
Kantara Initiative Identity Assurance WG Teleconference

Call not at quorum


Date and Time

Agenda

    1. Administration:
      1. Roll Call
      2. Agenda Confirmation
    2. Discussion
      1. ALx_CO_ISM_#80 and ALx_CO_ISM_#90 (Ticket #287119)
        1. what is the scope of the audits specified?
        2. how was the frequency of the audits decided?
      2. Agile IAF - report re: FICAM's direction with components (Andrew)
      3. NIST 800-63 comparison update (Richard)
      4. NIST 800-162 - Guide to Attribute Based Access Control (ABAC) Definition and Considerations (Draft)
    3. AOB
    4. Adjourn

Attendees

  • Myisha Frazier-McElveen
  • Bill Braithwaite
  • Scott Shorter

As of 14 January 2013, quorum is 4 of 7

Non-Voting

  • Ken Dagg
  • Rich Furr

Staff

  • Andrew Hughes

Notes & Minutes

Discussion

Agile IAF


ALx_CO_ISM_#80 and ALx_CO_ISM_#90 - Ticket 287119

In section 4.3.3 CO_ISM - Information Security Management, CO_ISM#80 and CO_ISM#90 require Internal Service Audits and Third-Party Audits at specified frequencies (either 24 or 12 months depending on AL and type of audit). The rationale for changing from 24 months (independent audit) to 12 months was based on the idea that there must be a certified ISMS for LOA3, and in that ISMS there is most likely to be the requirement to conduct it each year.

I think these criteria could use an edit - there seem to be some parts that are unclear. AL[2,3,4]_CO_ISM#080 do say Internal Audit every 12 months; AL[3,4]_CO_ISM#090 say independent audit every 12 months.

At least three issues arise:

    1. At AL3 and AL4, the criteria appear to require a Third Party audit as well as an Internal Service audit every 12 months.
    2. The scope of the audits in both criteria could use some clarification. Do internal and 3rd party audits have the same scope? If so, then why do both? If not, then what should each focus on?
    3. If the scope is the ISMS only, would it be sufficient to provide evidence that a part of the organization conducts regular reviews, tests and assessments of the ISMS and its effectiveness - rather than explicitly calling out the 'internal audit function'?

What is the scope of the audits specified?

How was the frequency of the audits decided?

We need to either change the guidance, or change the rule, to be more clear.

  • This becomes more of a problem in AL3 - AL3 says two different audits for ISMS, and that those audits might be of different scope, but that's just a suggestion, not guidance; this is ambiguous enough to be open to an unacceptably wide interpretation.
  • Another interpretation is that you have to do both independent AND internal audit once you are at AL3, which seems excessive; this is different for AL2.
  • The reason there is an internal and an independent audit is that for AL2 and 3, ISM 80 seems to be a set of assumptions (see change log for v3).
  • Suggest having an internal audit alternating with an external audit every year.
  • Holding the conversation until RGW is available to discuss.

AOB

  • Andrew: who is going to IIW and IDESG next week? Bill Braithwaite (IIW), Scott Shorter (IDESG)

Next Meeting
