|
Research
As a federally funded research and development center (FFRDC), research is an important part of what we do at MITRE. Several of our recent privacy research efforts are discussed below. In addition more information is available about the MITRE Research Program.
ePETs
Much of MITRE's privacy-related research focuses on enterprise privacy-enhancing technologies (ePETs). ePETs are data stewardship tools that help organizations achieve their business goals while appropriately managing personally identifiable information (PII) throughout the information life cycle of collection, processing, use, disclosure, retention, and destruction. Much PET research to date has focused on tools to help individuals protect their privacy, typically by preventing the collection of PII in the first place. However, large and complex organizations—in some cases with significant regulatory compliance requirements—need tools to help them manage the large amounts of PII they acquire in the process of carrying out their missions. MITRE ePET research aims to help sponsors better understand and leverage existing ePETs and also seeks to develop new or more effective ePETs and related techniques.
Multiple activities have helped MITRE guide sponsors' use of ePETs. These include efforts to map classes of ePETs to categories of privacy-related business processes, either directly or via intermediaries such as use cases. Such mappings can guide ePET selection and deployment by matching particular types of tools with the processes they can potentially support. This has been accompanied by capability assessments of certain classes of ePETs, including components of data loss prevention (DLP) solutions and data desensitization tools, which transform data sets in various ways so as to reduce privacy risk. MITRE's Privacy Lab is working with these tools to develop guidelines for de-identifying PII and to generate a large set of realistic but fake PII as a resource for testing, training, and other purposes.
PII Risk Management
Part of the difficulty with protecting PII is being able to identify it in the first place and protect it commensurate with its sensitivity. Adequate guidance is currently not widely available to assist government organizations with identifying PII, categorizing it according to the level of sensitivity, and ensuring that appropriate privacy controls are employed based on sensitivity. To read more about our research project in this area, see Personally Identifiable Information Risk Management.
IM-PLUS: Information Management with Privacy, Lineage, Uncertainty, and Security
MITRE's sponsors often gather vast quantities of information from many sources. Users must understand data lineage (i.e., where the information came from and the processes that acted upon that data) and data uncertainty to determine whether the information is useful and trustworthy. Lineage and uncertainty information are subject to the security and privacy concerns of our military, intelligence, law enforcement, and biomedical research sponsors. In particular, lineage information plays an important role in mission assurance in the face of sophisticated cyber-attack. We extend prior research on data lineage and workflows to include Web information, and processing chains used in data fusion applications. We are analyzing interactions among privacy, lineage, uncertainty, and security requirements to exploit shared efficiencies, highlight trade-offs, and support the user's decisions in interpreting and trusting the data. To read more about our research project in this area, see IM-PLUS: Information Management with Privacy, Lineage, Uncertainty, and Security.
For more information or discussion about this material, please Contact Us.
|
|
