Assurance tool presentation for end users.

1.
Methods and Tools for GDPR Compliance through
Privacy and Data
Protection 4 Engineering
Methods and tools for
privacy and data protection
assurance
Tecnalia, UPM
10/03/2020

2. 2
Outline
➢Privacy and data protection assurance
❑ Problem and context
➢Proposed method
❑ GDPR modelling
❑ Assurance cases
❑ Evidence accountability
➢Tool support for the method
❑ Eclipse OpenCert
10/03/2020 2

3. 3
10/03/2020 3
GDPR
Article 5
Principles
relating to
processing of
personal data

4. 4
Methods and Tools for Assurance
A method to support the systematic capture,
traceability and argumentation of evidence so as
to demonstrate compliance with GDPR (and
comply with the principle of accountability), and
a tool to guide and partially automate that
method
10/03/2020 4

5. 5
Assurance - Definition
10/03/2020 5
Assurance grounds for confidence that the other four security
goals (integrity, availability, confidentiality, and accountability)
have been adequately met by a specific implementation.
“Adequately met” includes:
1
Functionality that performs correctly,
2
Sufficient protection against unintentional errors (by users or software),
and
3
Sufficient resistance to intentional penetration or by-pass.
[NIST Special Publication 800-27 Rev A]

6. 6
Problem and context
➢GDPR became mandatory in May 2018, but the legal approach is not enough, we
need to come along with technical measures.
❑How is GDPR translated into operational work items and activities for the development
project?
❑Do we have a method for systematic capture of evidences and their association with GDPR
derived requirements and artefacts?
❑How can we track evidence evolution?
❑Do we have a method to provide a clear argumentation about compliance?
10/03/2020 6

7. 7
Context
10/03/2020 7
(Independent )
Safety Assessment
Safety
Assessment
Certification
Liaison
Privacy
Assessment
(Independent)
Privacy Assessment

8. 7
Context
10/03/2020 7
Product Engineering
“Project”
Quality
Management
Implementation
Validation &
Verification
Design
(Independent )
Safety Assessment
Safety
Assessment
Certification
Liaison
Privacy
Assessment
(Independent)
Privacy Assessment

9. 7
Context
10/03/2020 7
Product Engineering
“Project”
Quality
Management
Implementation
Validation &
Verification
Design
(Independent )
Safety Assessment
Safety
Assessment
Certification
Liaison
Privacy
Assessment
(Independent)
Privacy Assessment
Standards & Regulations
Information Management
Interpretation
Standards
Specification

10. 7
Context
10/03/2020 7
Supplier Chain
Component
Release
Module Assurance
Case Development
Product Engineering
“Project”
Quality
Management
Implementation
Validation &
Verification
Design
(Independent )
Safety Assessment
Safety
Assessment
Certification
Liaison
Privacy
Assessment
(Independent)
Privacy Assessment
Standards & Regulations
Information Management
Interpretation
Standards
Specification

11. 7
Context
10/03/2020 7
Supplier Chain
Component
Release
Module Assurance
Case Development
Product Engineering
“Project”
Quality
Management
Implementation
Validation &
Verification
Design
(Independent )
Safety Assessment
Safety
Assessment
Certification
Liaison
Privacy
Assessment
(Independent)
Privacy Assessment
Assurance
“Project”
Assurance Case
Development
Evidence
Management Assurance Process
Management
Compliance
Management
Standards & Regulations
Information Management
Interpretation
Standards
Specification

12. 8
➢This is Alex. She is a system
engineer who works as the
technical lead in a company
➢She is NOT a lawyer and she finds
GDPR hard to interpret
➢She has identified 3 privacy related
standards:
❑ GDPR
❑ 27001
❑ NIST
➢What has PDP4E to offer for her
work?
8
10/03/2020

13. 9
Modelling standards
➢Modelling standards provides:
❑An unambiguous way to show the explicit process for standards compliance
❑A systematic way for the different roles to share the same view on standards compliance
❑Mappings between concepts and terminology between standards
❑Models to capture the context in which concepts apply in the standards
❑A way to see where things match, and also identify gaps
➢Main challenges behind
❑GDPR is not a technical standard developed by engineers but by lawyers
❑There is not an explicit process behind
❑Standards ecosystems
▪ Legal à GDPR
▪ Good practices à 27001
▪ Implementation standards à NIST
10/03/2020 9

