September 21, 2015 Meeting Page: Difference between revisions

SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft

Attendees

• Mary Ellen Condon
• Adam Madlin
• Adam Migus
• Martin Smith
• Paul Knight
• Steve Orrin
• Ryan Galluzzo
• Christine Abruzzi
• Linda Braun, Global Inventures

Meeting Notes

• Mary Ellen led the call. Notes taken by Linda Braun.
• Roll call; Quorum determination. Quorum was met.
• IPR policy reminder – https://www.idecosystem.org/system/files/filedepot/103/IDESG%20IPR%20Policy.pdf

The September 17, 2015 minutes were approved.
Discussion Notes

• Supplemental Guidance and feedback from FMO/Pilots
  • This was an extra meeting to finalize the Security Committee’s response to the FMO/Pilots feedback. The Security Committee reviewed item #10 again since they did not have time at last week’s meeting. They also reviewed the Pilots request for more clarity on #14 & #15.
• SECURE-10.UPTIME
  • Entities that provide and conduct digital identity management functions MUST have established policies and processes in place to maintain their stated assurances for availability of their services[, including documented policies to address disaster recovery, continuity of business, and denial of service prevention/recovery.]
  • Amendment proposal from FMO, to address a Security Committee mandate in the supplemental guidance)
  • As of 9/10, the Security Committee asked that this language remain in the Supplemental Guidance for the 2015 drafting round. FMO recommended instead that, if it remains an imperative ("MUST"), it should be amended into the Requirement text; see its two alternative locations, above and below.
  • SUPPLEMENTAL GUIDANCE
  • [At a minimum, service providers [should]/ have documented policies to address disaster recovery, continuity of business, and denial of service prevention/recovery. [See INTEROP-5 (DOCUMENTED PROCESSES).] [delete if amendment adopted]
  • SECURITY COMMITTEE RESPONSE: Agreed to change MUST to SHOULD and keep text in the Supplemental Guidance and add the words “and processes” after policies. Keep in reference to INTEROP-5. No change to the requirement.
• SECURE-14. SECURITY LOGS
  • Entities conducting digital identity management functions MUST log their transactions and security events, in a manner that supports system audits and, where necessary, security investigations and regulatory requirements. Timestamp synchronization and detail of logs MUST be appropriate to the level of risk associated with the environment and transactions.
  • SUPPLEMENTAL GUIDANCE
  • Transactions and events associated with systems that support identity management functions must be time-stamped and logged. Where necessary additional information related to the events also must be logged (such as the source of an authentication assertion) with the data needed to support audits.
  • Selection of logging and timestamping standards, processes, and procedures should be consistent with the processes outlined in SECURE-1 (SECURITY PRACTICES).
  • Audit records and logs must be protected consistent with SECURE-2 (DATA INTEGRITY). [NSTIC pilots expressed concern about defining the scope of 'systems' to which this Requirement applies, and asked for clarification of how to assess "appropriateness." 6/17/2015, refreshed 9/2/2015.]
  • SECURITY COMMITTEE RESPONSE: No change recommended at this time.
• SECURE-15. SECURITY AUDITS
  • Entities MUST conduct regular audits of their compliance with their own information security policies and procedures, and any additional requirements of law, including a review of their logs, incident reports and credential loss occurrences, and MUST periodically review the effectiveness of their policies and procedures in light of that data.
  • SUPPLEMENTAL GUIDANCE
  • Both internal and third party audits are considered acceptable for conformance to this Requirement. This Requirement does not dictate frequency of audits. However, the processes, policies, procedures for conducting audits, and audit findings, as well as those for defining the frequency of audits, must be documented. Additionally, a process for remediating and correcting deficiencies identified during audits must also be documented.
  • NSTIC pilots asked for clarification of how to assess "effectiveness," and questioned whether such audits were effective: 6/17/2015, refreshed 9/2/2015.] FMO recommends that no change may be needed for the 2015 release, in light of the industry practices in which such audits appear to be proceeding without serious complications. The committees and pilots may wish to discuss the cost/benefit aspects of this practice for future rounds. FMO recommends that the terms are moderately self-explanatory and no change may be needed for the 2015 release.
  • SECURITY COMMITTEE RESPONSE: No change recommended at this time. A new Measurement Team should be created that owns metrics.

New Business

• None.
• Adam Madlin will present the Strategic Plan to the Security Committee on October 8.

Wrap up and actions for next week

• Ben Wilson and Dave Temoshok looking to speak with the Security Committee members who will be at Tampa to discuss SALS. Christine to schedule time.
• Next meeting: October 1, 2015
• Plenary is in Tampa, September 24 & 25, 2015. The Management Council meeting is September 23, 2015. Next Virtual Plenary scheduled for October 15, 2015.
• Meeting was adjourned at 1:39 p.m. EDT.

Action Items

• Mary Ellen will draft responses and have Steve review before sending final Security comments back to FMO.

Quick Links: Security Committee | Functional Model | Security Committee Meeting Notes | Security Committee Content