September 17, 2015 Meeting Page

From IDESG Wiki

SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft

Attendees

  • Mary Ellen Condon
  • Adam Madlin
  • Adam Migus
  • Paul Knight
  • Martin Smith
  • Edgar Saldivia
  • Christine Abruzzi
  • Sal D’Agostino
  • Linda Braun, Global Inventures


Meeting Notes

The September 10, 2015 minutes were approved.

Discussion Notes

  • Supplemental Guidance and feedback from FMO/Pilots. We've been asked to look at proposed changes from FMO to the supplemental guidance for #1, #2, #5 & #10. We also have three items where the Pilots have requested more clarity: #1, #14 & #15.
  • SECURE-1. SECURITY PRACTICES
    • Entities MUST apply appropriate and industry-accepted information security STANDARDS, guidelines, and practices to the systems that support their identity functions and services. FMO recommended inserting in the requirements: [Entities MUST have risk-based countermeasures and safeguards in place to resist common threats to identity solutions and identity data, including Session hijacking; Eavesdropping; Theft; Man-in-the-middle; Online Guessing; Replay; Unauthorized copying or duplication; and Insider Threats.]
    • As of 9/10, Security Committee asked that this amendment be moved from SECURE-2 to SECURE 1. The Security Committee has asked that it be placed in the Supplemental Guidance for SECURE-1 for the 2015 drafting round. FMO recommended instead that, if it remains an imperative ("MUST"), it should be amended into the Requirement text; see its two alternative locations, above and below. FMO is concerned about the contrast between the second paragraph of the supplemental guidance ('we won't give you a list of policies'), and this clause as a new third paragraph ('here's a list of required policies').
    • [Entities [should]/must have risk-based countermeasures and safeguards in place to resist common threats to identity solutions and identity data, including Session hijacking; Eavesdropping; Theft; Man-in-the-middle; Online Guessing; Replay; Unauthorized copying or duplication; and Insider Threats.]
    • Security Committee Response: Leave paragraph as a third paragraph in the Supplemental Guidance and add clarifying words “for example,” Session hijacking; Eavesdropping; Theft; Man-in-the-middle; …
  • SECURE-2. DATA INTEGRITY
    • Text moved to SECURE-1 as the Security Committee directed the FMO 9/10/2015.
  • SECURE-5. CREDENTIAL ISSUANCE
    • Entities that issue or manage credentials and tokens MUST do so in a manner designed to assure that they are granted to the appropriate and intended USER(s) only. FMO recommended inserting in the requirements: [Where registration and credential issuance are executed by separate entities, procedures for ensuring accurate exchange of registration and issuance information MUST be included in business agreements and operating policies.]
    • As of 9/10, the Security Committee asked that this language remain in the Supplemental Guidance for the 2015 drafting round. FMO recommended instead that, if it remains an imperative ("MUST"), it should be amended into the Requirement text; see its two alternative locations, above and below.
    • SUPPLEMENTAL GUIDANCE
    • Procedures exist to ensure the user(s) who receives the credential and associated tokens is the same user(s) who participated in registration. These can include: The use of secure transport for credential and token data (see SECURE-2 (DATA INTEGRITY)); Out-of-band distribution of credentials or tokens; In-person issuance of credentials or tokens.
    • [Where [registration and credential issuance] are executed by separate entities, procedures for ensuring accurate exchange of registration and issuance information [should]/[] be included in business agreements and operating policies.]
    • Security Committee Response: We agree to promote the second sentence [Where [registration and credential issuance] are executed by separate entities, procedures for ensuring accurate exchange of registration and issuance information [should]/[] be included in business agreements and operating policies.] to the requirement.
    • Feedback to FMO on INTEROP-5 DOCUMENTED PROCESSES. During our discussion we noted some additional supplemental guidance for INTEROP-5 to add clarity around separation of responsibilities when transactions are between two entities. “Wherever there is an interface, the responsibility for parties on both sides of the interface should be documented, so nothing is omitted and responsibilities are clear.” Both parties should be responsible.
  • SECURE-10. UPTIME.
    • Entities that provide and conduct digital identity management functions MUST have established policies and processes in place to maintain their stated assurances for availability of their services[, including documented policies to address disaster recovery, continuity of business, and denial of service prevention/recovery.]
    • As of 9/10, the Security Committee asked that this language remain in the Supplemental Guidance for the 2015 drafting round. FMO recommended instead that, if it remains an imperative ("MUST"), it should be amended into the Requirement text; see its two alternative locations, above and below.
    • SUPPLEMENTAL GUIDANCE
    • [At a minimum, service providers [should]/ have documented policies to address disaster recovery, continuity of business, and denial of service prevention/recovery. [See INTEROP-5 (DOCUMENTED PROCESSES).]
    • Security Committee Response: Reject adding the sentence into requirements. Leave the sentence in Supplemental Guidance and amend it to say “documented policies and procedures.” Endcap the sentence with “commensurate with the stated assurances and availability.” Team agreed that additional work needs to be done on this topic. Needs to be included in framework v2.

New business

  • None.
  • Mary Ellen will not be attending the Plenary; Steve Orrin, Adam Madlin and Paul Knight will attend.
  • TFTM would like to get together with Security Committee during Plenary. If anyone is going to be in Tampa, Ben Wilson and David Temoshok would like to get together. Christine to follow-up and schedule.


Wrap up and actions for next week

  • Linda to schedule an additional call for Monday, September 21, 2015 at 1:00p.m. since the team did not get through the entire agenda.


  • Next meeting: September 21, 2015
  • Plenary is in Tampa, September 24 & 25, 2015. The Management Council meeting is September 23, 2015. Next Virtual Plenary scheduled for October 15, 2015.
  • Meeting was adjourned at 2:02 p.m. EDT.


Action Items

  • Mary Ellen will draft responses and have Steve review before sending Security comments back to FMO.
