Meeting Notes

Attendees

Scott Shorter, KUMA – Coordinator (member)

...

Richard Wilsher, Zygma (observer)


Key discussion items


  • Scott made a presentation that included: Scope of the sub-group; Ground rules for requirements decomposition; Requirements Naming Scheme; Requirements Data Model; Work Plan; Timeframe; Participation - sub-group members; Logistics.

...

  • It was agreed that the Google spreadsheet would be the place to compile the work product.
  • It was asked if the edited / decomposed requirements are the same as the service assessment criteria. Andrew responded that the requirements from the source document will be closely linked to the service assessment criteria, by Kantara’s adoption process. The SAC are about how to demonstrate having fulfilled the requirement. Without dictating what assessors must do, this may convey specific tests or evidence.
  • RGW asked how to define an assessment method if you don’t know the solution. Andrew pointed out that this can point to a policy being in place without the implementation of the policy being validated in the text of the SAC. Each accredited assessor should be able to achieve the same conclusions, given the same evidence. If two assessors can’t agree on what nonconformities are, that’s a problem.

  • Scott provided the ISO definition of a requirement: “Expression in the content of a document conveying objectively verifiable criteria to be fulfilled and from which no deviation is permitted if compliance with the document is to be claimed” (source: http://www.iec.ch/members_experts/refdocs/iec/isoiecdir-2%7Bed7.0%7Den.pdf).

  • Andrew suggested that “assessment methods” could be “criteria”.

  • Richard commented that he is not yet persuaded that we need assessment methods. Colin responded that, depending on the requirement, we may state if the requirement is such that we can repeat it direct from the requirement. He envisions that we would have a category of terms to choose from to show the interpretation of the requirement.
  • David comments – Kantara ARB does not assess the methodology that assessors have used to determine conformity to the assessment criteria.  Assessors should indicate their approach in assessment plans in accordance with security review standards, but to date there’s been no methodology for individual assessment criteria reported by the assessor.  If the intention is to have an evaluation of the assessment method that qualified assessors apply, that’s a departure from the way assessments have been done to date.
  • Richard pointed out that it could impose an expertise qualification on the ARB. Andrew suggested that we may be overstating the significance of the assessment methods – if something must be assessed a certain way.  RGW suggests we are confusing how something may be required versus how it may be fulfilled.  Ex: CSP SHALL NOT misuse PII. We could have a criterion that shows that there must be a policy statement, we could also require that a credential policy.
  • Richard suggested that we strike step three from the plan. Identify the requirements and refine them.  Andrew noted different usage of requirements – for Andrew, the SAC are not the same as the requirements as stated in the standard. Richard said that requirements are normative statements from the source documents.
  • David has pulled the normative requirements from 63A and 63B.  Aakash suggested contributing his work on 63C.
  • David observed that there are different ways to pull out the requirements and organize them.  Organized by AL for 63A, by generalized authentication approach and specific authenticators in 63B.
  • David will look into potential errata on the source documents.

  • It was agreed that Google spreadsheet works with static snapshots.

  • Scott commented that the Kantara IAF has encoded assurance levels into each unique criterion, mapping to what is required for which level and which subset is applicable at levels 2 and 3.

Tasks for week 1

The tasks for week 1 are: Identification: analyze the source texts with the ground rules below to create a list of the requirements, conditions and recommendations.

ACTION ITEMS:

  • Mark Hapner volunteered to work with 800-63A

...