
Attendees:

Voting Participants: Andrew Hughes, Martin Smith, Mark Hapner, James Jung, Michael Magrath, Denny Prvu
Non-voting participants: Eric Thompson
Guests: Matt King and Ray Kimble
Staff: Lynzie Adams

Proposed Agenda

  1. Administration:

    • Roll call, determination of quorum

    • Minutes approval - 2022-07-07 Minutes

    • General Updates

    • Assurance Updates

  2. Discussion:

    • Assurance Program - continued discussion from previous weeks

    • 63b SoCA proposal

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order.  Roll was called. Meeting was quorate. 

The newest voting member, Denny Prvu, introduced himself to the group including his role with the Royal Bank of Canada.

Minutes approval: Mark Hapner motioned to approve the draft minutes from the July 7 IAWG meeting. Martin Smith seconded the motion. The minutes were approved unanimously.

Agenda was confirmed.

General Updates: Andrew provided a brief update in lieu of Kay’s absence. The UK program is in a bit of a lull attributed both to summer travel and the resignation of Boris Johnson. We will keep an eye on how it all progresses.

Assurance Updates

Andrew provided a brief update on the relying party feedback meeting being planned with NIST and financial institutions. There is little coverage in 63-3 around some of these topics that private institutions are already tackling (risk-based, fraud signals, etc). These meetings can provide information for NIST consideration. Awareness, consideration, and influence are all goals of this meeting.

Jimmy stated that NIST is government-agency focused, but they need to think outside agencies and acknowledge what is happening outside their spectrum that could be implemented into 800-63. Michael mentioned that NIST did bring in outside organizations in 2017 for cybersecurity feedback - so this is not outside NIST’s realm.

Martin asked how Kantara will respond to NIST potentially saying they have no authorization to make standards outside the government realm. Andrew and Eric confirmed that is not what we are trying to accomplish. The hope is that they will consider current approaches from financial institutions and potentially implement them - especially from a DEI perspective. These are companies that are solving common problems - so potentially adopting their solutions could benefit everyone.

Mark Hapner initiated a short discussion on financial regulators. Denny provided his perspective from the RBC and those regulations and guidelines.

The meeting is lined up with David Temoshok for early August.

Discussion:

Assurance Program

There seems to be inconsistent use of the terms in scope - applicable, in scope - not applicable, and not in scope between the assessors, CSPs and ARB. Andrew asked the assessors what customers use as justification on why something is not applicable versus out of scope. Ray confirmed this is a gray area and that there are often discussions within KUMA about the proper term to use. These terms have been used interchangeably so we need to settle on consistent application of terms.

Ray recalls that SHOULD statements should be listed as in scope. Some CSPs are not comfortable with that though and feel that certain SHOULD criteria are out of the scope of their service and adamantly want it listed that way on the SoCA.

Ray stated his understanding is that 100% must be in scope to be a full service - but once we get less than that it becomes a bit gray. Jimmy asked if that would mean if you do not offer supervised remote that you cannot be considered a full service. Andrew acknowledged that is one way to interpret it - even if it’s not the intended interpretation.

Martin summed up as ‘what IS offered by the CSP versus what IS required of the solution.’ Andrew feels like something like trusted referee - that is not essential to a solution - should not disqualify you from a full-service approval.

Jimmy referenced 63a#0470. Often not applicable is going to offer choices - you must do a, b, or c. The one that is offered is applicable while the others are listed as not. We should check the criteria to make them clearer.

Andrew noted that IAWG needs to make sure that conditional requirements are clearly stated as conditional. And those requirements are explicitly where the use of ‘not applicable’ is used. That may be the determination. If it is not a conditional requirement, rather a mandatory requirement, then it should either be in scope - applicable or out of scope. Jimmy asked that we think a step further to whether there is a minimum mandatory set of criteria that must be met for partial solutions.

Due to time and Richard Wilsher’s absence, the 63b SoCA proposal will be deferred to the next meeting.

Any Other Business
