Difference between revisions of "Summit 2011 Working Sessions/Session073"

From OWASP
Jump to: navigation, search
(Mialing list property set to http://www.owasp.org/index.php/Talk:Summit_2011_Working_Sessions/Session073)
 
(15 intermediate revisions by 8 users not shown)
Line 2: Line 2:
 
|-
 
|-
  
| summit_session_attendee_name1 = Colin Watson
+
| summit_session_attendee_name1 = Matthew Chalmers
| summit_session_attendee_email1 =  
+
| summit_session_attendee_email1 = matthew.chalmers@owasp.org
| summit_session_attendee_company1= Watson Hall
+
| summit_session_attendee_username1 =  
 +
| summit_session_attendee_company1= [http://www.rockwellautomation.com/ http://www.rockwellautomation.com/lib/images/ralogo_web.gif]
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
  
 
| summit_session_attendee_name2 = Lorna Alamri
 
| summit_session_attendee_name2 = Lorna Alamri
 
| summit_session_attendee_email2 = lorna.alamri@owasp.org
 
| summit_session_attendee_email2 = lorna.alamri@owasp.org
 +
| summit_session_attendee_username2 =
 
| summit_session_attendee_company2=
 
| summit_session_attendee_company2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
Line 14: Line 16:
 
| summit_session_attendee_name3 = Achim Hoffmann
 
| summit_session_attendee_name3 = Achim Hoffmann
 
| summit_session_attendee_email3 = achim@owasp.org
 
| summit_session_attendee_email3 = achim@owasp.org
 +
| summit_session_attendee_username3 = Achim
 
| summit_session_attendee_company3= sic[!]sec
 
| summit_session_attendee_company3= sic[!]sec
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3= see items at [[Talk:Summit_2011_Working_Sessions/Session023#Emphasise_.22S.22_of_OWASP | Overhauling OWASP website]] session
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3= see items at [[Talk:Summit_2011_Working_Sessions/Session023#Emphasise_.22S.22_of_OWASP | Overhauling OWASP website]] session
Line 19: Line 22:
 
| summit_session_attendee_name4 = Elke Roth-Mandutz
 
| summit_session_attendee_name4 = Elke Roth-Mandutz
 
| summit_session_attendee_email4 = elke.roth-mandutz@ohm-hochschule.de
 
| summit_session_attendee_email4 = elke.roth-mandutz@ohm-hochschule.de
 +
| summit_session_attendee_username4 =
 
| summit_session_attendee_company4= GSO-University of Applied Sciences
 
| summit_session_attendee_company4= GSO-University of Applied Sciences
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4= web privacy research project
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4= web privacy research project
  
| summit_session_attendee_name5 =  
+
| summit_session_attendee_name5 = David Campbell
| summit_session_attendee_email5 =  
+
| summit_session_attendee_email5 = dcampbell@owasp.org
| summit_session_attendee_company5=
+
| summit_session_attendee_username5 =  
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=
+
| summit_session_attendee_company5=  
 +
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=  
  
| summit_session_attendee_name6 =  
+
| summit_session_attendee_name6 = Abraham Kang
 
| summit_session_attendee_email6 =  
 
| summit_session_attendee_email6 =  
 +
| summit_session_attendee_username6 =
 
| summit_session_attendee_company6=
 
| summit_session_attendee_company6=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
Line 34: Line 40:
 
| summit_session_attendee_name7 =  
 
| summit_session_attendee_name7 =  
 
| summit_session_attendee_email7 =  
 
| summit_session_attendee_email7 =  
 +
| summit_session_attendee_username7 =
 
| summit_session_attendee_company7=
 
| summit_session_attendee_company7=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
Line 39: Line 46:
 
| summit_session_attendee_name8 =  
 
| summit_session_attendee_name8 =  
 
| summit_session_attendee_email8 =  
 
| summit_session_attendee_email8 =  
 +
| summit_session_attendee_username8 =
 
| summit_session_attendee_company8=
 
| summit_session_attendee_company8=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
Line 44: Line 52:
 
| summit_session_attendee_name9 =  
 
| summit_session_attendee_name9 =  
 
| summit_session_attendee_email9 =  
 
| summit_session_attendee_email9 =  
 +
| summit_session_attendee_username9 =
 
| summit_session_attendee_company9=
 
| summit_session_attendee_company9=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
Line 49: Line 58:
 
| summit_session_attendee_name10 =  
 
| summit_session_attendee_name10 =  
 
| summit_session_attendee_email10 =  
 
| summit_session_attendee_email10 =  
 +
| summit_session_attendee_username10 =
 
| summit_session_attendee_company10=
 
| summit_session_attendee_company10=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
Line 54: Line 64:
 
