October 1, 2015 Meeting Page
From IDESG Wiki
SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft
- Mary Ellen Condon
- Ben Wilson
- David Temoshok
- Adam Migus
- Christine Abruzzi
- Hans Vargas
- Jim Kragh
- Paul Knight
- Steve Orrin
Linda Braun, Global Inventures
- Mary Ellen led the call. Notes taken by Linda Braun.
Agenda Review – as distributed by Mary Ellen in advance of the call (approved)
- Roll call; Quorum determination. Quorum was met.
- IPR policy reminder – https://www.idecosystem.org/system/files/filedepot/103/IDESG%20IPR%20Policy.pdf
- David Temoshok reviewed the SALS Program Overview with the Security Committee.
- SALS is a conformance assessment program initially using self-assessment and self-reporting. It implements IDEF V1. Any legitimate service provider in the ID ecosystem may apply. IDESG administers the SALS. Authorization to operate is December 31, 2015. This is not a federal system. It is important that there is a clear set of operational checks, including Security, Privacy, Standards and User Experience. What is the baseline against which we measure? That has not yet been determined. This is worth a discussion. We would like recommendations from the Security Committee for the system security. It is an operational program and the IDESG will be visible.
- We might be able to provide security for the website. We have to look collectively at our experience and knowledge and at what we have seen with similar operational programs before we go live. We understand what it means for a federal system to go live.
- Part of what the Security Committee can help with is contributing insight into what we can do. Any contributions the group can make as to the design or how the data is stored would be very helpful. We could do a risk assessment to map to. We are not mandated to do this, but there is enough to look at so we don’t have to reinvent. If the Security Committee is to play some role in the site, then we should take the discussion offline. Once we get the baseline requirements for v1.0 approved and the initial documentation set, then we need to look at what needs to be done to launch the program.
- The Security Committee has to decide whether it will play an operational role vs. a policy and strategy role, including the skill set required. IDESG may have to look at what it means to be an operational entity. This is different from what we are doing now. The change is from a developmental phase to an operational phase. We have gathered some resource requests that have been sent to the management council and need to add risk assessment. In addition to a risk-assessment project, we need to establish what the role of the Security Committee will be. TFTM has put together a list of things that need to be done. It may be a request to the other committees as well. The management council should be making the business decisions for IDESG.
- TFTM Recommendations – Fees
- Issue: No fees for the initial implementation. First 12 – 24 months, evaluate and make recommendation.
- IDESG membership should not be required for subscribers to apply.
- Partial compliance – do Service Providers who apply have to conform fully or only partially?
- TFTM Recommendations – Trust Marks – should the IDESG initially issue trust marks to SALS subscribers that attest to full compliance with the IDESG IDEF v1 requirements? Recommendation: No.
- TFTM Recommendations – Future Trust Mark – should the IDESG plan to administer and issue trust marks to organizations that are determined to be in full compliance with the IDESG IDEF v1 or future versions? Recommendation: No.
- SALS Initial Program Documentation (aka minimum viable product)
- SALS Program Overview
- SALS Application Package
- SALS Data Handling Policy
- SALS Data Types and Categorization
- Ben Wilson will send out these documents to the committee. If there are particular documents the committees want to review, please let us know. We recognize these are necessary documents to run the program. If there are additional drill downs, we will be happy to discuss. Ben commented that he just sent a .zip file to all chairs and would like to get feedback.
- SALS IDESG Self-Assessment Matrix
- The matrix shows the entries that applicants would provide in performing the assessment. Column 1 of the spreadsheet is the number of the baseline requirement. Column 2 is the presentation of the baseline statement. Column 3 is a link to the supplemental guidance that was just approved. The next columns are checkboxes for assessors: FULL CONFORMANCE, IMPLEMENTATION UNDERWAY, UNDER CONSTRUCTION, NOT APPLICABLE (CHANGED IN TAMPA: NOT UNDER CONSIDERATION OR NOT APPLICABLE), and COMMENTS/ADDITIONAL INFORMATION. This matrix will be submitted back to the IDESG as a PDF file.
- SALS Submission and Reporting
- Path A: Conformance Confirmation – for those that can fully attest; reconfirm annually, and re-assess and confirm every three years.
- Path B: Status Reporting – the assessed entity can attest to full conformance with some, but not all, applicable baseline requirements. It submits a status report on the implementation of baseline requirements where full conformance is not achieved. Status reports are submitted at least annually to update implementation status.
- Feedback from Plenary (Steve Orrin)
- The Security Committee attended the plenary with all our work done. Other teams spent a lot of their time working on final edits. SALS information, member status, membership fees coming up next year, but not figured out yet. Free ride is over. The challenge is what to budget for when a number of organizations are doing their budgets now. There may be tiered membership fees, i.e. Government, big companies, different membership pricing.
- Next projects for Security Committee working group:
- Methodology for Evaluation, Audit, and Measurement of compliance/conformance to NSTIC; Baseline Security Requirements (and Supplemental Guidance?) and Mapping of Baseline Security Requirements to existing Compliance/Control regimes. Targets: FISMA/800-53 r4 (already has mappings), ISO xxx, others. And a glossary of terms in baseline requirements with Security WG definitions.
- Jim Kragh and the Healthcare Committee will come to speak to the Security Committee (on future version release) in the next few meetings. October 15 targeted. Dr. Tom to confirm.
Wrap up and actions for next week
- Next meeting: October 8, 2015
- Meeting was adjourned at 2:03 p.m. EDT.
Action Items: None.