
Kantara Initiative Identity Assurance WG Teleconference


Date and Time

Agenda

    1. Administration:
      1. Roll Call
      2. Agenda Confirmation
    2. Discussion
      1. ALx_CO_ISM_#80 and ALx_CO_ISM_#90 (Ticket #287119)
        1. what is the scope of the audits specified?
        2. how was the frequency of the audits decided?
      2. Agile IAF - report re: FICAM's direction with components (Andrew)
      3. NIST 800-63 comparison update (Richard)
      4. NIST 800-162 - Guide to Attribute Based Access Control (ABAC) Definition and Considerations (Draft)
    3. AOB
    4. Adjourn

 Attendees

As of 14 January 2013, quorum is 4 of 7

Non-Voting

Staff

Notes & Minutes

Discussion

Agile IAF
Ticket 287119
In section 4.3.3 CO_ISM - Information Security Management, CO_ISM#80 and CO_ISM#90 require Internal Service Audits and Third-Party Audits at specified frequencies (either 24 or 12 months depending on AL and type of audit).

The rationale for changing the independent audit interval from 24 months to 12 months was that a certified ISMS is required at LoA3, and such an ISMS will most likely itself require an audit every year.

I think these criteria could use an edit - there seem to be some parts that are unclear.

AL[2,3,4]_CO_ISM#080 do say Internal Audit every 12 months
AL[3,4]_CO_ISM#090 say independent audit every 12 months
At least three issues arise:
1) At AL3 and AL4, the criteria appear to require a Third Party audit as well as an Internal Service audit every 12 months.

2) The scope of the audits in both criteria could use some clarification. Do internal and third-party audits have the same scope? If so, why require both? If not, what should each focus on?

3) If the scope is the ISMS only, would it be sufficient to provide evidence that a part of the organization conducts regular reviews, tests and assessments of the ISMS and its effectiveness - rather than explicitly calling out the 'internal audit function'?


AOB

Next Meeting