14. 10
Assurance method concepts
➢Prescriptive Knowledge Management is the assurance area
concerned with the specification and handling of standards’
and normative information, as well as any other information
derived from or based on them (interpretations, tailoring,
mapping between standards, etc.) This is done by means of
reference assurance frameworks.
10/03/2020 10

15. 11
Assurance method concepts
➢Equivalence mappings
10/03/2020 11
RefFramework
Model
(e.g. GDPR)
Icon Element
Activity
Role
Artefact
Input (Artefact to Activity)
Output (Activity to Artefact)
Participation (Role to Activity)
Precedence (Activity to Activity)
N/A (box
within box)
Containment (Activity to Activity)
RefFramework
Model
(e.g. 27001)
Equivalence
Map Model
RefFramework
Model
(e.g. NIST)
Equivalence
Map Model
Regulation Modelling Equivalences Modelling

16. 11
Assurance method concepts
➢Equivalence mappings
10/03/2020 11
RefFramework
Model
(e.g. GDPR)
Icon Element
Activity
Role
Artefact
Input (Artefact to Activity)
Output (Activity to Artefact)
Participation (Role to Activity)
Precedence (Activity to Activity)
N/A (box
within box)
Containment (Activity to Activity)
RefFramework
Model
(e.g. 27001)
Equivalence
Map Model
RefFramework
Model
(e.g. NIST)
Equivalence
Map Model
Regulation Modelling Equivalences Modelling
➢Model Instantiation for a specific project

17. 11
Assurance method concepts
➢Equivalence mappings
10/03/2020 11
RefFramework
Model
(e.g. GDPR)
Icon Element
Activity
Role
Artefact
Input (Artefact to Activity)
Output (Activity to Artefact)
Participation (Role to Activity)
Precedence (Activity to Activity)
N/A (box
within box)
Containment (Activity to Activity)
RefFramework
Model
(e.g. 27001)
Equivalence
Map Model
RefFramework
Model
(e.g. NIST)
Equivalence
Map Model
Baseline
Model
(e.g. Smart Grid)
Baseline
Model
(e.g. Connected
vehicle)
Assurance Project (e.g. Smart Grids or Connected vehicle)
Regulation Modelling Equivalences Modelling
➢Model Instantiation for a specific project

18. 11
Assurance method concepts
➢Equivalence mappings
10/03/2020 11
RefFramework
Model
(e.g. GDPR)
Icon Element
Activity
Role
Artefact
Input (Artefact to Activity)
Output (Activity to Artefact)
Participation (Role to Activity)
Precedence (Activity to Activity)
N/A (box
within box)
Containment (Activity to Activity)
RefFramework
Model
(e.g. 27001)
Equivalence
Map Model
RefFramework
Model
(e.g. NIST)
Equivalence
Map Model
Baseline
Model
(e.g. Smart Grid)
Baseline
Model
(e.g. Connected
vehicle)
Assurance Project (e.g. Smart Grids or Connected vehicle)
Tailoring
(RefFramework subset)
Regulation Modelling Equivalences Modelling
➢Model Instantiation for a specific project

19. 11
Assurance method concepts
➢Equivalence mappings
10/03/2020 11
RefFramework
Model
(e.g. GDPR)
Icon Element
Activity
Role
Artefact
Input (Artefact to Activity)
Output (Activity to Artefact)
Participation (Role to Activity)
Precedence (Activity to Activity)
N/A (box
within box)
Containment (Activity to Activity)
RefFramework
Model
(e.g. 27001)
Equivalence
Map Model
RefFramework
Model
(e.g. NIST)
Equivalence
Map Model
Baseline
Model
(e.g. Smart Grid)
Baseline
Model
(e.g. Connected
vehicle)
Assurance Project (e.g. Smart Grids or Connected vehicle)
Tailoring
(RefFramework subset)
Tailoring
(RefFramework subset)
Regulation Modelling Equivalences Modelling
➢Model Instantiation for a specific project

20. 12
10/03/2020 12
➢Alex is part of a team
➢How can they provide justification for compliance?
➢How can they trace the evidences with the supporting requirements and the
proposed treatments to solve privacy concerns?
➢Is there a way to reproduce and systematize good practices for compliance
and the rationale behind?