| summit_session_attendee_name11 =  
 
| summit_session_attendee_name11 =  
 
| summit_session_attendee_email11 =  
 
| summit_session_attendee_email11 =  
 +
| summit_session_attendee_username11 =
 
| summit_session_attendee_company11=
 
| summit_session_attendee_company11=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
Line 59: Line 70:
 
| summit_session_attendee_name12 =  
 
| summit_session_attendee_name12 =  
 
| summit_session_attendee_email12 =  
 
| summit_session_attendee_email12 =  
 +
| summit_session_attendee_username12 =
 
| summit_session_attendee_company12=
 
| summit_session_attendee_company12=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
Line 64: Line 76:
 
| summit_session_attendee_name13 =  
 
| summit_session_attendee_name13 =  
 
| summit_session_attendee_email13 =  
 
| summit_session_attendee_email13 =  
 +
| summit_session_attendee_username13 =
 
| summit_session_attendee_company13=
 
| summit_session_attendee_company13=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
Line 69: Line 82:
 
| summit_session_attendee_name14 =  
 
| summit_session_attendee_name14 =  
 
| summit_session_attendee_email14 =  
 
| summit_session_attendee_email14 =  
 +
| summit_session_attendee_username14 =
 
| summit_session_attendee_company14=
 
| summit_session_attendee_company14=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=  
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=  
Line 74: Line 88:
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_email15 =  
 
| summit_session_attendee_email15 =  
 +
| summit_session_attendee_username15 =
 
| summit_session_attendee_company15=
 
| summit_session_attendee_company15=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
Line 79: Line 94:
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_email16 =  
 
| summit_session_attendee_email16 =  
 +
| summit_session_attendee_username16 =
 
| summit_session_attendee_company16=
 
| summit_session_attendee_company16=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
Line 84: Line 100:
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_email17 =  
 
| summit_session_attendee_email17 =  
 +
| summit_session_attendee_username17 =
 
| summit_session_attendee_company17=
 
| summit_session_attendee_company17=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
Line 89: Line 106:
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_email18 =  
 
| summit_session_attendee_email18 =  
 +
| summit_session_attendee_username18 =
 
| summit_session_attendee_company18=
 
| summit_session_attendee_company18=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
Line 94: Line 112:
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_email19 =  
 
| summit_session_attendee_email19 =  
 +
| summit_session_attendee_username19 =
 
| summit_session_attendee_company19=
 
| summit_session_attendee_company19=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
Line 99: Line 118:
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_email20 =  
 
| summit_session_attendee_email20 =  
 +
| summit_session_attendee_username20 =
 
| summit_session_attendee_company20=
 
| summit_session_attendee_company20=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
Line 107: Line 127:
 
| summit_session_name = Privacy - Personal Data/PII, Legislation and OWASP
 
| summit_session_name = Privacy - Personal Data/PII, Legislation and OWASP
 
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session073
 
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session073
| mailing_list =
+
| mailing_list = Please use discussion page http://www.owasp.org/index.php/Talk:Summit_2011_Working_Sessions/Session073
  
 
|-
 
|-
Line 116: Line 136:
  
 
Privacy is a growing area of concern in the US, and might have greater awareness & understanding in the EU than security.  Should OWASP say more about protecting personal data? Security is just one aspect of data protection, but many data breaches have been the result of application vulnerabilities.
 
Privacy is a growing area of concern in the US, and might have greater awareness & understanding in the EU than security.  Should OWASP say more about protecting personal data? Security is just one aspect of data protection, but many data breaches have been the result of application vulnerabilities.
 +
 +
This session will begin by working through [http://www.owasp.org/index.php/Industry:FTC_Protecting_Consumer_Privacy#Draft_Text_version_2 OWASP's draft response] to the FTC's staff report "Protecting Consumer Privacy in an Era of Rapid Change - A Framework for Businesses and Policymakers" to complete it and use this as a way to draw out ideas.
  
 
This session will be useful for project leaders, as well as anyone in sectors collecting, processing or storing personal data (e.g. of consumers, citizens and employees).
 
