Bohemia Ballroom 07 Dec 2017 14:00 - 15:00

Effective cyber threat intelligence sharing requires not only standardized structured information representation and transport mechanisms, but also actionable content and a context in which that content can be rapidly put to use. This in turn means that organizations considering participation in the CTI infrastructure must have a definitive understanding of the assets (data, people, applications, systems) that they must protect and the levels of risk associated with cyber attacks on particular assets.

From that understanding, business owners can make informed decisions about: the levels of sensitivity and priorities associated with particular assets; the threat landscape impacting those assets; potential vulnerabilities; and the business process and technical controls and associated functionality needed to manage cyber risks. The vendor and internal security analysts supporting these organizations then have the information needed to focus on the specific targets of the attacks and take steps to deploy defenses more accurately and quickly.

Such an understanding is mandatory. Without it, organizations cannot adequately assess the costs and benefits of making investments in cyber security eco-systems and will not have the information necessary to understand the consequences of attacks on their assets. A key component of this is a rigorous analysis, including the mapping of systems and applications and their data against data protection policies. But in today’s networked, cloud-based, and integrated data environments, and with the huge growth of IoT, the work required to conduct and deliver such analysis is an order of magnitude greater than ever undertaken before.

Beyond this challenge, cyber security professionals will have significantly greater regulatory responsibilities beginning in May 2018 when the EU General Data Protection Regulation (GDPR) comes into force. The scope of this regulation is very broad, impacting organizations internationally that hold the personal information of EU residents. This would potentially include personally identifiable information (PII) shared for cyber security purposes. And so with the GDPR’s transition to operational compliance in 2018, cyber security professionals engaged in information/intelligence sharing will need to understand and address data protection policies, requirements and controls required by the GDPR.

Further, effective cyber security threat information sharing, particularly with respect to exploit targets, campaigns, and incidents, will require a deeper understanding of data privacy and more attention to “non-traditional” vulnerabilities, threats and risks. For example, the GDPR’s clarification of data controller and data processor responsibilities and its introduction of new requirements such as the right of erasure, granular consent management, and data protection by design enlarge the risk management space for security and privacy officers, practitioners and business owners. An effective cyber threat information ecosystem must incorporate.

This panel will provide practical insights that can assist cyber security practitioners in applying a model- and use-case-based analytic methodology developed by the OASIS Privacy Management Reference Model (PMRM) technical committee. The methodology makes visible the PII that must be protected in specific systems and applications; the data privacy risks that must be managed; the security and privacy requirements, controls and functionality necessary to deliver compliant data protection; and the risks associated with failures and/or attacks on that functionality.

This panel will provide actionable insights into:

  • Security, Privacy and Data Protection by Design: why “traditional” security paradigms are not sufficient to ensure effective data protection risk management.
  • Data discovery and mapping, bringing PII under control: a methodology for finding and managing the personal data an organization receives, processes, stores, shares, transfers and retires.
  • GDPR: what are its implications for understanding targets of attack and data protection risks?
  • How the GDPR’s mandates, such as granular consent, the “right of erasure,” and shared responsibility across controller and processor domains, require a new understanding of effective cyber security information sharing.
  • How the OASIS Privacy Management Reference Model and Methodology (PMRM) and the proposed open source tool can support organizations considering using or participating in cyber threat intelligence sharing.
  • The PMRM methodology: why a comprehensive use-case data protection/privacy management analysis is essential for cyber security professionals.
  • Implementation: a practical use case demonstrating the application of the PMRM methodology in a government system and the value of a privacy management analysis for addressing the complexity of networked applications, systems, and technical/regulatory boundaries.
  • Tools: an introduction to the OASIS PMRM Open Source Tool project.

Toolset Project
Principal Software Engineer
OASIS open standards board
Chair, PMRM Technical Committee