21. 13
Assurance cases approach
➢Assurance cases were originally used to show that systems satisfied their safety-
critical properties. In this usage, they were (and are) called safety cases.
10/03/2020 13

22. 13
Assurance cases approach
➢Assurance cases were originally used to show that systems satisfied their safety-
critical properties. In this usage, they were (and are) called safety cases.
An assurance case consists of documented body of evidence that
provides a convincing and valid argument that a specified set of critical
claims regarding a system´s properties are adequately justified for a
given application in a given environment.
10/03/2020 13

23. 13
Assurance cases approach
➢Assurance cases were originally used to show that systems satisfied their safety-
critical properties. In this usage, they were (and are) called safety cases.
An assurance case consists of documented body of evidence that
provides a convincing and valid argument that a specified set of critical
claims regarding a system´s properties are adequately justified for a
given application in a given environment.
➢Main problems:
- It is easy to present long reports referencing evidences but with no real connection on how those
evidences relates with the safety requirements à lack of clarity
- Some times the reports offers argumentation without evidences that support it à unconvincing
- It is hard to inform third parties the rationale behind some developments
10/03/2020 13

24. 13
Assurance cases approach
➢Assurance cases were originally used to show that systems satisfied their safety-
critical properties. In this usage, they were (and are) called safety cases.
An assurance case consists of documented body of evidence that
provides a convincing and valid argument that a specified set of critical
claims regarding a system´s properties are adequately justified for a
given application in a given environment.
Assurance cases put in relation
evidences and objectives
➢Main problems:
- It is easy to present long reports referencing evidences but with no real connection on how those
evidences relates with the safety requirements à lack of clarity
- Some times the reports offers argumentation without evidences that support it à unconvincing
- It is hard to inform third parties the rationale behind some developments
10/03/2020 13

25. 14
Privacy argument fragment
➢Within the limits defined in [scope] the application [system description] is
privacy ensured because all identified threats [system threats] and requirements
[privacy requirements] have been addressed. Threats have been sufficiently
controlled and mitigated [Risk reduction measures] according to the privacy risk
exposure [Risk assessment]. Evidence [Privacy analysis/test] is provided that
demonstrated the effectiveness and sufficiency of these measures. Appropriate
roles, responsibilities and methods were defined throughout the development of
this system [Development process justification] [Privacy management system]
and defined future operation
10/03/2020 14

26. 14
Privacy argument fragment
➢Within the limits defined in [scope] the application [system description] is
privacy ensured because all identified threats [system threats] and requirements
[privacy requirements] have been addressed. Threats have been sufficiently
controlled and mitigated [Risk reduction measures] according to the privacy risk
exposure [Risk assessment]. Evidence [Privacy analysis/test] is provided that
demonstrated the effectiveness and sufficiency of these measures. Appropriate
roles, responsibilities and methods were defined throughout the development of
this system [Development process justification] [Privacy management system]
and defined future operation
10/03/2020 14

27. 15
Argument decomposition
10/03/2020 15
Context Goal
Strategy
Solution
Justification
J
Assumption
A
Solved by
In the context of
Graphical notation GSN

28. 16
10/03/2020 16

29. 16
10/03/2020 16
Security Requirements & Objectives

30. 16
10/03/2020 16
Security Requirements & Objectives
Security Evidence

31. 16
10/03/2020 16
Security Requirements & Objectives
Security Evidence
Security Argument

32. 17
Evidence model and compliance models
➢Information required to characterize evidence artefacts
❑Who produced it
❑Revision and configuration management
❑“Trustworthiness”
➢Links to :
❑Engineering process results,
❑Standard objectives/requirements,
❑And to argument claims
10/03/2020 17

33. 18
Evidence management
Determine the
evidence to
provide
Collect
evidence item
information
Specify traceability
between
evidence items
Evaluate evidence
item
Is the
evidence
adequate? Yes
No
Address issues
10/03/2020 18

34. 19
Assurance management concepts
➢Assurance Project Management, determines the baseline elements of an
assurance project from reference assurance frameworks
➢Evidence Management whose information is mapped to baseline elements
for specifying compliance with a reference assurance framework (information
to collect)
➢Argumentation Management, which can refer to compliance with a reference
assurance framework (compliance argument)
10/03/2020 19

