...
Drafting an introduction 'scene setting'
David W suggested a three-document approach in the context of a broader goal: to include CSPs, outsourcers to Federal agencies acting as RPs and, ultimately, international parties, taking in a more generalised suite of use cases.
- First Document - Focus on FICAM CSPs for the first document - Specific Requirements - a kind of privacy equivalent to the IAF's SACs, that extends beyond the IAWG's IAF Fed Privacy Profile - in essence a narrow focus and a subset of the general use cases (the General Case).
- Second Document - for Service Providers (SPs), which would broaden the scope to outsourcers to Federal agencies acting as SPs/RPs (for example those offering cloud services) - in essence broadening the scope of the PAC to the likes of cloud service providers and NSTIC. This would further cover what is currently a gap, since such folk are not themselves Federal agencies and therefore do not need to comply with FICAM as if they were.
- Third Document - Guidance for those US operations who need to operate in other privacy domains - in essence further broadening the scope of the PAC to the International/Inter-Federation spheres - to include the Article 29 WP etc. if going to Europe, for example.
- David will make some comments on the Introduction
- Opportunity
- General agreement that there is a growing (and evolving) need for various Privacy Assessment Criteria, in that at this time there is no PAC for many providers involved in credential management.
- Focus
Colin S suggested that, rather than starting narrow and broadening, we should set the scope to include all 3 above at the outset, and then tackle each as a subset of that whole, i.e. for P3 to market the PAC in the General Case - with a specific first focus on FICAM - and not pigeon-hole the PAC effort as a FICAM-only endeavour.
General discussion: What is needed is a specific set of requirements that assessors can easily locate in the target entity when doing assessments - taking the general guidance and Privacy Profile and producing specific requirements. Need to make this sufficiently concrete so the auditor has something concrete to work with.
Colin W suggested we just revise the current IAWG Fed Privacy Profile rather than putting this in the PAC. General consensus was to make this a two-step process: create the first document (FICAM CSP focus) separate from the IAWG Fed Privacy Profile, and after Kantara completes its full 'approved' status as a Trust Framework Provider (rather than provisional, as is now), look towards combining the two and submitting the PAC to FICAM as an approved assessment tool.
- Capture of Use Cases for Future PACs
- Credential Service Providers (CSPs) for FICAM - if we help assessors locate what to assess, costs can be reduced significantly.
- SPs (Outsourcers) - as described above.
- International Kantara Case - the General Case - Best Practices applied to FICAM as an extension, as described above, leveraging the successful 'template' that will then have been created by documents 1 and 2.
3. Face-to-Face Meeting in Redwood City, CA, Oct. 20-21
- Did not discuss
4. PAC Priorities and AOB (Any Other Business)
...