This session will be useful for project leaders, as well as anyone in sectors collecting, processing or storing personal data (e.g. of consumers, citizens and employees).
Line 138: Line 160:
 
|-
 
|-
  
| summit_session_objective_name1= Discuss whether OWASP needs to be more proactive about privacy
+
| summit_session_objective_name1= Identify privacy enhancing & verification aspects of existing tools and documents
  
| summit_session_objective_name2 = Define how we build privacy matters into existing tools and resources
+
| summit_session_objective_name2 = Create a one-page OWASP projects-to-privacy cross reference factsheet
  
| summit_session_objective_name3 = Identify gaps
+
| summit_session_objective_name3 =  
  
 
| summit_session_objective_name4 =  
 
| summit_session_objective_name4 =  
Line 162: Line 184:
 
|-
 
|-
  
| working_session_additional_details = The protection of personal data has been an important concern of organisations, especuially in Europe where European legislation has driven continent-wide adoption.  In North America, the US HIPAA and Canadian Privacy Act have driven privacy initiatives.  With the adoption of principles and processes such as "privacy by design", "privacy impact assessments" and "building privacy in", backed with strong regulation, organizations are having to make privacy a central part of their business practices.  Growing public concern about use of their personal data, mis-use by organizations and personal data breaches are leading to increased, rather than decreased government intervention in this area.  Privacy issues are nothing new, but some more recent examples are:
+
| working_session_additional_details = The protection of personal data has been an important concern of organisations, especuially in Europe where European legislation has driven continent-wide adoption.  In North America, the US HIPAA and Canadian Privacy Act have driven privacy initiatives.  With the adoption of principles and processes such as "privacy by design", "privacy impact assessments" and "building privacy in", backed with strong regulation, organizations are having to make privacy a central part of their business practices.  Growing public concern about use of their personal data, mis-use by organizations and personal data breaches are leading to increased, rather than decreased government intervention in this area.  Individuals themselves are more aware of their powers and there are growing trends such as vendor relationship management, where organisations need to take an external, rather than internal, viewpoint.  Privacy issues are nothing new, but some more recent examples are:
  
 
* [http://www.ftc.gov/opa/2010/12/privacyreport.shtm US Federal Trade Commission (FTC) Preliminary Staff Report on Privacy], 12 December 2010
 
* [http://www.ftc.gov/opa/2010/12/privacyreport.shtm US Federal Trade Commission (FTC) Preliminary Staff Report on Privacy], 12 December 2010
Line 168: Line 190:
 
* [http://news.cnet.com/8301-31921_3-20025950-281.html?part=rss&subj=news&tag=2547-1_3-0-20  Members Appointed to US Privacy and Civil Liberties Oversight Board], 16 December 2010  
 
* [http://news.cnet.com/8301-31921_3-20025950-281.html?part=rss&subj=news&tag=2547-1_3-0-20  Members Appointed to US Privacy and Civil Liberties Oversight Board], 16 December 2010  
 
* [http://www.commerce.gov/news/press-releases/2010/12/16/commerce-department-unveils-policy-framework-protecting-consumer-privUS Department of Commerce Publishes Green Paper Recommending Creation of a Privacy 'Bill of Rights' for Internet Users], 16 December 2010   
 
* [http://www.commerce.gov/news/press-releases/2010/12/16/commerce-department-unveils-policy-framework-protecting-consumer-privUS Department of Commerce Publishes Green Paper Recommending Creation of a Privacy 'Bill of Rights' for Internet Users], 16 December 2010   
 +
* [http://www.huntonprivacyblog.com/2011/01/articles/european-union-1/department-of-commerce-official-holds-briefing-on-eu-data-protection-forum/index.html Department of Commerce Official Holds Briefing on EU Data Protection Forum], 11 January 2011
  
 
Can we map projects (tools and sections in resources) to business drivers such as "privacy"?
 
Can we map projects (tools and sections in resources) to business drivers such as "privacy"?
  
Privacy aspects are referred to through the wiki (including projects):
+
Privacy aspects are referred to through the OWASP wiki (including projects):
  
 
[[File:Owasp-org-privacy-counts.png]]
 
[[File:Owasp-org-privacy-counts.png]]
Line 183: Line 206:
 
|-
 
|-
  
|summit_session_deliverable_name1 =  
+
|summit_session_deliverable_name1 = Complete and approve OWASP's response to the FTC's staff report "Protecting Consumer Privacy in an Era of Rapid Change - A Framework for Businesses and Policymakers"
|summit_session_deliverable_url_1 =
+
  
|summit_session_deliverable_name2 =  
+
|summit_session_deliverable_name2 = A white paper discussing how the privacy ecosystem overlaps with the OWASP ecosystem and whether there should be more bridges built between them.
|summit_session_deliverable_url_2 =
+
  
 
|summit_session_deliverable_name3 =  
 
|summit_session_deliverable_name3 =  
|summit_session_deliverable_url_3 =
 
  
 