35. 20
Evidence model
➢Information or objective artefacts being offered in support of one or more claims
[SACM]
➢Overall, there are two types of privacy evidence
❑Compliance(process)-based evidence vs. product-based evidence
➢Traceability (and dependency) exists between pieces of evidence
➢Artefacts can be defined at several granularity levels
❑Reqs. specification document vs. single requirement
Artefact Evidence Claim
used as supports
10/03/2020 20

36. 21
Concepts for accountability
Evidences
Model
Compliance
Map Model
Argumentation
model
Baseline
Model
(e.g. SmartGrid)
Assurance Project (e.g. Smart Grids or Connected vehicle)
What is plan to Do What has Been Done
Compliance maps are the responsable for tracing
standard derived artefacts
10/03/2020 21

37. 22
Tool support for the method
10/03/2020 22
https://www.eclipse.org/opencert/

38. 23
Assurance
Project
Definition
Assurance Case
Management
Evidence
Management
Compliance
Management
Reporting
Regulation Modelling Equivalences Modelling
Assurance methodology
10/03/2020 23

39. 24
Tool support for the method
Evidence
Management
Prescriptive
Knowledge
Management
Privacy
Argumentation
Management
Assurance Project
Lifecycle
Management
Project
Repository
Measurement
&
Transparency
Assurance Configuration
Management
System Management
Standards &
Understandings
Argument
Patterns
Risk Control
Product
Engineering
Tools
Requirements,
Models
Link
Connect
10/03/2020 24

40. 24
Tool support for the method
Evidence
Management
Prescriptive
Knowledge
Management
Privacy
Argumentation
Management
Assurance Project
Lifecycle
Management
Project
Repository
Measurement
&
Transparency
Assurance Configuration
Management
System Management
Standards &
Understandings
Argument
Patterns
Risk Control
Product
Engineering
Tools
Requirements,
Models
Link
Connect
10/03/2020 24

41. 24
Tool support for the method
Evidence
Management
Prescriptive
Knowledge
Management
Privacy
Argumentation
Management
Assurance Project
Lifecycle
Management
Project
Repository
Measurement
&
Transparency
Assurance Configuration
Management
System Management
Standards &
Understandings
Argument
Patterns
Risk Control
Product
Engineering
Tools
Requirements,
Models
Link
Connect
10/03/2020 24

42. 24
Tool support for the method
Evidence
Management
Prescriptive
Knowledge
Management
Privacy
Argumentation
Management
Assurance Project
Lifecycle
Management
Project
Repository
Measurement
&
Transparency
Assurance Configuration
Management
System Management
Standards &
Understandings
Argument
Patterns
Risk Control
Product
Engineering
Tools
Requirements,
Models
Link
Connect
10/03/2020 24

43. 24
Tool support for the method
Evidence
Management
Prescriptive
Knowledge
Management
Privacy
Argumentation
Management
Assurance Project
Lifecycle
Management
Project
Repository
Measurement
&
Transparency
Assurance Configuration
Management
System Management
Standards &
Understandings
Argument
Patterns
Risk Control
Product
Engineering
Tools
Requirements,
Models
Link
Connect
10/03/2020 24

44. 24
Tool support for the method
Evidence
Management
Prescriptive
Knowledge
Management
Privacy
Argumentation
Management
Assurance Project
Lifecycle
Management
Project
Repository
Measurement
&
Transparency
Assurance Configuration
Management
System Management
Standards &
Understandings
Argument
Patterns
Risk Control
Product
Engineering
Tools
Requirements,
Models
Link
Connect
10/03/2020 24

45. 25
10/03/2020 25

46. 26
10/03/2020 26

47. 27
10/03/2020 27

48. 28
10/03/2020 28

49. 29
10/03/2020 29

50. 30
10/03/2020 30

51.
Methods and Tools for GDPR Compliance through
Privacy and Data
Protection 4 Engineering
Reference frameworks
Explicit evidences
Explicit and clear argumentation
Explicit traceability to reference
frameworks
Jabier Martinez (Tecnalia)
jabier.martinez@tecnalia.com