  • It was commented that there is no specific priority on the sections; we want them all done and we should drive towards completion on all of them.

  • David T reported that NIST is working on a list of requirements pulled from 63A and 63B. Work group would appreciate the contribution. Ken inquired why A and B rather than C. David responded that the task is to find common mappings with GPG44/45 of UK cabinet office, and a range of Canadian government documents.  GPG44/45 correspond to 63A and 63B. Federation as an operational component was beyond the scope of that mapping.  May need to turn to 63C when they get to operational stage of this project.

  • Andrew commented that compliance is the wrong word and suggested ‘conformity’, defined as fulfilling the requirements.

  • Andrew provided a suggestion about the 'assessment methods' piece - Paul Grassi mentioned yesterday on the TFP call that NIST is aiming to produce a 63-3 guidance document in around January 2018. Maybe the 'assessment methods' piece might be dealt with as that material develops.

  • David pointed out that the IAF has to date required qualified assessors to determine the assessment methodology to apply to the SAC. Documenting assessment methods goes beyond the current scope of the IAF; qualified assessors would determine assessment methodologies to their satisfaction. So he asked whether this is a conscious expansion of the scope of the IAF. Colin responded that we’re trying to clarify more than anything else. There may be a need to codify aspects of the assessment methods, a middle ground between nothing and fully open.

  • David noted that the initial work plan task was to state the requirements as a clearly understandable set of criteria that qualified assessors would be in a position to evaluate.

  • Colin stressed that the general objective is to give a general approach and broad guidance.
  • Scott commented that we cannot say that these are the required assessment methods because there is no external standard driving those requirements; we are here to identify the requirements in the source documents. We can talk about “potential assessment methods”. There is a difference between common organizational and functional criteria in the IAF, and a distinction between security assurance requirements and security functional requirements. The guidance is full of functional requirements on what the CSP shall do, and gives little guidance on how we know that they do it. Although the assessor determines the amount of activity, a middle ground would be to find some equivalent where the potential level of effort could go to verifying different types of functional requirements. For example, explain why third-party assessment is better than self-assessment.

AH: Content on the rules for assessment, i.e. how certain aspects must be done.

  • Andrew suggested that the assessment methods comment is around putting more content into rules for assessment.

Mark asks if the overall goal is Kantara’s assessment of assessors. This is an update to the Identity Assurance Framework (IAF), which includes requirements on assessors as well as on service providers. This is the process of changing Kantara’s criteria to reflect 63-3. Who is going to use it? RGW answers that Kantara accredited assessors will use the decomposed requirements work product to judge the service providers.

RGW asks whether the common organizational SAC is still applicable; it is a fundamental one that has to do with what Kantara can say when it grants approval after a 63-3 assessment. CO-SAC contents (in RGW’s opinion) are not covered by 63-3.

Ken mentions that the new document coming from FICAM could necessitate the enhancement of CO-SAC.

David asks: the IAF has to date required qualified assessors to determine the assessment methodology to apply to the SAC. Documenting assessment methods goes beyond the current scope of the IAF; qualified assessors would determine assessment methodologies to their satisfaction. Is this a conscious expansion of the scope of the IAF?

Colin responds that we’re trying to clarify more than anything else. There may be a need to codify aspects of the assessment methods, a middle ground between nothing and fully open.

David notes that the initial workplan task was to state the requirements as a clearly understandable set of criteria that qualified assessors would be in a position to evaluate.

Andrew suggests that the assessment methods comment is around putting more content into rules for assessment.

  • Richard responded to Mark’s question on who will use the work product, saying that Kantara accredited assessors will use the decomposed requirements work product to judge the service providers.

  • RGW affirmed that CO-SAC contents are not covered by 63-3.
  • Ken mentioned that the new document coming from FICAM could necessitate the enhancement of CO-SAC.

  • Ground rules were agreed
  • DT suggested including conditional requirements.
  • It was commented that conditional controls will take place if you choose a certain authenticator or a certain registration workflow.
  • Aakash pointed out that unlocking a mobile phone, for example, is not considered biometric authentication. This requirement applies during the phone unlocking scenario.

  • David inquires: we’re intending that this will not follow the IAF, is that correct? Scott: It is not part of our task to work with the current IAF. Make a comparison to see where the IAF needs adjustment to the new requirements.

Andrew suggests that the direct reference method is useful during this exercise. An independently named scheme will be useful in the long run; we should be ready to impose a Kantara-specific naming scheme.