March 5, 2015 Meeting Page: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
m (2 revisions imported: Initial Upload of old pages from IDESG Wiki)
 
(No difference)

Latest revision as of 04:02, 28 June 2018

SECURITY COMMITTEE MEETING NOTES - draft

Meeting Date: March 5, 2015

Attendees

  • Aaron Guzman
  • Adam Migus
  • Andrew Hughes
  • Ann Racuya-Robbins
  • Jeff Shultz
  • Linda Braun, Global Inventures
  • Martin Smith
  • Paul Knight
  • Paul Laurent
  • Ryan Galluzzo
  • Sal D’Agostino
  • Seetharama Durbha


Meeting Notes

  • Seetharama and Ryan led the call. Action: Adam Madlin to post all minutes provided by Linda to the wiki.
  • Notes taken by Linda Braun
  • Requirements
    • Ryan started by reviewing Requirement #10. He said this requirement was discussed on 2/26/2015 and again during a call with a small group on 3/3/2015.
    • Requirement #10: Outcome based requirement statement, updated to: Service provider employs secure authentication on protocols for the purpose of demonstrating user control of the issued token. Group agreed to move onto the next requirement as there was not full agreement in the wording.
    • Requirement #11: Ryan read FMO comments: If we have no quantitative way to demonstrate comparative determinations of strength then we cannot use this requirement. This may need to be a requirement for a second factor. Users are able to choose a multi factor authentication option.
    • The team considered the following outcome based requirement statement during the discussion.
      • Service providers must consider shared secret authentication methods as weak when conducting risk analysis or access control.
      • User is able to choose the authentication mechanism and should be given guidance to make a risk based choice.
      • Users are able to choose a multi factor authentication option.
      • Comment: user should be able to choose the authentication method they use.
      • Chat from Martin Smith: maybe the requirement is for transparency, and "meaningful" transparency.
  • Meeting ended with statement: Service Providers offer an alternative to password authentication. Team agreed to meet next week to work on statement further. And,Ryan will work on supplemental guidance.
  • Next working session: Linda to put out a Doodle poll with option of meeting Monday (March) or Tuesday (March 10).

Action Items

  • Linda to schedule next working session.
  • Adam to post previous notes to wiki.




Quick Links: Security Committee | Functional Model | Security Committee Meeting Notes | Security Committee Content