February 12, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft
Meeting Date: February 12, 2015
- Adam Madlin
- Adam Migus
- Andrew Hughes
- Ann Racuya-Robbins
- Bob Pinheiro
- Christopher Spottiswoode
- Jerry Kickenson
- Jeff Schultz, NPO
- Linda Braun, Global Inventures
- Paul Knight
- Ryan Galluzzo
- Sal D’Agostino
- Seetharama Durbha
- Suzanne Lightman
- Notes taken by Linda Braun
- General Discussion
- The next two plenary meetings will be virtual, in April and June (½ day, or maybe two ½ days), with a mid-August F2F in California.
- Deadline for finalized requirements to be submitted to FMO on March 16 according to Management Council request.
- Adam said he received feedback from FMO and the NSTIC pilots on the Security requirements. Feedback still in draft form and will be forwarded once he gets clarification that it is okay to send to the Security Committee.
- Call for today was to provide comments on other committee requirements, discuss in meeting and determine how best to represent to other committee. No one had any comments as of yet.
- Thursday, February 19 & February 26: For the next two Security Committee meetings, the group will work on updating the Security Requirements. Everyone on the committee should come prepared to process and update the requirements. Adam will resend the comments matrix spreadsheet and next week the Security Committee will start updating the requirements.
- How do we do a better job of documenting the components? Include supplemental information/guidance? All information was made available to FMO, but Adam noticed that there is not a consistent format for the requirements across committees.
- Action: Adam asked Paul to find out if there is a template that (other committees) are using that would work better than the template we are using. Need sooner rather than later.
- Someone made the comment that if we make the requirements and supporting documents too complex, it will make it too hard to use as an assessment tool. Intent is to set the minimum entry for the requirements. All goes back to the baseline requirements discussion. Security Committee should put forward high-level requirements; we need to clarify more and balance out that they are as the baseline. There won’t be any changes to the nature of the requirements; the Security Committee states the requirements and is the authority. This would be the time to bring in other experts within our networks and to solicit guidance from them. Security Committee’s role is to complete the deliverable and that includes accessing expertise if needed.
- Adam wants to see comments, input, guidance, approach etc. from the Security Committee. Now is the committee’s opportunity to get this work done. We might need a couple of extra meetings or form smaller teams in order to complete the task. Engage on the listserv with questions, or security-based questions. Need to look at requirements from the perspective of all roles in the ecosystem.
- Question: Our focus is security of the electronic transactions taking place online. How much assurance do the parties have that they are dealing with the individuals they think they are? We are talking about information security; if not, we should be clear. We are talking about assurance and information security.
- From Chat: SANS definition: Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
- We have had security scope creep in conversation; security is related to but not equal to trust, as an example.
- Adam said if there are areas still missing in our requirements, we need to identify them. Cryptographic solutions is one of them. Security of a transaction vs security of an ecosystem? Probably both need to be addressed. Whether they should be part of the baseline is in question. We need to look at the whole picture. Fundamentally we need to figure out what the initial set of requirements are that will attract participants. Detailing the requirements, testability, etc. is probably the easier part.
- The requirement spreadsheet is on the wiki. https://www.idecosystem.org/wiki/Security_Requirements dated January 15, 2015.
- Adam asked Paul to find out if there is a template that (other committees) are using that would work better than the template we are using. Need sooner rather than later.
- Action for committee members: Read the feedback from the FMO that was sent to the listserv.
- Next meeting February 19, 2015