IAWG Meeting Notes 2011-11-16
Attendees:
Mickey Tevelow
Richard Wilsher
David Wasley
Linda Goettler
Myisha Frazier-McElveen
Ben Wilson
Bill Braithwaite
Apologies:
Richard Trevorah
Staff:
Anna Ticktin
Joni Brennan
Notes:
1. Administrative:
- Roll call: quorum not reached
- Motion for minutes approval: 21 Sept 2011, 26 Oct 2011
2. ARB update: Richard(s)
- As the organization has moved through the Accreditation and Certification pilot, there are several issues the ARB would like to highlight to the IAWG for discussion and further action. Kantara would like to address some of the IAF materials, highlight any updates to FICAM and seek their review and (re)approval (IAF 2.0---pending action item).
- AQR updates were circulated via the list. (Edited to v0.9).
- Those with an AICPA background seeking pre-qualification are often based in accounting and not InfoSec.
- The ARB created a new requirement AO.0 — asking that any applicant must demonstrate proven capability in the InfoSec Audit Domain. But it doesn't ask for recency requirements.
- The ARB is asking the IAWG to understand, absorb and accept these changes and to address the other 4 outstanding changes annotated in the document. The WG will take action to review and respond to the proposed changes.
Discussion: MGMT Assertion Letters / Period vs Point of Time Audits (Richard Trevorah)
Discussion: Need for Identity Proofing Criteria (Richard Wilsher)
- Carried to next week's call
3. AOB
Discussion around profile development and management — Joni
- When binding US FPP to FICAM, should profiles remain in WG "Report" status?
- If the whole of Kantara has to vote to approve a profile that layers on and will ultimately only be used by a particular entity, will that deter a stakeholder from bringing something forward?
- Should layered-on profiles remain with the community that intends to apply them, and thus remain WG reports?
- FICAM has introduced requirements beyond scope because these changes are tantamount to making a fundamental change to the SACs. But if we determine that a profile is domain or sector specific, RGW feels these "sub-set" standards should remain profiles vetted by that community and could remain "reports".
- David Wasley feels that both the entity authoring the change and ICAM should be reviewing this documentation, because IdPs will be unilaterally responsible for determining a profile's application.
- Summary: core or subset of core = reports. But use-cases should go through an all-member ballot.
David Wasley believes that the US FPP does reach out to broader communities and they should consider these SACs in order to engage with the Federal Government.
- Extensions of criteria will run through an all-member ballot
- Proposed nomenclature: additional criteria_XX
- A profile is considered a change on a "standard"
Actions:
- Proposed name change — Additional Criteria: US Federal Privacy
- ACTION ITEM 20111116-01 Anna / IAF Editor: capture the above naming convention in the AAS and template docs for profiles (or create profile proformae?)
** add to the IAF stack of change requests to the AAS **
- Submit notice of the name change to the all-members list, FICAM and the LC. (Create an original thread and attach the title change and the context of why, so we can search for it for future reference, if necessary.)
- Editing notes: "Recapture" the title change where/when referenced within the document itself.
- This updated document will continue through an all-member ballot, but as an approved WG report