Extending HP Identity Management Solutions to Enforce Privacy Policies and Obligations for Regulatory Compliance by Enterprises

This paper describes issues and requirements related to privacy management as an aspect of improved governance in enterprises. It focuses on privacy enforcement, in particular privacy-aware access control and the enforcement of privacy obligations: this is still a green field and, at the same time, a key aspect to be taken into account to ensure compliance both with regulations and with an enterprise’s IT governance objectives. We introduce our HP Labs work in these areas: core concepts are described along with our policy enforcement models and related technologies. Two prototypes have been built as a proof of concept to: (1) enforce privacy policies on personal data by extending HP Select Access; (2) manage and enforce privacy obligations on personal data, integrated with HP Select Identity. We describe their technical capabilities and our next steps.
