Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Saturday, September 29, 2007

Privacy Management in Enterprises? It is a matter of Enforcement and Automation …

Privacy policy enforcement and automation are, in my view, two key aspects necessary to improve enterprise privacy management practices.

Privacy auditing and compliance checking are reactive approaches, definitely important but of little help once violations have occurred and the “privacy” of people has already been compromised (e.g. their personal data has been misused, identity theft has taken place, etc.). More effort is required to enforce privacy policies, in particular by introducing more automation (and integration with current enterprise identity management solutions …).

At HP Labs we have been researching in this direction for years. Some relevant projects have focused on:

In the context of the PRIME project, various Privacy Enhancing Approaches and Technologies have also been researched and developed.

More recently, the Identity Governance Framework (IGF) effort has introduced use cases, approaches and criteria to deal with data governance and enforce privacy both in enterprises and federated identity management contexts.

I argue that the decision on the “actual blend” of policy enforcement and auditing/compliance checking should be the outcome of a “risk analysis” process, which must take into account the specific enterprise context and the assets to be protected.
