
Agenda

1. Roll Call

Peter Capek
Susan Landau
Colin Soutar
Colin Wallis
Rich Furr
Trent Adams
Mark Lizar
John Bradley
David Wasley

2. PAC - Privacy Assessment Criteria - Please Review and Comment

Drafting an introduction ('scene setting')

David W suggested a three-document approach in the context of a broader goal, to include CSPs, outsourcers to Federal agencies acting as RPs and ultimately international, taking in a more generalised suite of use cases.

  • First Document - Focus on FICAM CSPs for the first document - a kind of privacy equivalent to the IAF's SACs, that extends beyond the IAWG's IAF Fed Privacy Profile - in essence a narrow focus and subset of the general use cases
  • Second Document - Outsourcers to Federal agencies acting as SPs/RPs (for example, those offering cloud services) - in essence broadening the scope of the PAC to cover what is currently a gap, since such folk are not themselves Federal agencies and therefore do not need to comply with FICAM as if they were.
  • Third Document - Guidance for those US operations who need to operate in other privacy domains - in essence further broadening the scope of the PAC to the International/Inter-Federation spheres - to include the Article 29 WP if going to Europe, for example.
  • David will make some comments on the Introduction

Opportunity
  • General agreement that there is a growing (and evolving) need for various Privacy Assessment Criteria, in that at this time there is no PAC for many providers involved in credential management

Focus

Colin S suggested that, rather than starting narrow and broadening, we should set the scope to include all 3 above at the outset, and then tackle each as a subset of that whole, i.e. for P3 to market the PAC in the General Case - with a specific first focus on FICAM - and not pigeonhole the PAC effort as a FICAM-only endeavour.

General discussion: What is needed is a specific set of requirements that assessors can easily locate in the target entity when doing assessments - taking the general guidance and Privacy Profile and producing specific requirements. This needs to be sufficiently concrete that the auditor has something concrete to work with.

Colin W suggested we just revise the current IAWG Fed Privacy Profile rather than putting this in the PAC. General consensus was to make this a two-step process: create the first document (FICAM CSP focus) separate from the IAWG Fed Privacy Profile, and after Kantara completes its full 'approved' status as a Trust Framework Provider (rather than provisional, as is now), look towards combining the two and submitting the PAC to FICAM as an approved assessment tool.

  • Capture of Use Cases for Future PACs
    • CSPs for FICAM - If we help assessors locate what to assess, costs can be reduced significantly
    • SPs (Outsourcers) - as described above
    • International extension - as described above, leveraging the successful 'template' that will then have been created by documents 1 and 2.

3. Face-to-Face Meeting in Redwood City, CA, Oct. 20-21

  • Did not discuss

4. PAC Priorities and AOB (Any Other Business)

  • FICAM is the first priority, but put in the context of Kantara's General Privacy Assessment Criteria