2024-03-14 Meeting Notes

Meeting status metadata

Quorum

quorate

Notes-Status

approved

Approved-Link

2024-03-28 IAWG Meeting Notes

The meeting status metadata table is used for summary reports - copy the status macros from the table in these instructions:

Quorum: quorate not quorate

Notes-Status: drafting Ready for review approved

Approved-Link: Insert a link to the Meeting Notes page holding the approval decision for this notes page

 

Agenda

  1. Administration:

  2. IAWG Actions/Reminders/Updates:

  3. Discussion:  

  4. Any Other Business

 Attendees

Voting participants: Richard Wilsher, Jimmy Jung, Andrew Hughes, Yehoshua Silberstein, Mike Magrath

Non-Voting Participants: Jazzmine Dowtin, Eric Thompson

Guests: Liza Balzerit

Staff: Amanda Gay, Kay Chopard, Lynzie Adams

Quorum determination

Meeting is quorate when 50% + 1 of voting participants attend

There are <<7>> voters as of <<2023-03-14>>

Approval of Prior Minutes

Motion to approve meeting minutes listed below:

Moved by: Jimmy Jung, for unanimous consent. No objections. Motion passes.

 

Link to draft minutes and outcome

Discussion

Link to draft minutes and outcome

Discussion

  1. Motion to approve meeting minutes listed below. Moved by: Jimmy Jung, for unanimous consent. No objections. Motion passes.

2024-02-22 DRAFT Minutes

2024-02-29 DRAFT Minutes

 

 Discussion topics

Time

Item

Presenter

Notes

Time

Item

Presenter

Notes

 

Kantara Updates

Kay

  • 2 new UK auditors will be starting next week.  

  • UKAS has informed Kantara that we are officially in the queue for ISO 17065 accreditation, with the first desk audit scheduled.

 

Continue discussion on second criteria question #0180 (superior v. strong evidence) with an updated version of Richard’s proposed alternative/comparable criteria (sent 2024.02.22)

Richard Wilsher

  1. Evidence selection and risk acceptance

  2. 63A#0700-put to IAWG sometime back, Richard used them, and tagged with 63A with modifications to truly represent 63 rev 5.4

    1. They don’t make any distinction for particular criteria strengths are affected

    2. Derived normative statements from this, aiming to tell people what they have to do (employ comparable alternatives, as long as they are justified)

    3. How to best consider the risks that may be introduced through the use of the alternative controls?  There needs to be internal acceptance of the comparative risk that it is a manageable risk.

  3. AHughes: Kantara focuses on evidence selection and validation and NIST is more general (guidance applicable to all requirements) - so are we narrowing this down to just evidence selection?

  4. Richard-NIST has written things that just don’t work in the real world, due to variations that occur

    1. How do we maintain rigor with the constraints currently in place to back it up?

  5. AHughes: AAL/FAL, 5.4 all of this is referenced and covered - will this cause a future assessment  issue by narrowing the criteria?

    1. Kantara criteria says IAL applicability, NIST says IAL/AAL/FAL applicability-is that significant?

  6. Lynzie: In the past, the ARB noted this came up in an assessment, and they did not think of these as a requirement.  This gave the assessors and CSPs something to judge against, but not that everything would fit perfectly into the box.  If an assessor/CSP had a better way to demonstrate conformance, that would be OK (with adequate justification).

  7. Richard-rewrite to make more generic?  If it is softened, how to make sure it is just as good as NIST?

    1. Some flexibility is available by saying “not applicable” and then justifying it

    2. Another option: Develop an additional criterion that says “if you are going to use these, you need a good definition of what you are trying to do” (requiring the explicit/exact criteria the  CSP/assessor is trying to replace/modify)

    3. Need a definition/scope for the comparability

    4. Define the problem: evidence selection and validation

  8. Yehoshua: Open to a comparable alternative as long as the asessor/CSP can fully document why this slightly different approach works better

    1. Less worried about making it expansive because they have  starting point and clear direction to fully explain their approach

  9. Richard: More worried about someone saying we don’t do any of “that” (63A) and offering a long list of alternatives

  10. Yehoshua:  Each criteria that had a proposed alternative would need to be identified and and alternative justified

  11. Richard:  How far can we allow them to go with alternatives?  Justify an alternative for every criteria?  There could potentially be consistency issues with assessments.

  12. Yehoshua:  Include compensating controls, per 5.4 language

  13. Jimmy:  Either we are allowing comparability or not, and the reality is that if someone may want to do 200 comparable controls and pay for that.  SoCA already includes a “comparable” columnWe should make the expectations clear that justification will be needed, but we can’t “sortof” allow comparability.

  14. Eric: It’s expected that more rigor would apply in the assessment with comparability

  15. Richard: We should mandate the use of whatever controls we choose to use for alternative criteria to give consistency (a consistent set of inputs) to assessments being presented to the ARB.

  16. Andrew Hughes: Is there a market advantage to giving comparable control, if someone has found an alternative way to do something (a cheaper way)?

    1. Should this be a Kantara concern?

    2. Lynzie: Comparable controls are not published on the Trust Status List

  17. Jimmy Jung:  Perhaps the SoCA does need to say a comparable control was used here.

    1. Yehoshua and Mike Magrath in agreement.

    2. Mike M: having a long list of comparable controls could lead to government agencies questioning the assessments

    3. Yehoshua: Is it the level of documentation of how it is comparable?

  18. Andrew Hughes: Is the assessor evaluating what the CSP is delivering or evaluating how well the CSP delivers what the client wants?

    1. It depends on where the client wishes are written (Richard)

      1. Service definition v. letter

  19. Yehoshua:  If we separate the function from the form (if something doesn’t have the properties), then it isn’t a comparable alternative, it’s just an alternative.  

  20. Eric:  Should go back to the risk mitigation component versus specific evidence (if it is tied to specific evidence, it is artificially constrained)

    1. It should go back into the CRPS and the policy that is shared with every client (and understood by the client)--where the assessor would be looking at this as evidence that supports it.

  21. Andrew:  So if a client comes to Kantara and proposes a comparable control, and it’s justified via their assessor, but a future customer of the client asks for more compensating controls, do we do a comparable assessment with the client and their customers?  Do we always have to do it?

    1. Richard-we don’t want to get involved with customers.  We assess whether a service meets its description in terms of policy and conformity to the Kantara published criteria

  22.  Comparability seems to be the way to go, but what is the rubric for acceptance/evaluation?

 

  • Review a clean copy of Yehoshua’s draft of criteria #1810 (multi-factor authentication) 

Andrew Hughes

  1. No other edits from the group, this is considered final.

  2. The edits are deemed clarifying, yet non-material and would not affect any assessments, so this will be incorporated into the next set of criteria changes and updates.

  1. Andrew Hughes moves to accept the updated text (clean copy of Yehoshua’s draft of criteria #1810 ) as a non material change. Richard Wilsher seconds, motion passes with no objections.

 Open Action items

Action items may be created inline on any page. This block shows all open action items from all meeting notes.