
Attendees:

Mickey Tevelow
Richard Wilsher
David Wasley
Linda Goettler
Myisha Frazier-McElveen
Ben Wilson
Bill Braithwaite

Apologies:
Richard Trevorah

Staff:
Anna Ticktin
Joni Brennan


Notes:

1. Administrative:

  • Roll call: quorum not reached
  • Motion for minutes approval: 21 Sept 2011, 26 Oct 2011

2. ARB update: Richard(s)

  • As the organization has moved through the Accreditation and Certification pilot, there are several issues the ARB would like to highlight to the IAWG for discussion and further action. Kantara would like to address some of the IAF materials, highlight any updates to FICAM and seek their review and (re)approval (IAF 2.0: pending action item).
  • AQR updates were circulated via the list. (Edited to v0.9).
  • Those with an AICPA background seeking pre-qualification are often based in accounting and not InfoSec.
  • The ARB created a new requirement, AO.0, asking that any applicant must demonstrate proven capability in the InfoSec audit domain. It does not, however, specify any recency requirement.
  • The ARB is asking the IAWG to understand, absorb and accept these changes and to address the other 4 outstanding changes annotated in the document. The WG will take action to review and respond to the proposed changes.

Discussion: Management Assertion Letters / Period vs. Point-in-Time Audits (Richard Trevorah)
Discussion: Need for Identity Proofing Criteria (Richard Wilsher)

  • Carried to next week's call

3. AOB
Discussion around profile development and management (Joni)
When binding the US FPP to FICAM, should profiles remain in WG "Report" status?
If the whole of Kantara has to vote to approve a profile that layers on and will ultimately only be used by a particular entity, will that deter a stakeholder from bringing something forward?
Should layered-on profiles remain with the community that intends to apply them, and thus remain WG reports?
FICAM has introduced requirements beyond scope because these changes are tantamount to making a fundamental change to the SACs. But if we determine that a profile is domain or sector specific, RGW feels these "sub-set" standards should remain profiles vetted by that community and could remain "reports".
David Wasley feels that both the entity authoring the change and ICAM should be reviewing this documentation because IdPs will be unilaterally responsible in determining a profile's application.

Core or subset of core = reports, but use cases should go through an all-member ballot.
David Wasley believes that the US FPP does reach out to broader communities and they should consider these SACs in order to engage with the Federal Government.

  • New stringent requirements should go to all-member ballots
  • but core or subset of core could remain WG "report"
  • extensions of criteria will run through an all-member ballot
  • additional criteria_XX

Name change: Additional Criteria: US Federal Privacy (capture this in the AAS? template doc for profiles, profile proformae?) ** add to the IAF stack of changes; change request to the AAS + discussion on IAWG "profile vs. additional criteria"
Notice of the name change to the all-members list, FICAM, and notice to the LC
(attach title change and context of why, so we can search for it again in the future)

Capture the precedent / rules:
recapture where the doc recaptures itself

Profile is a change on a "standard"

Proposing a change in the file name to "report" and capturing that for FICAM, updating the document and running the US FPP report through an all-member ballot.

Adjourned.
