May 21, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft
Meeting Date: May 21, 2015
Attendees:
- Adam Migus
- Christopher Spottiswoode
- Ben Wilson
- Christine Abruzzi
- Martin Smith
- Mary Ellen Condon
- Paul Knight
- Ryan Galluzzo
- Sal D’Agostino
- Linda Braun
- Mary Ellen Condon led the call. Notes taken by Linda Braun.
- Meeting notes from April 23, 30 and May 7 approved.
Agenda – as distributed by Adam Madlin before the meeting
- Roll call; Quorum determined.
- IPR policy reminder - https://www.idecosystem.org/system/files/filedepot/103/IDESG%20IPR%20Policy.pdf
- Review agenda
- Approve past meeting notes
- Confirm finalized security requirements (confirmation, not detailed discussion)
- Plan, and if possible, work on security requirements supplemental information.
- New business / Other topics
- Wrap up and actions for next week
- The group decided to formulate a small task force to work on the Security Committee Requirements’ Supplemental Guidance document and come back with proposed dispositions. Adam Migus volunteered to lead the group. Ben Wilson and Ryan Galluzzo also volunteered to work on the task force. Paul Knight volunteered to look at the references.
- Ryan showed the Security Committee Requirements Set and identified the ones that need to be updated. Some items might require someone to draft language. Requirement #15 might be the only requirement that needs outside research. The team discussed keeping the supplemental guidance approach consistent across all committees. An important goal of the supplemental guidance is to give a service provider who wants to self-assess guidance and clarity on what kinds of standards they should be attesting to. This includes making the guidance usable and understandable for users and self-attesters; it also helps them sell it within their organization. The Supplemental Guidance should not include implementation guidance. Agreed. In some cases a term might need to be expanded; agreed that the term could be hyperlinked to an existing definition. We do not need to redefine something if a definition already exists.
- A question was asked about a secure transport (TLS) requirement. Currently this appears only in the supplemental guidance: it is covered under the high-level baseline requirement #3 and its associated supplemental guidance, and under requirement #5. Some members of the team disagreed. We need to be able to describe this clearly. Suggestion: if this is a gap, someone should propose an update to what the requirement should be, and we would need an extension. Sal will provide draft language for the supplemental guidance around authentication techniques and hand it over to the FMO. The Security Committee should then discuss and approve it.
Wrap up and actions for next week
- Next meeting: May 28, 2015.
- Meeting was adjourned at 2:08 p.m.
- Adam to determine approach for task force. Outcome expected: recommend dispositions for supplemental guidance.
- Sal to provide language so that enhanced authentication techniques are captured as supplemental guidance. Alternatively, Sal to send an email to the list with his proposed language.