX
November 14, 2018 –
January 14, 2019
February 27, 2019
April 30, 2019
May 13-14, 2019
Atlanta, GA
July 8-9, 2019
Boise, ID
June 26, 2019
Workshop #1
Request for Information
(RFI)
RFI Analysis & Framework
Outline
Framework Discussion
Draft
Workshop #2
Workshop #3
Supplemental Materials
Purpose, value, & scope
Relationship Between Cybersecurity and Privacy Risk
Cybersecurit
y Risks
Privacy
Risks
arise from
unauthorized
activity
arise as a
byproduct of
authorized data
processing
data
security
(including
unauthorized
use &
disclosure)
Data: A representation of information, including digital and non-digital formats, with the potential for adverse consequences for individuals when processed
Data Action: A system/product/service operation that processes data
Data Processing: An operation or set of operations performed upon data across the full data life cycle, including but not limited to collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal
Privacy Risk: The likelihood that individuals will experience problems resulting from data processing, and the impact should they occur
Privacy Risk and Organizational Risk
Problem Individual
arises from
data
processing
experiences
direct impact(e.g., embarrassment,
economic loss)
Organization
experiences secondary
impact(e.g., customer
abandonment,
noncompliance costs, harm to
reputation)
Privacy Framework Value
Organizations can use the Privacy Framework for:
• Shared lexicon
• Making ethical decisions when designing or deploying
products and services
• Avoiding losses of trust that damage reputations and
can slow adoption or cause abandonment of
products and services.
Risk-based & flexible
Privacy & Cybersecurity Framework Alignment
Core provides an increasingly granular set of
activities and outcomes that enable an
organizational dialogue about managing privacy risk
Profiles are a selection of specific Functions,
Categories, and Subcategories from the Core that
the organization has prioritized to help it manage
privacy riskCURRENT
TARGET
Implementation Tiers how an organization views
privacy risk and whether it has sufficient processes
and resources in place to manage that risk and
achieve its Target Profile
CATEGORIES SUBCATEGORIESFUNCTION
CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
CT.DM-P4: Data elements can be accessed for deletion.
CT.DM-P5: Data are transmitted using standardized formats.
Data Management (CT.DM-P): Data are managed consistent with the organization's risk strategy to protect individuals’ privacy and increase manageability and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).
Example from the Core
PROTECT
RECOVERDETECT RESPOND
COMMUNICATECONTROL
IDENTIFY GOVERNIDENTIFY GOVERN
PROTECT CONTROL COMMUNICATE
RESPONDDETECT RECOVER
Separated CoreIntegrated Core
Two Proposed Cores
Flexible Implementation
Not a checklist: organizations may not need to achieve every outcome or activity reflected in the Core
Partial achievement: organizations are not obligated to achieve an outcome in its entirety
Bundling: organizations may need to consider multiple outcomes in combination to appropriately manage privacy risk
Order: table format of Core is not intended to suggest an implementation order or degree of importance
Accessibility & efficacy for bridging communication
gaps
Finding Yourself in the Core
Cross-functional Collaboration
• Organizational or industry sector goals
• Legal/regulatory requirements & industry best practices
• Organization’s risk management priorities
• Privacy needs of individuals
CURRENT PROFILECORE TARGET PROFILE
Identify-P
Govern-P
Control-P
Communicate-P
Protect-P
Identify-P
Govern-P
Protect-P
Identify-P
Govern-P
Control-P
Communicate-P
Protect-P
Hypothetical Partial Profile
GovernGovernance
Processes and Procedures
GV.PP-P5: Legal, regulatory, and
contractual requirements...
CT.DM-P1: Data elements can be
accessed for review.
Identity Management,
Authentication, and Access Control
CT.DM-P4: Data elements can be
accessed for deletion.
PR.DP-P6: Data are destroyed
according to policy.
CT.DM-P6: Metadata containing processing
permissions...
ID.DE-P3: Contracts with data processing
ecosystem parties are used...
Identify
Inventory and Mapping
ID.IM-P8: Data processing is mapped...
Risk Assessment
PR.PP-P1: Data are processed in an unobservable or
unlinkable manner.Key:
Current Profile
Target Profile
Gap areas & needs
Laying the Groundwork for the Future
Seeking to improve and overcome challenges around:
• Mechanisms to provide confidence
• Emerging technologies
• Privacy risk assessment
• Privacy workforce
• Re-identification risk
• Technical standards
Adopt me!
• Trial run – share insights as feedback
• V1 use pledge – lead on privacy
• NIST repository – provide use cases and informative references
Resources
Website
https://www.nist.gov/privacyframework
Mailing List
https://groups.google.com/a/list.nist.gov/forum/#!forum/privacyframework
Contact Us
@NISTcyber #PrivacyFramework
2423 August 2019TLP WHITE: May be shared within the Auto-ISAC Community.
Open Discussion
Around the Room
Any questions about the
Auto-ISAC or future topics
for discussion?
25
Save the Date!
Auto-ISAC 2019 Automotive Cybersecurity Summit
“The Auto-ISAC summit provides a unique experience to learn about
automotive cybersecurity information sharing, collaboration, and
organization. The ISAC summit fills a gap among automotive cybersecurity
workshops and ideally complements more technical workshops such as
escar.” – Summit Attendee
October 23-24, 2019 in Plano, Texas
https://www.automotiveisac.com/auto-isac-summit/
2623 August 2019TLP WHITE: May be shared within the Auto-ISAC Community.
Our contact info
Faye FrancyExecutive Director
20 F Street NW, Suite 700
Washington, DC 20001
703-861-5417
Kim KalinyakMembership Engagement
Lead
20 F Street NW, Suite 700
Washington, DC 20001
240-422-9008
Josh PosterProgram Operations
Manager
20 F Street NW, Suite 700
Washington, DC 20001
Jessica EttsSenior Intel Coordinator
20 F Street NW, Suite 700
Washington, DC 20001