June 18, 2015 Meeting Page

SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft

Meeting Date: June 18, 2015

Attendees

• Mary Ellen Condon
• Adam Migus
• Adam Madlin
• Ann Racuya-Robbins
• Bob Pinheiro
• Bev Corwin
• Ryan Galluzzo
• Sal D’Agostino
• Martin Smith
• Paul Knight
• Linda Braun

Meeting Notes

• Mary Ellen Condon led the call. Notes taken by Linda Braun.

Agenda Review – as distributed by Mary Ellen in advance of the call

• Roll call; Quorum determination. Quorum was met.
• IPR policy reminder - https://www.idecosystem.org/system/files/filedepot/103/IDESG%20IPR%20Policy.pdf
• Supplemental Guidance Task Force - (initial feedback mtg recommendation - Adam Migus, task force lead)
• Virtual Plenary, Thursday, June 25 (no Security Committee meeting that day)

Discussion Notes

• Supplemental Guidance Task Force – Adam Migus reported that the task force got through all the higher priority requirements at their last meeting.
  • Requirement #15: There was no guidance, so the task force wrote it.
  • Requirement #8: Entities that authenticate a USER MUST offer authentication factors which augment or are alternatives to a password. Task force to rework Req.#8 in a minor way by replacing “factors” with “mechanism.”
  • Requirement #9: Entities MUST have a risk assessment process in place for the selection of authentication mechanisms and supporting processes. Discussion followed. Supplemental Guidance wording in #9 “however, authentication mechanisms should be commensurate with risk” was commented upon for revision and the task force will clarify at their next meeting.
  • Next steps for task force: Revisit language in Req.#3; clarify in supplement guidance as to what “invalidated means” in Req.#13 and revisit wording in Req.#8 and Req.#9. Task force will also look at lower priority requirements at their upcoming meeting for consistent language.
  • Security Committee discussed knowledge-based authentication next. In Req.#9 the task force will revisit wording “additional controls” and “authorizing parties” in the supplemental guidance.

New business / Other topics

• Mary Ellen submitted a request to the FMO for review/verification of the standards that were cited in the supplemental guidance.
• HIMSS recommendation discussed at Chairs meeting; policy has been sent to Privacy, Security and Standards Committees chairs. Chat from Paul Knight: “The Management Council is formally requesting the Security Committee review the policy and make a recommendation to the Management Council as to whether it implicates IDESG-adopted (or to-be-adopted) standards so as to require review, and if so, if it comports with our principles. Such recommendation may be accompanied by a minority report, authored by those leading the minority opinion.” Security Committee should look at policy and determine how to evaluate. MEC forwarded the IDESG Endorsement Policy and HIMSS recommendation to the team during the call.

Wrap up and actions for next week

• No Security Meeting (June 25) since the plenary session will be taking place during our normal meeting time. Next meeting: July 2, 2015,
• Meeting was adjourned at 1:51 p.m.

Action Items

• Supplemental Task Force to continue their work and report back to Security Committee.

Quick Links: Security Committee | Functional Model | Security Committee Meeting Notes | Security Committee Content