Industrial Internet Security Framework v 1.0 | Page 130

Security Framework Annex A: Industrial Security Standards

ISO/IEC 29100, ‘Privacy framework’¹ provides a guideline that specifies a common privacy terminology, defines actors and roles in processing PII, describes privacy safeguarding considerations, and includes references to known privacy principles for information technology.

ISO/IEC 29101, ‘Privacy architecture framework’² specifies concerns for information and communication systems processing PII, lists components for the implementation of such systems and provides architectural views that contextualize these components.

ISO/IEC 29190, ‘Privacy capability assessment model’³ provides high-level guidance to organizations about assessing their capability to manage privacy-related processes.

ISO/IEC 27018, ‘Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors’⁴ establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the principles described in ISO/IEC 29100.

ISO/IEC 29134, ‘Privacy impact assessment–Guidelines’⁵ proposes a methodology for conducting privacy impact assessments.

NISTIR 8062, ‘Privacy Risk Management for Federal Information Systems’⁶ describes a privacy risk management framework focused on privacy engineering objectives and a privacy risk model.

A.6.2 PRIVACY FRAMEWORKS

A framework is a conceptual structure for organizing activities in pursuit of a specific goal, e.g., transatlantic data flow. The European Union and the United States have agreed on a new framework for transatlantic data flows called the ‘EU-US Privacy Shield’⁷, because the European Court of Justice declared the earlier Safe Harbor framework invalid in October 2015. Privacy Shield strengthens cooperation between the US Federal Trade Commission and EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield.

At the time of writing this document, EU-US Privacy Shield is still a work in progress.

A.6.3 PRIVACY REGULATIONS

Many countries have published guidelines, standards or regulations to protect the Personally Identifiable Information (PII) and Protected Health Information (PHI) of their citizens. Notable

1 See [ISO-29100]
2 See [ISO-29101]
3 See [ISO-29190]
4 See [ISO-27018]
5 See [ISO-29134]
6 See [NISTIR-8062]
7 See [US-EU-Prv-Sh]

IIC:PUB:G4:V1.0:PB:20160926 - 130 -