EnCoRe: Towards a Holistic Approach to Privacy

by Nick Papanikolaou, Sadie Creese, Michael Goldsmith, Marco Casassa Mont, Siani Pearson
Abstract:
Privacy requirements for IT systems and solutions arise from a variety of sources, including legislation, sector-specific regulation, organisational guidelines, social and user expectations. In this paper we present and discuss a holistic approach to the management of privacy – explored in the context of the EnCoRe project – which takes into account the need to deal with these different types of policies, at different levels of abstraction as well as risk assessment methods to assess them based on specific threats, needs and constraints. We discuss examples of privacy requirements and related policies coming from different sources. We then present how a privacy-aware risk assessment approach (which leverages and extends traditional security-driven risk assessment approaches) can be used to analyse these policies, assess their compliance to requirements, identify gaps and mandate the adoption of specific controls. We explain its relevance and implications in an employee data case study, involving the management of privacy consent and revocation. This is work in progress, carried out in the context of the EnCoRe collaborative project.
Reference:
EnCoRe: Towards a Holistic Approach to Privacy (Nick Papanikolaou, Sadie Creese, Michael Goldsmith, Marco Casassa Mont, Siani Pearson), In Proceedings of International Conference on Security and Cryptography (SECRYPT 2010), 2010.
Bibtex Entry:
@INPROCEEDINGS{Papanikolaou2010d,
  author = {Nick Papanikolaou and Sadie Creese and Michael Goldsmith and Marco
	{Casassa Mont} and Siani Pearson},
  title = {{EnCoRe}: Towards a Holistic Approach to Privacy},
  booktitle = {Proceedings of International Conference on Security and Cryptography
	(SECRYPT 2010)},
  year = {2010},
  address = {Athens, Greece},
  month = jul,
  abstract = {Privacy requirements for IT systems and solutions arise from a variety
	of sources, including legislation, sector-specific regulation, organisational
	guidelines, social and user expectations. In this paper we present
	and discuss a holistic approach to the management of privacy - explored
	in the context of the EnCoRe project - which takes into account the
	need to deal with these different types of policies, at different
	levels of abstraction as well as risk assessment methods to assess
	them based on specific threats, needs and constraints. We discuss
	examples of privacy requirements and related policies coming from
	different sources. We then present how a privacy-aware risk assessment
	approach (which leverages and extends traditional security-driven
	risk assessment approaches) can be used to analyse these policies,
	assess their compliance to requirements, identify gaps and mandate
	the adoption of specific controls. We explain its relevance and implications
	in an employee data case study, involving the management of privacy
	consent and revocation. This is work in progress, carried out in
	the context of the EnCoRe collaborative project.},
  owner = {Nick},
  timestamp = {2010.06.20},
  url = {../files/ieee-secrypt.pdf}
}