Drafting an introduction 'scene setting'

David W suggested a three document approach in the context of a broader goal, to include CSPs, outsourcers to Federal agencies acting as RPs and ultimately international, taking in a more generalised suite of use cases.

      • First Document - Focus on FICAM CSPs - Specific Requirements - a kind of privacy equivalent to the IAF's SACs, that extends beyond the IAWG's IAF Fed Privacy Profile - in essence a narrow focus and subset of the general use cases
      • Second Document - for Service Providers (SPs), which would broaden scope to outsourcers to Federal agencies acting as SPs/RPs (for example those offering cloud services) - in essence broadening the scope of the PAC to the likes of cloud service providers and NSTIC. This would further cover what is currently a gap, since such providers are not themselves Federal agencies and therefore do not need to comply with FICAM as if they were.
      • Third Document - Guidance for those US operations who need to operate in other privacy domains - in essence further broadening the scope of the PAC to the International/Inter-Federation spheres, to include the Article 29 WP etc. if going to Europe, for example.
      • David will make some comments on the Introduction
  • Opportunity
    • General agreement that there is a growing (and evolving) market need for various Privacy Assessment Criteria, in that at this time there is no PAC for many providers involved in credential management
  • Focus

    • Colin S suggested that, rather than starting narrow and broadening, we should set the scope to include all 3 above at the outset, and then tackle each as subsets of that whole, i.e. for P3 to market the PAC in the general case - with a specific first focus on FICAM - and to not pigeonhole the PAC effort to a FICAM-specific endeavor.

General discussion: What is needed is a specific set of requirements that assessors can easily locate in the target entity when doing assessments - taking the general guidance and Privacy Profile and producing specific requirements. Need to make this sufficiently concrete so the auditor has something concrete to work with.

Colin W suggested we just revise the current IAWG Fed Privacy Profile rather than putting this in the PAC. General consensus was to make this a two step process: create the first document (FICAM CSP focus) separate from the IAWG Fed Privacy Profile, and after Kantara completes its full 'approved' status as a Trust Framework Provider (rather than provisional as is now), look towards combining the two and submitting the PAC to FICAM as an approved assessment tool.

In addition, there is an action to look into the OIX privacy profile/assessment criteria for RPs.

  • Capture of Use Cases for Future PACs
    • Credential Service Providers (CSPs) for FICAM - If we help assessors locate what to assess, costs can be reduced significantly (a cost benefit analysis should be considered to market the PAC and raise additional resources to further develop the PAC)
    • SPs (Outsourcers) as described above
    • International Kantara case - this is the general case (best practices, applied to FICAM as an extension), as described above, leveraging the successful 'template' that will then have been created by documents 1 and 2.

3. Face-to-Face Meeting in Redwood City, CA, Oct. 20-21
- Did not discuss - Currently only one member of P3 is attending.

4. PAC Priorities and AOB (Any Other Business)