September 10, 2015 Meeting Page

From IDESG Wiki
Jump to: navigation, search

SECURITY COMMITTEE / FUNCTIONAL MODEL MEETING NOTES - draft

Attendees

  • Mary Ellen Condon
  • Adam Madlin
  • Paul Knight
  • Steve Orrin
  • Sal D’Agostino
  • Bob Pinheiro
  • Martin Smith
  • Paul Knight
  • Hans Vargas
  • Linda Braun, Global Inventures


Meeting Notes

  • Mary Ellen led the call. Notes taken by Linda Braun.



Discussion Notes

  • Supplemental Guidance and feedback from FMO. Mary Ellen reviewed the feedback from the FMO in the IDESG Baseline Requirements and Supplemental Guidance document.
  • SECURE-2. DATA INTEGRITY (text from FMO)
    • New alternative added text, for Plenary consideration: append this sentence to the end: "Entities MUST have risk-based countermeasures and safeguards in place to resist common threats to identity solutions and identity data, including such threats include but are not limited to: Session hijacking; Eavesdropping; Theft; Man-in-the-middle; Online Guessing; Replay; Unauthorized copying or duplication; and Insider Threats." [This would more clearly elevate the independent 'countermeasures' mandate to Requirement status. We also recommend the slight grammar edit as marked in this footnote, to fit it into the Requirement.] [This sentence should only be deleted IF the Requirement amendment is adopted; it should be retained and converted to "should" otherwise.]
    • Response from Security Committee: Rejected. Suggestion is to move to Supplemental Guidance, SECURITY -1 PRACTICES.
  • SECURE-5 CREDENTIAL ISSUANCE (text from FMO)
    • New alternative added text, for Plenary consideration: append this sentence to the end: "Where [registration and credential issuance] [these two functions] are executed by separate entities, procedures for ensuring accurate exchange of registration and issuance information MUST be included in business agreements and operating policies." [This would more clearly elevate the independent 'business agreements' mandate to Requirement status. See also INTEROP-8. We also recommend the slight grammar edit as marked in this footnote, to specify which "two functions" are references.] [This sentence should only be deleted IF the Requirement amendment is adopted; it should be retained and converted to "should" otherwise.]
    • Response from Security Committee: Rejected. Shouldn't be in Security requirements.
  • SECURE-10. UPTIME
    • New alternative added text, for Plenary consideration: "for availability of their services. , including documented policies to address disaster recovery, continuity of business, and denial of service prevention/recovery." [This would add the specific policies listed by the committee in the supplemental guidance into the Requirement itself, adding them to the mandate. We also recommend the slight grammar edit as marked in this footnote, to specify which "two functions" are being referenced.] [This sentence should only be deleted IF the Requirement amendment is adopted; it should be retained and converted to "should" otherwise. We also have recommended adding a new cross-reference to INTEROP-5, which may also be a helpful partial explanation.]
    • Response from Security Committee: Rejected. We don’t need to add anything to our requirements. Reference to what we are doing is in Interop-5 so we don’t need to add anything to our requirements. Narrative comments don’t add anything of value.

New business

  • None.
  • Mary Ellen will not be attending the Plenary, Steve Orrin, Adam Madlin, Paul Knight,and Adam Migus will attend.


Wrap up and actions for next week

  • None noted.


  • Next meeting: September 17, 2015
  • Plenary is in Tampa, September 24 & 25, 2015. The Management Council meeting is September 23, 2015.
  • Meeting was adjourned at 1:56 p.m. EDT.


Action Items

  • Mary Ellen will draft responses and have Steve review before sending Security comments back to FMO.




Quick Links: Security Committee | Functional Model | Security Committee Meeting Notes | Security Committee Content