P3-PFSG Meeting Notes - 2011-09-29
Agenda
1. Roll Call
Peter Capek
Susan Landau
Colin Soutar
Colin Wallis
Rich Furr
Trent Adams
Mark Lizar
John Bradley
David Wasley
2. PAC -Â Â Privacy Assessment Criteria - Pls Review and Comment
Drafting an introduction 'scene setting'Â Â
David W suggested a three document approach in the context of a broader goal, to include CSPs, outsourcers to Federal agences acting as RPs and ultimately international, taking in a more generalised suite of use cases.
-
-
- First Document - Focus on FICAM CSPs for the first document - a kind of privacy equivalent to the IAF's SACs, that extends beyond the IAWG's IAF Fed Privacy Profile - in essence a narrow focus and subset of the general use cases
- Second Document - outsources to Federal agencies acting as SPs/RPs .. for example those offering cloud services) - in essence broadening the scope of the PAC to cover what is currently a gap, since such folk are not themselves Federal agencies and therefore do not need to comply with FICAM as if they were.
- Third Document - Guidance for those US operations who need to operate in other privacy domains - in essence further broaden the scope of the PAC to the International/Inter-Federation spheres - to include the Article 29 WP if going to Europe for example.
- David will make some comments on the Introduction
-
- Opportunity
- General agreement that there is a growing (and evolving) market need various Privacy Assessment Criteria, in that at this time there is no PAC for providers involved in credential management
- Focus
Colin S suggested that, rather than starting narrow and broadening, we should set the scope to include all 3 above at the outset, and then tackle each as sub sets of that whole i.e. for P3 to market the PAC in the General Case - with a specific first focus on FICAM and to not pigeon hole the PAC effort to a FICAM specific endeavor.
General discussion: What is needed is a specific set of requirements that assessors can easily locate in the target entity when doing assessments - taking the general guidance and Privacy profile and producing specific requirements. Need to make this sufficiently concrete so the auditor has something concrete to work with.
Colin W suggested we just revise the current IAWG Fed Privacy Profile rather than putting this in the PAC. General consensus was to make this a two step process; create the first document (FICAM CSP focus) separate from the IAWG Fed Privacy Profile, and after Kantara completes its full 'approved' status as a Trust Framework Provider (rather than provisional as is now), look towards combining the two and submitting the PAC to FICAM as an approved assessment tool .
In addition, there is an action to look into the OIX privacy profile/assessment criteria for RP's
- Capture of Use Cases for Future PAC's
- CSP's for FICAM - If we help assessors locate what to assess, costs can be reduced significantly, (a cost benefit analysis should be considered to market the PAC (and raise additional resources to further develop the PAC)
- SP's (Outsourcers) as described above
- International extension - as described above, and leverage the successful 'template' that will then have been created by documents 1 and 2.
3. Face-to-Face Meeting in Redwood City, CA, Oct. 20-21
- Did not discuss - Currently only one member of P3 is attending.
4. PAC Priorities and AOB (Any Other Business)Â Â Â
- FICAM first priority but put in the context of Kantara's General Privacy Assessment Criteria