May 21, 2015 Meeting Page

SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft

Meeting Date: May 21, 2015

Attendees

• Adam Migus
• Christopher Spottiswoode
• Ben Wilson
• Christine Abruzzi
• Martin Smith
• Mary Ellen Condon
• Paul Knight
• Ryan Galluzzo
• Sal D’Agostino
• Linda Braun

Meeting Notes

• Mary Ellen Condon led the call. Notes taken by Linda Braun.
• Meeting notes from April 23, 30 and May 7 approved.

Agenda – as distributed by Adam Madlin before the meeting

• Roll call; Quorum determined.
• IPR policy reminder - https://www.idecosystem.org/system/files/filedepot/103/IDESG%20IPR%20Policy.pdf
• Review agenda
• Approve past meeting notes
• Confirm finalized security requirements (confirmation, not detailed discussion)
• Plan, and if possible, work on security requirements supplemental information.
• New business / Other topics
• Wrap up and actions for next week

Discussion Notes

• The group decided to formulate a small task force to work on the Security Committee Requirements’ Supplemental Guidance document and come back with proposed dispositions. Adam Migus volunteered to lead the group. Ben Wilson and Ryan Galluzzo also volunteered to work on the task force. Paul Knight volunteered to look at the references.
• Ryan showed the Security Committee Requirements Set and identified the ones that needed to be updated. Some items might require someone to draft language. Requirement #15 might be the only requirement that needs outside research. The team discussed the consistency of the supplemental guidance approach across all committees. An important goal of the supplemental guidance is to let someone who is a service provider, who wants to self-test, to provide guidance and clarify on what kinds of standards they should be attesting to. This includes making the guidance useable and understandable for users and self-attesters. It helps them sell it within their organization as well. The Supplemental Guidance should not include implementation guidance. Agreed. In some cases a word might need to be expanded. Agreed that the word could be hyperlinked to a definition of the term. We don’t need to redefine something if a definition is already out there.
• Question was asked about a secure transport (TLS) requirement. We only have this in the supplemental guidance. It is covered in the high level baseline requirement #3 and in the associated supplemental guidance and in requirement #5. Some members of the team disagreed. We need to be able to clearly describe. Suggestion if this is a gap, someone should provide an update to what the requirement should be and we need an extension. Sal will provide draft language for the supplemental guidance around authentication techniques and hand over to the FMO. Security Committee should discuss and approve.

Wrap up and actions for next week

• Next meeting: May 28, 2015,
• Meeting was adjourned at 2:08 p.m.

Action Items

• Adam to determine approach for task force. Outcome expected: recommend dispositions for supplemental guidance.
• Sal to provide language around enhanced authentication techniques is captured as supplemental guidance. Alternately, Sal to send an email to the list with his proposed language.

Quick Links: Security Committee | Functional Model | Security Committee Meeting Notes | Security Committee Content