Industrial Internet Security Framework v 1.0 | Page 130
Annex A: Industrial Security Standards
ISO/IEC 29100, ‘Privacy framework’ [1], provides a guideline that specifies a common privacy terminology, defines the actors and roles involved in processing PII, describes privacy safeguarding considerations, and includes references to known privacy principles for information technology.

ISO/IEC 29101, ‘Privacy architecture framework’ [2], specifies concerns for information and communication systems that process PII, lists components for implementing such systems and provides architectural views that put these components in context.

ISO/IEC 29190, ‘Privacy capability assessment model’ [3], provides high-level guidance to organizations on assessing their capability to manage privacy-related processes.

ISO/IEC 27018, ‘Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors’ [4], establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the principles described in ISO/IEC 29100.

ISO/IEC 29134, ‘Privacy impact assessment – Guidelines’ [5], proposes a methodology for conducting privacy impact assessments.

NISTIR 8062, ‘Privacy Risk Management for Federal Information Systems’ [6], describes a privacy risk management framework built around privacy engineering objectives and a privacy risk model.
A.6.2 PRIVACY FRAMEWORKS
A framework is a conceptual structure for organizing activities in pursuit of a specific goal, e.g., transatlantic data flows. The European Union and the United States have agreed on a new framework for transatlantic data flows called the ‘EU-US Privacy Shield’ [7], after the European Court of Justice declared the earlier Safe Harbor framework invalid in October 2015. Privacy Shield strengthens cooperation between the US Federal Trade Commission and the EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield. At the time of writing this document, the EU-US Privacy Shield is still a work in progress.
A.6.3 PRIVACY REGULATIONS
Many countries have published guidelines, standards or regulations to protect the Personally
Identifiable Information (PII) and Protected Health Information (PHI) of their citizens. Notable
[1] See [ISO-29100]
[2] See [ISO-29101]
[3] See [ISO-29190]
[4] See [ISO-27018]
[5] See [ISO-29134]
[6] See [NISTIR-8062]
[7] See [US-EU-Prv-Sh]
IIC:PUB:G4:V1.0:PB:20160926