...

Meeting notes: 

Administrative items:

IAWG Chair Ken Dagg called the meeting to order at about 1:04PM (US Eastern), and called the roll. It was noted that the meeting was quorate. 

Minutes approval: Mark King moved approval of the draft Minutes of the IAWG meeting of Aug 12. Richard W. seconded. The minutes as distributed were approved unanimously.

Staff reports and updates: ED Kay Chopard – New APM Lynzie Adams starts next week on Monday. Hope she will be on the next IAWG call. Kay invites anyone to offer suggestions re: any Kantara issues, strategy, etc.

LC reports and updates: Ken – The LC met yesterday. There was a discussion of the appropriate scope of activity of Kantara WGs and DGs. Results to be communicated to all when guidance is finalized. Ken says IAWG's activities seem to be well within our appropriate scope.

Ken reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Requests can be sent to Ken D or Kay C.

Discussion:

Finalize proposed criterion language regarding "comparable alternative controls (CACs)."

Ken invited Richard W. to comment.

Richard thinks the "make available" discussion last week (which he reviewed via the recording of the meeting) was off-target. The term "make available" has been used for a long time in Kantara criteria texts, and has not caused a problem. Don't tell them how.

Martin – need to send an alert, per David.

Richard W. -- The principle is to tell assessees what must be done, not how to do it.

Martin S. – In proposing a more pro-active approach, I think we were taking account of NIST's David T's reported view, that use of an alternative control should be an explicit client (i.e., RP) risk decision taken at the executive level, and that Kantara should not appear to be endorsing the service-provider's assertion that an alternative control is "comparable."

Richard W. -- But Kantara can't make the RP do something. We might further ensure the RP's attention via things we already do, like requiring a statement of criteria applicability; we might also consider requiring that use of a CAC is "mentioned" explicitly at least in their published material.

Martin S.: Assuming we do want to take account of David T's viewpoint, it seems we need to find some way to make sure the RP is specifically alerted to the use of a CAC.

Ken: should we add to the criterion that the RP acknowledge receipt of the CAC information? Jimmy J. - that would not be possible or effective – the RPs won't read it. But if KI provided notice we would have done all we can.

Ken: Given this discussion, is it OK with everyone to go with "no change"?

Jimmy J: can we put in the "Notes"/comment column of the criteria spreadsheet that we (KI) are going to publish the fact of CAC? If we do something unusual, we need to make sure they (the RP) know about it.

Richard W: Maybe mod language to "make avail": publish how you determined CAC and config requirements to make sure it is CAC. Fact of use in S3A could be noted.

...