March 10, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE WORKING SESSION NOTES - draft
Working Meeting Date: March 10, 2015 (Working Session)
- Adam Madlin
- Adam Migus
- Ann Racuya-Robbins
- Bob Pinheiro
- Jeff Shultz
- Linda Braun, Global Inventures
- Mike Garcia
- Ryan Galluzzo
- Sal D’Agostino
- Seetharama Durbha
- Adam led the call.
- Notes taken by Linda Braun
- Requirement #11.
- Team reviewed all five proposals.
- Recommendation - based upon modification to #5 – break requirement #11 into two sections. One that follows A and one that follows B.
- 1-4 removed. #5 broken into A and B.
- Supplemental guidance was changed to “Service providers offer users the ability to choose an authentication factor which is not a single factor password.”
- Requirements #3 and #9: Recommendation was to combine and team agreed.
- Requirement #13: No changes.
- Requirement #14: The committee accepted change suggested by pilots. New requirement “Processes for reissuance and/or recover of credentials and authentication tokens preserve the security and assurance of the original registration and credentialing operations.
- Requirement #15 The committee accepted change suggested by pilots. Supplemental guidance comment could be added around real time monitoring. Action: Sal to add. This is usability for security professionals. Exportability of logs. Ryan add "and regulatory requirements" to the requirement statement. Deleted "internal system" from the requirement. Added "Synchronization of systems could be internal or external dependent upon regulatory, risk, or other requirements" to the supplemental guidance.
- New Requirements slide: New requirements suggested by pilots. Revocation of credentials and tokens – team thought they should add. First requirement has a jurisdiction issue and conflicts with other regulatory agencies. This committee should not be proposing requirements. Topic is out of our domain, but should be included some place. State, federal likelihood requirement, but this is not a baseline requirement and needs more discussion. Raised with FMO, but not going into SC requirements. This is the end of the pilot comments.
- Requirement #11.
- Next working session: Thursday, March 12.