June 11, 2015 Meeting Page

From IDESG Wiki
Jump to navigation Jump to search

SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft

Meeting Date: June 11, 2015

Attendees

  • Ann Racuya-Robbins
  • Bob Pinheiro
  • Christine Abruzzi
  • Jerry Kickenson
  • Mary Ellen Condon
  • Ryan Galluzzo
  • Sal D’Agostino
  • Martin Smith
  • Paul Knight
  • Martin Smith
  • Linda Braun


Meeting Notes

  • Mary Ellen Condon led the call. Notes taken by Linda Braun.


Agenda Review – as distributed by Mary Ellen in advance of the call

  • Roll call; Quorum determination. Quorum was met.
  • IPR policy reminder - https://www.idecosystem.org/system/files/filedepot/103/IDESG%20IPR%20Policy.pdf
  • Meeting Notes from May 21 and June 4 meetings approved(Motion by Adam Madlin, Second by Jerry Kickenson.
  • Reminder: Call for Vice Chair Nominations thru Monday, June 15, 2015. Linda will create an online Survey Monkey election to be sent out on June 15. Election period will run through June 22, 2015.
  • Supplemental Guidance Task Force - (initial feedback mtg recommendation - Adam Migus, task force lead)
  • New business / Other topics
  • Wrap up and actions for next week


Discussion Notes

  • Supplemental Guidance Task Force – Ryan indicated that this session was not intended to be a full deep dive on each item, but more of a general overview of status and currently thinking of the task force. This is not the final product, but items discussed during the task force meetings. In general, SHOULD statements will be changed to MUST statements. The task force has discussed four requirements out of the total of 15. There is no formal deadline to finish, but the task force is hoping to by the end of June.
    • Requirement #1: Entities MUST apply appropriate industry-accepted information security standards, guidelines, and practices to the systems that support their identity functions and services. Changes made by task force were to those made by the FMO, including changing SHOULD to MUST. Ryan asked if the team has any substantial comments they should send directly to Adam Migus.
    • Requirement #3: Entities MUST implement industry-accepted practices to protect the confidentiality and integrity of identity data – including authentication data and attribute value – during execution of all digital identity management functions, and across the entire data lifecycle (collection through destruction). Changes: Ryan indicated there was an extensive set of supplemental guidance in this section. There were a number of comments on multifactor authentication solutions that the committee discussed in this requirement. Action: Ryan and Bob to discuss with Adam Migus and figure out updates to the language.
    • Requirement #13: Entities that issue credentials or tokens MUST have processes and procedures in place to revoke invalidated credentials and tokens. Changes: Task force looked at this requirement in respect to invalidated expired credentials. Suggestion was to look at current credentials. Action: Clarify in supplement guidance as to what “invalidated means”. Sal agreed to send update wording to Adam and Ryan.
    • Requirement #14: Entities conducting digital identity management functions MUST log their transaction and security events, in a manner that supports system audits and, where necessary, security investigations and regulatory requirements. Timestamp synchronization and detail of logs MUST be appropriate to the level of risk associated with the environment and transactions. Comments: Question was asked about restricting to identity data? Logging was discussed.


New business / Other topics

  • Management Council is considering endorsing the HIMMS task force recommendation for identity assurance for patient portals. The Healthcare Committee originally made the recommendation and sent it to the Management Council for consideration. Lacking any other standards, they are recommending a standard Level Of Assurance (LOA) 3 for accessing their own protected health information through a patient portal. Paul Knight offered the following link: HIMSS document considered for endorsement by MC: http://www.himss.org/files/HIMSS_IDMTF_IAPP_Recommendation_Final.pdf.
  • Action: (Mary Ellen) to put on agenda for next meeting to discuss. Adam Madlin will follow-up with Adrien to discuss his opinion on this standard and will report back to the Security Committee.
  • Upcoming Plenary is June 25 (1-5 p.m.) Security Committee will be canceled for next week.

Wrap up and actions for next week

  • Next meeting: June 18, 2015,
  • Meeting was adjourned at 2:01 p.m.


Action Items

  • See above and here:
  • Actions:
    • Requirement #3-Ryan and Bob to discuss with Adam Migus and figure out updates to the language.
    • Requirement #13-Clarify in supplement guidance as to what “invalidated means”. Sal agreed to send update wording to Adam and Ryan.
    • Mary Ellen to put HIMSS on agenda for next meeting to discuss. Adam Madlin will follow-up with Adrien to discuss his opinion on this standard and will report back to the Security Committee.
    • Supplemental Guidance Task Force to continue their work.




Quick Links: Security Committee | Functional Model | Security Committee Meeting Notes | Security Committee Content