...

  • is it a good idea to go through the status of the work with the P3WG? (Nathan) yes; it would be good to resolve the question opened on the last call that the privacy guidance should just be pulled directly from FICAM; (Colin) understanding is that additional specificity is required for assessors to actually apply that guidance; this question can be posed and the proposed answer put in the slide deck for the F2F since the question keeps coming up
  • do we feel there is value in working on the items yet to be discussed above? Yes -
    • No Activity Tracking
      • (Nathan) suggest we strike the word "Federal" with the idea that the privacy guidance will be both for federal, commercial, public/private sector; (Tom) but isn't that the limit that we are working under, that this is against the FICAM requirement? (Nathan) good question; thought this was supposed to be more general; for example, Europoint has been approved as an assessor in Sweden, and as an accredited assessor they can perform a privacy assessment; (Myisha) would agree; while the initial requirements came from FICAM, this was intended to be more general, and more specificity can go in a profile similar to the model for the SAC; (Colin) the initial target was only FICAM and expectation was that it would broaden out to be more general in the future; (Tom) if we get to the point we're doing a general document, we need to do a lot more thinking about what's in and what's out, particularly on the topic of No Activity Tracking; outside of FICAM there is no law preventing tracking; (Anna) taking a position that there is no law and so we shouldn't do anything does not make sense; (Tom) that is not what was being advocated, just that it is open to debate except under FICAM; (Nathan) maybe it is a matter of testing whether they perform some sort of activity tracking, reviewing the EUA to that tracking, and then performing tests that check the data the org gets against the EUA and whether it is anonymized; basically, follow the chain of the use; (Anna) what does that buy you if you essentially have no choice? (Nathan) words are observe, inquire, and inspect; auditor could say "would like to observe the LDAP directory and other components as they receive messages related to the credential. Would like to see the information sent to the Relying Party. Would like to see if any info is received back from the RP after they receive their information." Need to give the auditor the room/opportunity to inspect the information flow
    • Dispute Resolution
      • (Nathan) have audited against something similar to this criterion; usually moves to inquiring about the process and whether any disputes were logged over the audit period, then inspecting documentation related to disputes that were logged, and then inspecting further documentation to note when the dispute was logged, how long it took to be resolved, and whether the dispute was resolved to the satisfaction of party X
      • (Anna) what would the user be disputing? the credential, the data tied to the credential, other? (Tom) the CSP's handling of their information? (Anna) what would trigger them since they cannot see what the CSP is doing? (Nathan) credential suspended/revoked without notification to end user, they could get anomalous transactions they didn't approve, it could be the credential is used by someone else; (Anna) what about user being wrongly denied a credential? Or is FICAM restricted to the credential itself? we need to know what the person is able to dispute. (Tom) this struck me as similar to the EU Safe Harbor rules, where they have to provide a dispute resolution process for the data; the issues discussed so far can have privacy implications but are not privacy-focused; we should be limited to looking at privacy dispute resolution, not the broader scope of is the CSP doing their job properly? (Anna) what is in the IAF, and are we writing new criteria or an amendment to their criteria? (Nathan) this should fall out with inquiry to management regarding the dispute resolution process; (Tom) the issue that Anna is raising is that we perhaps should not be raising this ourselves, it should be part of the IAF
      • (Colin) what has happened is that the docs have been created in a bolt-on manner and so reflect a couple of different things; before P3WG was actively involved, the IAWG conceived a doc, which we are using as a basis for this, that relates to additional requirements for CSPs intending to be accredited under the FICAM program; so some things need to go in the FICAM profile via IAWG work; a matrix diagram would be helpful; (Myisha) if the IAWG does take on something like Dispute Resolution, it would be along the lines of having an inappropriate credential issued; it would not capture privacy components; (Anna) then we should add additional assessment criteria to the privacy piece, but it should be part of the overall Dispute Resolution set; it would be helpful to have this all together. A statement that says when you do a dispute resolution process, people need to be able to dispute X, Y or Z. Still don't know who will be allowed to do the Dispute Resolution and whether they will be authorized to adjudicate on Privacy as well as other issues
  • Colin will summarize where things stand now, circulate that along with a summary we can present to the broader Kantara group, and see where we go from there

...