|summit_session_deliverable_name4 =  
 
|summit_session_deliverable_name4 =  
|summit_session_deliverable_url_4 =
 
  
 
|summit_session_deliverable_name5 =  
 
|summit_session_deliverable_name5 =  
|summit_session_deliverable_url_5 =  
+
 
 +
|summit_session_deliverable_name6 =
 +
 
 +
|summit_session_deliverable_name7 =
 +
 
 +
|summit_session_deliverable_name8 =
  
 
|-
 
|-
  
 
| summit_session_leader_name1 = Colin Watson
 
| summit_session_leader_name1 = Colin Watson
| summit_session_leader_email1 = colin.watson(at)owasp.org
+
| summit_session_leader_email1 =  
  
 
| summit_session_leader_name2 =  
 
| summit_session_leader_name2 =  
 
| summit_session_leader_email2 =  
 
| summit_session_leader_email2 =  
 +
| summit_session_leader_username2 =
  
 
| summit_session_leader_name3 =  
 
| summit_session_leader_name3 =  
 
| summit_session_leader_email3 =  
 
| summit_session_leader_email3 =  
 +
| summit_session_leader_username3 =
 
|-
 
|-
  
 
| operational_leader_name1 =
 
| operational_leader_name1 =
 
| operational_leader_email1 =
 
| operational_leader_email1 =
 +
| operational_leader_username1 =
  
 
|-
 
|-

Latest revision as of 07:06, 5 March 2011

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. owasp.jpg Privacy - Personal Data/PII, Legislation and OWASP
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Short Work Session Description Banner-privacypush-1.png

Privacy is a growing area of concern in the US, and might have greater awareness & understanding in the EU than security. Should OWASP say more about protecting personal data? Security is just one aspect of data protection, but many data breaches have been the result of application vulnerabilities.

This session will begin by working through OWASP's draft response to the FTC's staff report "Protecting Consumer Privacy in an Era of Rapid Change - A Framework for Businesses and Policymakers" to complete it and use this as a way to draw out ideas.

This session will be useful for project leaders, as well as anyone in sectors collecting, processing or storing personal data (e.g. of consumers, citizens and employees).

Related Projects (if any)


Email Contacts & Roles Chair
Colin Watson

Operational Manager
Mailing list
Please use discussion page http://www.owasp.org/index.php/Talk:Summit_2011_Working_Sessions/Session073
WORKING SESSION SPECIFICS
Objectives
  1. Identify privacy enhancing & verification aspects of existing tools and documents
  2. Create a one-page OWASP projects-to-privacy cross reference factsheet

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011
Date & Time


Discussion Model
participants and attendees

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS
The protection of personal data has been an important concern of organisations, especuially in Europe where European legislation has driven continent-wide adoption. In North America, the US HIPAA and Canadian Privacy Act have driven privacy initiatives. With the adoption of principles and processes such as "privacy by design", "privacy impact assessments" and "building privacy in", backed with strong regulation, organizations are having to make privacy a central part of their business practices. Growing public concern about use of their personal data, mis-use by organizations and personal data breaches are leading to increased, rather than decreased government intervention in this area. Individuals themselves are more aware of their powers and there are growing trends such as vendor relationship management, where organisations need to take an external, rather than internal, viewpoint. Privacy issues are nothing new, but some more recent examples are:

Can we map projects (tools and sections in resources) to business drivers such as "privacy"?

Privacy aspects are referred to through the OWASP wiki (including projects):

Owasp-org-privacy-counts.png

But there is not any central guide, and perhaps what there is, does not have enough depth. ASVS includes a whole verification topic about data protection and the ASDR has a page on privacy as a "vulnerability". The OWASP Top ten 2010 mentions personal data in the context of insecure cryptographic storage, but privacy protection is of course much wider than encrypting data. It is of course much wider than application security:

Privacy-context.png

But is OWASP offering the correct guidance in this area? Should OWASP be doing more?

WORKING SESSION OUTCOMES / DELIVERABLES
Proposed by Working Group Approved by OWASP Board

Complete and approve OWASP's response to the FTC's staff report "Protecting Consumer Privacy in an Era of Rapid Change - A Framework for Businesses and Policymakers"

After the Board Meeting - fill in here.

A white paper discussing how the privacy ecosystem overlaps with the OWASP ecosystem and whether there should be more bridges built between them.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
Matthew Chalmers @
ralogo_web.gif

Lorna Alamri @


Achim Hoffmann @
sic[!]sec
see items at Overhauling OWASP website session
Elke Roth-Mandutz @
GSO-University of Applied Sciences
web privacy research project
David Campbell @


Abraham Kang