April 9, 2015 Meeting Page

SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft

Meeting Date: April 9, 2015

Attendees

• Aaron Guzman
• Adam Migus
• Ann Racuya-Robbins
• Christine Abruzzi
• Christine Spottiswoode
• David Temoshok
• Jeff Shultz
• Lee Aber
• Linda Braun, Global Inventures
• Mary Ellen Condon
• Mike Garcia
• Paul Knight
• Ryan Galluzzo
• Sal D’Agostino

Meeting Notes

• Adam Madlin led the call. Notes taken by Linda Braun
• Adam called for approval of the meeting notes for March 26 and April 2. Sal asked for an additional comment to be included in the April 2 notes under the Attribute Committee proposal, “It was suggested that these comments be forwarded to the FMO in their consideration of the Attribute Committee proposal.” He also asked to include the fact that Jerry Kickenson and Martin Smith also provided comments on the proposal. Once those change are made, Sal said he was OK with the minutes.
• Updates
  • Adam and Ryan went through the Virtual Plenary agenda, which is on www.idecosystem.org and is also available here. The meeting is planned for April 16, 2015, 1– 5 p.m. Eastern. It has not yet been determine how much time each presenter will have. Adam encouraged everyone to register and attend the call.
  • Adam said he and Jerry Kickenson are planning on meeting further on the attribute proposal soon.
  • Paul Knight said they are making good progress on reviewing and analyzing the requirements.
  • Adam informed the team that there is a public forum in two weeks led by the NIST National Cybersecurity Center of Excellence and Paul Grassi will be presenting. Adam received an invite. 800-63 will be discussed. Adam is just confirming and he is happy to share information about the event. Week of April 20. http://nccoe.nist.gov/node/285
  • Sal provided a link for the National Cybersecurity Center of Excellence Access Rights Management Use Case for the Financial Services Sector as he thought people might be interested. https://www.federalregister.gov/articles/2015/04/03/2015-07590/national-cybersecurity-center-of-excellence-access-rights-management-use-case-for-the-financial
  • Sal provided a link for the electronic power sector. https://www.federalregister.gov/articles/2014/03/18/2014-05960/national-cybersecurity-center-of-excellence-nccoe-and-electric-power-sector-identity-and-access#h-4
  • Sal provided a link that might help people not familiar with security. https://nvd.nist.gov/cpe.cfm
  • Sal provided a link on ISO assessment checklist. http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISOIEC27001-Assessment-Checklist-UK-EN.pdf
• Review Security Requirements Assessment Guide scoping document
  • Adam included the document location in the agenda. It is available here.
  • The scope and purpose of the self-assessment guide will be to provide a consistent, repeatable process for assessing conformance with security requirements. It will include:
  1. The finalized requirements and supplemental guidance
  2. Tests, examinations, reviews, and other procedures that can be applied to the applicants’ systems and policies to determine conformance.
  3. Descriptions of conformance with the requirements
  • We need to take into consideration that any requirements are designed to support the IDESG in its current phase and they need to be appropriate for the first phase of the framework. There are additional considerations and dependencies related to how this might fit in with other committees, similar content and similar contributions and how this might fit under other FMO activities. There should be consistency among committees.
  • Adam asked for comments:
  • Coordination with other committees – do we need to have a common format/template for structure?
    • Yes, this is an area of work where the committees giving requirements will need to pursue. There is a reference in the document saying that the FMO will need to establish a common template for consistency and ease of use. This is to help organizations that are looking to participate in the ecosystem to be able to attest to their support of the requirements. It should be of one guide.
  • TFTM has two work orders with the FMO and one of the work orders, which is numbered 05, has a number of components for the self-attestation program and one of those components represent an assessment guide recognizing that the committees are in fact the entities that are developing the requirements in the first. The committees would be in the best position to create any assessment guide on how to assess against the requirements. It should be a facilitation tool for any of the applicants performing the self-assessments to help to explain requirements, point to references or other materials so they can perform assessments against that requirement. It is conceived as a way to facilitate the self-assessment process. The FMO has not started this work yet, but it is one of the components that would be picked up to be advanced later on. It is good that the Security Committee is thinking about this work and the SC should be hearing from the FMO now that the work order is in place.
