July 16, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft
- Adam Migus
- Adam Madlin
- Ann Racuya-Robbins
- Christopher Spottiswoode
- Ryan Galluzzo
- Steve Orrin
- Paul Knight, FMO (joined at 1:23p.m.)
- Christine Abruzzi
- Hans Vargas
- Suzanne Lightman
- Linda Braun, Global Inventures
- Steve Orrin led the call. Notes taken by Linda Braun.
Agenda Review – as distributed by Mary Ellen in advance of the call (approved)
- Roll call; Quorum determination. Quorum was met.
- IPR policy reminder – https://www.idecosystem.org/system/files/filedepot/103/IDESG%20IPR%20Policy.pdf
- Draft response re: endorsement of updated HIMSS Policy
- Redress Task Force work – any feedback?
- FMO updates
- New business
- Volunteers for the IDESG Story committee led by Andrew Hughes
- Standards list-- are there specific standards to which the Security Committee should map requirements? COBIT, 800-53?
- Draft response to HIMSS Policy
- Mary Ellen sent the response to the Security Committee along with the agenda. Ryan read the response to the team for comment. The team made a few minor edits to the response, but in general stated that the Security Committee recommendation is that IDESG not endorse the HIMSS Policy. Steve and Ryan will make final edits to the response and send to Mary Ellen for final send to the Management Council.
- Redress Task Force work
- No update available from Adam Migus. This topic will be added to next week’s meeting.
- FMO updates
- Mary Ellen had previously asked about the Security Evaluation Methodology item. Anyone familiar with that work item? It was a deliverable in the charter when the Security Committee was started. It is no longer a focus of the Security Committee, but someone said it was an item we should consider re-addressing. This is still in the Security Committee charter. It is currently not on the FMO Dashboard. The item was for the Security Committee to evaluate tools or products. If this is for tools or products, there is no need to keep it in the charter. Some asked if the Security Committee should come up with a Security Evaluation Methodology, similar to the Privacy Evaluation Methodology, as a new work item. Steve recommended we add it to next week’s agenda when Mary Ellen is available.
- Volunteers for the IDESG Story Committee
- Adam Madlin volunteered to participate on behalf of the Security Committee; however, he was having a conflict with the time slot on Friday afternoons at 1:30 p.m. EDT. Adam Migus would like to attend as well, but said he was having a conflict with the meeting time as well.
- Standards list
- Short term work is to take another look at the list of standards and prioritize. Longer term work – take the Security Committee baseline requirements and map them against standards organizations’ policies and control suites to show how the security baseline maps into existing environments. Process clarification by Ryan: The standards list was originally put together by the Security Committee and we tried to prioritize them. In order to get them adopted, we need to fill out the standards adoption recommendation form. We did not send the entire list to the Standards Committee. We only sent over the two security standards adoption forms. We have not had a chance to re-evaluate the list yet. The list was reviewed during the meeting. ISO270001 and ISO270002 are currently in review by the Standards Committee. NIST-SP80037 and NIST-SP80053 were submitted and adopted at the last virtual plenary. High priority standards not yet submitted: ISO29115/ITU-T 1254, NIST-SP-80063 and ISO/IEC 27018. Someone asked why PCI DSS was lower on the list.
- What was the process used last time to submit the standards recommendations? Ryan drafted and the group did a review/edit. Volunteer group formed to work through the list and pick the ones to submit and review with the Security Committee. Volunteers: Ann Racuya-Robbins, Ryan Galluzzo. Steve requested the broader Security Committee members to volunteer as well.
- Requirements mapping COBIT and 800-53 discussion
- Are there others that should be included? Recommendation is to look at which framework standards have requirements that are already mapped and find ones that have been mapped to other standards frameworks; we might be able to get a better mapping. Recommendation was to ask the FMO to define a task order to bring a resource in to do the mapping and work with the SC Task Force. Step #1: come up with a short list of frameworks to select for mapping. Step #2: put in a work order for the FMO to resource. Steve will draft the initial list through email exchange. Adam Migus, Ryan and Ann are the selection committee members.
Wrap up and actions for next week
- Redress Task Force work – add to agenda
- Security Evaluation Methodology – add to agenda
- Next meeting: July 29, 2015
- Next Plenary is in Tampa, September 24 & 25, 2015. The Management Council meeting is September 23, 2015.
- Meeting was adjourned at 1:55 p.m.
- Steve to draft initial requirements mapping list
- Ann asked about the next steps on the functional model from the recent chairs call: one is the glossary and the other is the functional model. Mary Ellen to report back next week. There might be a group that gets together, but no action has been taken as of yet.