July 2, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft
- Mary Ellen Condon
- Adam Migus
- Bob Pinheiro
- Ann Racuya-Robbins
- Ryan Galluzzo
- Sal D’Agostino
- Steve Orrin
- Paul Knight, FMO
- Christine Abruzzi
- Linda Braun, Global Inventures
- Mary Ellen Condon led the call. Notes taken by Linda Braun.
Agenda Review – as distributed by Mary Ellen in advance of the call (approved)
- Roll call; Quorum determination. Quorum was met.
- IPR policy reminder – https://www.idecosystem.org/system/files/filedepot/103/IDESG%20IPR%20Policy.pdf
- Meeting notes for June 11 and June 18, 2015 (approved)
- Steve Orrin was welcomed as the new Vice Chair of the Security Committee.
- Supplemental Guidance Task Force - (initial feedback mtg recommendation - Adam Migus, task force lead)
- Security Requirements
- HIMSS draft
- Supplemental Guidance Task Force – Adam Migus commented that the task force finished their work. Adam walked the team through three requirements where substitutive discussion had taken place.
- Requirement #3: Use of MFA for administrative access. Change made to supplemental guidance to have it state that MFA must be used for administrative access “Appropriate access control measures including multifactor authentication MUST BE in place to ensure that access to identity data by data custodians is restricted…”
- Requirement#8: Supplemental guidance was amended at the virtual plenary. The change was accepted to use authentication mechanisms instead of authentication factors. One other change that needs to be approved, but not brought up at the plenary is “…authentication based on a password acting as a shared secret.” Security Committee will need to figure out the approval process.
- Requirement #9: Entities MUST have a risk assessment process in place for the selection of authentication mechanisms and supporting processes. Supplemental guidance recommendation is to use additional control.
- Sal posted the following link into chat on biometrics. https://www.schneier.com/essays/archives/1999/08/biometrics_uses_and.html. Discussion followed.
- Sal to come up with wording on biometrics. Authentication and the factors that contribute to establishing that identification for authentication needs to be better defined.
- Requirement#13: Revised “invalidated,” and amended at the virtual plenary to “invalidate credentials.”
- Security Committee Supplemental Task Force work is now completed. Requirement#8-some modification wording is included around “shared secret,” and Sal volunteered to provide additional language for clarity.
- Motion was made to approve the supplemental guidance, with exception of supplemental guidance in requirement#8. Motion approved and seconded - supplemental guidance accepted by the Security Committee.
New business / Other topics
- HIMSS discussion moved to July 9 meeting.
Wrap up and actions for next week
- Next meeting: July 9, 2015
- Next Plenary is in Tampa, September 24 & 25, 2015. The Management Council meeting is September 23, 2015.
- Meeting was adjourned at 1:48 p.m.
- Sal to provide language for requirements #8 and #9.