SESSION ID: LAB4-R08
Privacy Engineering Demystified – You too can be a Privacy Engineer

Michele D. Guel, Distinguished Engineer, Security Business Group, Cisco, @MicheleDGuel
Deepika Gupta, Security Architect/Technical Leader, Security & Trust Organization, Cisco, @deepika00gupta
Khadija Amin, Cloud Security Architect, Collaboration Security, Cisco, @khadijamin
#RSAC

Workshop Flow
• Facilitator intro
• Table set-up & Handouts
• Ice Breaker Activity
• Privacy Engineering Foundations
• Class Exercises (5)
• Class Discussion & Wrap

Ice Breaker Activity (5 minutes)
• Introduce yourself and share one of your favorite and trusted mobile apps you use on a regular basis.
• Provide one example of personal information you have provided to this app.
• Discuss why you trust the app to protect your information.
• Pick first person to lead (we’ll rotate clockwise as we go through exercises).

The basics of Privacy Engineering

Foundational Terminology
GDPR, GAPP, CCPA, Privacy Policy, Data Controller, Data Processing, Data Element, Data Owner, Data Steward, …others
See table handout for definitions.

The privacy landscape has changed … and so must our design processes
• 1980: OECD Guidelines
• 1995: European Union Data Directive (Baby GDPR)
• 1995+: Privacy By Design
• 2011: Privacy by Redesign
• 2013: Updated OECD Guidelines
• 2018: General Data Protection Regulation (GDPR)
• 2020: California Consumer Privacy Protection (CCPA)
• Beyond 2020: More to come

The Impact of GDPR…
• 1998 EUDR: Baby Shark Bite
• 2018 GDPR: Megalodon Shark Chomp

Need more motivation?

Class Discussion: Share some examples of design flaws that may lead to regulatory fines.
Security and Privacy Differences
• Security: Confidentiality, Integrity, Availability
• Privacy: Legal Basis, Data Context, Data Minimization, Individual Rights, Transparency, Collection/Use Limitations, Proportionality
• Security and Privacy (overlap): Protection of personal information

What is Privacy Engineering?
“A methodology to design, build, and manage “things” that process PII in a manner that provides appropriate levels of privacy throughout the lifecycle of the data that is processed.”

Privacy Engineering as part of the secure development lifecycle

Plan
• Scope the data
• Identify privacy policy
• Identify requirements
• Write user stories

Develop
• Identify risk, threat and vulnerabilities
• Determine and embed PEP and PETs
• Begin PIA and update as needed

Validate
• Validate controls through testing.
• Update PIA if needed
• Develop Privacy Data Sheet

Launch
• Publish Privacy Data Sheet
• Update Privacy Policy if needed

Operate
• Operationalize privacy controls

Monitor
• Privacy policy
• Privacy requirements
• Privacy controls
• Review & update with required remediation
• Monitor for changes in privacy regulation

Privacy Engineering “Framework”
The technical architecture and controls should address the following areas:
• Data Context
• Security
• Legal Basis
• Transparency
• Accountability and Operational Requirements
• Use Limitations
• Collection Limitations
• Data Minimization
• Onward Transfer
• Retention and Deletion
• Proportionality
• Individual Rights

Use Case Overview and Class Exercises

Use Case Overview – HealthyAndFreshForU App
• Health food ordering mobile application.
• Subscribe to multiple health food markets and fast (but healthy) food restaurants.
• Requires registration and profile creation.
• Customize your profile based on dietary goals, favorite foods and dietary or allergy restrictions.

Basic Application Requirements
Authenticated login (username/password).
Profile must contain:
– Full name, email address and mobile contact number
Profile may contain:
– DOB, food favorites, food allergy information, dietary restrictions, billing address, credit card information, preferred food providers, preferred delivery vendor, repeat order information
Each order must specify:
– Mobile phone, delivery address, credit card information, name of person to receive order.
User must choose email or txt for receipt.

Workshop Exercises – Focus on first two phases
Plan Phase:
– Exercise 1: Scope the data and write the data inventory
– Exercise 2: Review use case diagram & develop requirements
– Exercise 3: Create user stories
Develo

PDF document: 2020_USA20_LAB4-R08_01_Privacy-Engineering-Demystified-You-Too-Can-Be-a-Privacy-Engineer

This document was uploaded and shared by 张玉竹 on 2022-04-08 09:59:36.