  • Since this is self-assessment, it would be for the applicants. When requirements move into a third party review in the future, it would be for them.
  • It was agreed to add the target audience to the guide.
  • The requirements and supplemental guidance as submitted are in a good place. There might be a few edits because of the harmonization process and we will be aligning with that work. Our requirements submission has a start on controls, standards and other reference materials and further work would contribute to the ecosystem and provide further information on usability. There is more work to include appropriate detail on each requirement, and describing how to conform to those requirements.
  • The difference between a self-assessment and a third party assessment is who is doing it. We aren’t necessarily structuring things for a self-assessment, we are structuring for an assessment which will be carried out by the service providers themselves.
  • This work could be a precursor to a third party assessment program. There would be a lot of learnings through the self-assessment. There is going to be an evolution of the requirements, we used the term baseline previously. As we evolve from a self-assessment program to a third party assessment program, there would be an increase in rigor and detailed requirements, and so it would have different implications given the phase of the program. Also being a new program, we need to consider onboarding of new organizations appropriately.
  • The assessment guide is to explain the requirements and to make sure what is being assessed is the right thing. As the IDESG program moves ahead we can add additional requirements incrementally.
  • The plan within TFTM, following the initial self-assessment, allows for a continuation of self-assessments, but also allows for more rigor or assurance through a third party capability. Having an assessment guide for the self-assessment period, as well as for third party assessments is a good idea for the program and will help with adoption.
  • There are no diagnostics in the document or tooling supported by the system for a computer based ecosystem. It seems to be a natural evolution and is this being kept in mind for the design? Agree, it wasn’t pointed out in this version of the document, but we will keep in mind and we should be looking at automating whenever possible and putting the right kind of moderation in place. We need to create a state of the art program.
  • There is an advantage to calling this an assessment guide for the advantages mentioned, but we need to let the evolution of requirements evolve without getting ahead of ourselves.
  • Adam asked about the scope of the document. We are not defining the level of detail around components but will have to flush this out with TFTM’s leadership. We are at a good starting point, is this appropriate?
  • This looks like a security assessment so where is remediation? Can we have something included in the scope about nonconformance to help the audience? Yes, we need to update the assessment guide with comments on remediation.
  • Duration – there will be no Security Committee meeting next week. Next time we will talk about this subject is April 30.
  • Adam asked about how we wanted to proceed with this work. We have a manageable amount of requirements (15) that we have submitted and we have more than 15 people on the Security Committee. Should we break into smaller teams and assign requirements to each team? Make people owners of specific requirements and have them do research and come back to the committee and report out their proposed content for the guide?
  • Ryan suggested we get an idea of what existing documents look like so we can understand the depth of information available, what format we might want to present the information in, instead of having everyone go out and pull together what they think is right. Instead we need one person to do this initial research and come up with a format that would be consistent for all of us to use. Ryan volunteered to take the first stab at this work. If anyone has documents that they know of, please send to Ryan and he will start to consolidate that information. Sal volunteered to send some information.
  • For next meeting, April 30, we will have some existing materials cataloged for the committee. Adam will contribute as well. At that April 30 meeting, we can start to make assignments and use the guiding material as a starting point.
  • Question about collaboration –is there a plan for the Security Committee to use an online tool for collaboration to keep track of changes instead of a static document? It’s on the agenda for Inventures to assist make a recommendation. Adam will see if there is any update on this.
• Wrap up and actions for next week
• Next meeting April 23, 2015

Action Items

• No meeting April 16 due to the virtual plenary and Linda will cancel Security Committee meeting.
• Ryan to research existing documents and come back in two weeks with recommendation on format

Quick Links: Security Committee | Functional Model | Security Committee Meeting Notes | Security Committee Content