The Inner Circle

Expand all | Collapse all

Privacy for Security Professionals Survey

  • 1.  Privacy for Security Professionals Survey

    Posted Nov 25, 2020 01:19:00 PM
    Hi All,

    Cloud Security Alliance continues to work diligently to determine how we can add maximum value to addressing privacy issues without being duplicative of other groups and efforts. A working thesis is that we can provide the most benefit by contextualizing privacy issues for cybersecurity professionals. We would like to consult with you about a CSA initiative in this light. It is intended to help bridge the gap between security pros and privacy pros.

    Organizations are increasingly spending significant time on privacy compliance issues. In a single organization, privacy pros and security pros may be tasked with implementing the same requirements for the same product, within the same deadline. They are likely to work on that assignment from a different angle, and with different objectives. There may be occasional frustrations when their methods or priorities appear incompatible.

    We have designed a "Privacy for Security Pros" dictionary to help technologists better understand the perspective and constraints of their privacy colleagues.

    This Privacy for Security Pros Dictionary is intended to help illustrate the objectives underlying dense privacy laws, and communicate in a pragmatic manner the potential role of IT or security pros in helping their organization meet these compliance objectives.

    This document is not a compliance tool, a guide or an exhaustive analysis of any specific data protection law or regulation. It is not intended to provide a checklist, a compilation of best practices, or other form of guidance for ensuring compliance with any privacy or data protection law.

    Our goal in requesting your comments is to hear your reactions, understand whether this dictionary could be of use to our profession, and if not, collect your suggestions on whether different tool might be more useful to improve communications between technologists and their privacy colleagues.

    1. Please review our Privacy - Security Dictionary here
    2. Then, take our survey to provide your comments here

    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA

  • 2.  RE: Privacy for Security Professionals Survey

    Posted Nov 26, 2020 08:38:00 AM
    I agree with the need to conceptualize privacy issues. IEEE P7005 did this with generic informative use cases to illustrate examples of how to implement the normative requirements. P7005 "Employer data governance" will be submitted for ballot in January 2021. The generic use cases used model-based systems engineering (MBSE) implemented by OMG's SysML language to develop the use cases. The advantage of using MBSE is the results are well defined in terms of the problem domain specification of stakeholder needs, use cases, system context, and measures of effectiveness.

    Using this black-box approach we had the base to examine in more detailed internal workings of the functions to develop a logical architecture and exposing the requirements for interfaces and measures of effectiveness for subsystems. This white-box approach provided the means to expose the normative system requirements supported by analysis of system behavior and system structure for candidate use case solutions.

    There are many excellent MBSE commercial tools available.  P7005 selected No Magics' Cameo tool suite because it provided an excellent graphical capability to ensure a coherent and consistent representation of all views.

    Dennis Holstein
    Managing Director * CEO
    OPUS Consulting Group