Really good reference item, Rich. I'll include it in the new revised version of the ETSI TC CYBER Threat Sharing Technical Report, TR 103 331. It might also be worth considering whether these related privacy filtering functions might be imported as a work item in TC CTI to meet the requirements of the Cybersecurity Act of 2015. The attached slide excises out those requirements. A similar requirement exists in the EU NISD, and having a common filtering specification would be helpful. The OASIS publication of this material as a specification could facilitate its use globally.

--tony

On 2016-05-11 8:55 AM, Struse, Richard wrote:

The DHS NPPD Privacy Office has done extensive work on this area in support of our Automated Indicator Initiative (AIS) - https://www.us-cert.gov/ais . In addition to a formal Privacy Impact Assessment (PIA) - https://www.us-cert.gov/sites/default/files/ais_files/PIA_NPPD-AIS.pdf , this has included a data-element-level analysis of potential PII concerns.

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Modlin, Julie K.
Sent: Wednesday, May 11, 2016 8:27 AM
To: 'cti@lists.oasis-open.org'
Cc: Rick Howard <rhoward@paloaltonetworks.com> (rhoward@paloaltonetworks.com); salgeier@it-isac.org
Subject: [cti] ISAO Privacy and Security SWG

CTI TC STIX/TAXII Community,

The Information Sharing and Analysis Organizations (ISAO) Working Group Sub-working Group 4 (SWG4) on Privacy and Security is drafting guidance documents for the emerging ISAO Community. They requested that we reach out to the STIX/TAXII community for information on whether some STIX fields are at a higher risk of containing personal information (privacy risk) or containing information that might pose a security risk (e.g., expose network details that might be taken advantage of). If there are any summaries of security and privacy risks that may have been discussed during the development of STIX and TAXII, they would also be useful. The SWG4 draft documents are available for direct review and comment (https://www.isao.org/products/drafts/), but I am happy to gather thoughts from the CTI TC list and submit them to the SWG.

Thanks so much,

Julie Modlin
Enhance Shared Situational Awareness (ESSA) Systems Engineering Team
Johns Hopkins Applied Physics Laboratory
MP6-S324
443-778-6989 / Baltimore
240-228-6989 / Washington
Office hours: 8:00 to 2:00 Mon - Thur

Attachment: _cybersecurity_act_reference-model_1.1_privacy.pptx
Description: application/vnd.openxmlformats-officedocument.presentationml.presentation