2022-06-09 Minutes
Attendees:
Voting Participants: Andrew Hughes, Martin Smith, Mark Hapner, Mark King, Maria Vachino, Richard Wilsher, James Jung
Other IAWG Members: Colin Wallis
Guests: Matt King, Lesley O'Neill, Michael Magrath, Ryan Kirchoff, Scott Perry
Staff: Lynzie Adams, Kay Chopard
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval - 2022-05-19 DRAFT Minutes
General Updates
Assurance Updates
Requests to IAWG for Comment
Discussion:
Assurance Program - Classes of Approval, Service Descriptors discussion
Any Other Business
Meeting Notes
Administrative Items:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes approval: Martin Smith motioned to approve the draft minutes from the May 19 IAWG meeting. Maria Vachino seconded the motion. The minutes were approved unanimously.
General Updates:
Kay - Kantara will be represented and presenting at both Identiverse in Denver and Identity Week in London later this month.
Assurance Updates:
Maria - 63-4 still lated to release in Q3. David Temoshok will be speaking at FedID September 6-9 in Atlanta. Andrew suggested Kantara list the event on the website with a note that members are attending.
Discussion:
Assurance Program - Classes of Approval/Service Descriptors
Andrew started discussion with following questions to consider:
We see vendors selling 'proofing/verification' only services. Is there an appropriate service/Trust Mark that they should obtain?
What about credential service companies?
Who needs confidence that a company is offering a comparable service when offering a partial service?
How can we deliver that confidence to the entity needing it?
Discussion needs to focus on – what does partial service mean? Should there be a technical approval?
Overview of a technical approval: Richard explained that when the rev. 3 criteria were drafted, they were not integrated with the CO_SAC – creating an opportunity for CSPs to apply for a technical or organizational approval. The CO_SAC has some vital criteria that should not be overlooked in the rev. 3 approval process. More companies are now opting to not complete the CO_SAC, possibly to save money. The CO_SAC came from two sources – huge inheritance from T-scheme with an ISO 27001 overlay, with tweaks over the years. Colin pointed out that the technical was available to allow companies who already had a SOC2/FedRamp to not duplicate efforts with the CO_SAC – but a prerequisite was never put in place.
Richard proposed we do nothing immediately and wait for rev. 4. At that point, after a thorough review of the CO_SAC to keep the good stuff (more technical requirements scope/construct credential policy) embed those criteria into the new SAC. We should recognize certain qualifications that fulfill the needs of the CO_SAC that could count as a free pass. And if they don’t have that – then they must do the CO_SAC. Regardless, going forward do not allow the technical scope as it’s known today.
Andrew asked if companies are being steered toward technical or if they are coming with the mindset already. Jimmy feels they come not knowing what they are looking for at all. When the shopping list of options is explained, many feel the SOC2 of FedRAMP is comparable and prefer the technical route.
Andrew asked if there is an uplift in the amount of work required to complete the CO_SAC? Richard explained that it’s extra criteria so it’s extra work. The SAH allows for a 50/50 split on technical criteria but not for the CO_SAC. That must be fully reviewed each year. Richard explains to potential clients that the organizational approval is better because it shows the good standing of the entity of the organization. But when the client posses other certifications – he cannot deny that the CO_SAC is unnecessary.
Martin asked how long the mapping would take. 15-25 hours was the estimate from Richard - taking into consideration which certifications would result in the ‘free pass’. 27001 seems the most closely associated to our current CO_SAC.
Andrew agrees with waiting until rev 4 for any substantial changes to the SAC. Jimmy thinks these are reasonable compromises being addressed. Andrew sees path forward where a CSP meets certain criteria that would allow them to effectively achieve a technical approval. Without that prerequisite met, you cannot skip over the CO_SAC. Basically, allow CSPs to claim credit for other certifications. We will need to analyze the CO_SAC over the next year to determine which criteria we need to stay.
Andrew summarized the steps:
Do nothing in the immediate future as we prepare for rev 4.
Evolve the program so people can’t choose the technical but get credit for work already done.
In the interim, allow people to go forward with their technical approvals with the information that this is being discussed and will be changing and therefore there might be different requirements in an upcoming ACR. (at the ARB’s guidance to secretariat). Be specific on what and how things are changing.
Richard suggested embedding the good criteria in now – go through the CO_SAC and identify the criteria which are technically important and apply those without imposing all the other stuff. Enhance the technical side. Keep criteria around service definitions, proofing, service provision policies.
Jimmy asked if this is rev-3 or rev-4. Richard believes this is a bandage to improve -3 and we completely resolve the problem in -4.
-2 was also brought up. Should it still be offered? There are a number of current CSPs that need to maintain their Classic Approval. Lynzie suggested possibly taking it to the Board that we don’t take any new Classic applicants. Richard thinks if it's generating income, why not? But the technical has evolved making it outdated.
Will reconvene next week to discuss partial service. Will create a high-level plan for the next steps on technical approvals.
Any Other Business