Drafting an introduction 'scene setting'

David W suggested a three document approach in the context of a broader goal, to include CSPs, outsourcers to Federal agencies acting as RPs and ultimately international, taking in a more generalised suite of use cases.

      • First Document - Focus on FICAM CSPs for the first document - Specific Requirements - a kind of privacy equivalent to the IAF's SACs, that extends beyond the IAWG's IAF Fed Privacy Profile - in essence a narrow focus and subset of the general use cases
      • Second Document - for Service Providers (SPs), which would broaden to outsourcers to Federal agencies acting as SPs/RPs, for example those offering cloud services - in essence broadening the scope of the PAC to the likes of cloud service providers and NSTIC, and further covering what is currently a gap, since such folk are not themselves Federal agencies and therefore do not need to comply with FICAM as if they were.
      • Third Document - Guidance for those US operations who need to operate in other privacy domains - in essence further broadening the scope of the PAC to the International/Inter-Federation spheres - to include the Article 29 WP etc. if going to Europe, for example.
      • David will make some comments on the Introduction
  • Opportunity
    • General agreement that there is a growing (and evolving) need for various Privacy Assessment Criteria, in that at this time there is no PAC for many providers involved in credential management
  • Focus

Colin S suggested that, rather than starting narrow and broadening, we should set the scope to include all 3 above at the outset, and then tackle each as subsets of that whole, i.e. for P3 to market the PAC in the General Case - with a specific first focus on FICAM - and not pigeonhole the PAC effort as a FICAM-only endeavour.

General discussion: What is needed is a specific set of requirements that assessors can easily locate in the target entity when doing assessments - taking the general guidance and Privacy Profile and producing specific requirements. Need to make this sufficiently concrete so the auditor has something concrete to work with.

Colin W suggested we just revise the current IAWG Fed Privacy Profile rather than putting this in the PAC. General consensus was to make this a two step process: create the first document (FICAM CSP focus) separate from the IAWG Fed Privacy Profile, and after Kantara completes its full 'approved' status as a Trust Framework Provider (rather than provisional, as is now), look towards combining the two and submitting the PAC to FICAM as an approved assessment tool.

  • Capture of Use Cases for Future PACs
    • Credential CSPs for FICAM - If we help assessors locate what to assess, costs can be reduced significantly
    • SPs (Outsourcers) as described above
    • International Kantara Case - Is the General Case - Best Practices -- Applied to FICAM extension - as described above, and leverage the successful 'template' that will then have been created by documents 1 and 2.

3. Face-to-Face Meeting in Redwood City, CA, Oct. 20-21
- Did not discuss
4. PAC Priorities and AOB (Any Other Business)