May 15, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES
Meeting Date: May 15, 2015
- Adam Madlin
- Ryan Galluzzo
- Adam Migus
- Bob Pinheiro
- Christine Abruzzi
- David Temoshok
- Mary Ellen Condon
- Ann Racuya-Robbins
- Jeff Shultz
- Hans Vargas
- Steve Orrin
- Sal D’Agostino
- Jamie Clark
- Paul Knight
- Linda Braun, Global Inventures
- Adam Madlin led the call for the first half, and then it was shared between Mary Ellen and Ryan. Notes taken by Linda Braun.
- Review agenda
- Approve past meeting notes
- Committee chairman elections
- Process FMO Security Requirements feedback
- New Business
- Wrap up
Work status and updates
- Continuation of FMO Feedback: Ryan Galluzzo took the team through the slides, starting with Requirement #2, and gave a quick update on the changes from the May 14 meeting.
- Requirement #2: Approved Disposition: Entities that issue or manage credentials must ensure that each account credential pairing is uniquely identifiable within its namespace for authentication purposes.
- Requirement #3: Approved Disposition: Entities must implement industry-accepted practices to protect the confidentiality and integrity of identity data – including authentication data and attribute values – during the execution of all digital identity management functions, and across the entire data lifecycle (collection through destruction).
- Requirement #4: Accepted Disposition: Entities that issue or manage credentials and tokens must implement industry-accepted processes to protect against their unauthorized disclosure and reproduction.
- Requirement #5: Accepted Disposition: Entities that issue or manage credentials and tokens must implement industry-acceptable data integrity practices to enable individuals and other entities to verify the source of credential and token data.
- Requirement #6: Accepted Disposition: Entities that issue or manage credentials and tokens must do so in a manner designed to assure that they are granted to the appropriate and intended user(s) only.
- Requirement #7: Entities that authenticate a user must employ industry-accepted secure authentication protocols to demonstrate the user’s control of a valid token.
- Requirement #8: FMO indicated this requirement was a duplicate with Standards. Disposition: Accept. Recommendation to the Standards Committee to separate the documentation of policies from the publication of policy. Remove parenthetical portal and address through the program's policy of best practices, not a security requirement.
- Requirement #9: Disposition: Second reference to user removed.
- Requirement #10: Disposition Approved: Entities must have a risk assessment process in place for the selection of authentication mechanisms and supporting processes.
- Requirement #11: Disposition Approved: Entities that provide and conduct digital identity management functions must have established policies and processes in place to maintain their stated assurances for availability of their services.
- Requirement #12: Disposition Approved: Entities that use cryptographic solutions as part of identity management MUST implement key management policies and processes that are consistent with industry-accepted practices.
- Requirement #13: Disposition Approved: Entities that issue credentials and tokens must implement methods for re-issuance, updating, and recovery of credentials and tokens that preserve the security and assurance of the original registration and credentialing operations.
- Requirement #14: Disposition Approved: Entities that issue credentials or tokens must have processes and procedures in place to revoke invalidated credentials and tokens.
- Requirement #15: Disposition Approved: Entities conducting digital identity management functions MUST log their transactions and security events, in a manner that supports system audits and, where necessary, security investigations and regulatory requirements. Time stamp synchronization and detail of logs MUST be appropriate to the level of risk associated with the environment and transactions. Add wording to supplement guidance on time synchronization.
- Requirement #16: Disposition Approved: Entities must conduct regular audits of their compliance with their own information security policies and procedures, and any additional requirements of law, including a review of their logs, incident reports and credential loss occurrences and must periodically review the effectiveness of their policies and procedures in light of that data.
- Requirement #1: Continue discussion on May 18.
Wrap up and actions for next week
- Next meeting May 18, 2015.
- Continue working on feedback from FMO to Security Committee requirements.