This meeting was open to all attendees of The Open Group Conference. It included members of the Security Forum, the Active Loss Prevention Initiative, and partners in the ALPINE project.
Eliot Solomon (Security Forum, SIAC, SIMC)
Steve Jenkins (Security Forum, JPL)
Steve Whitlock (Security Forum, Boeing)
Martin Roe (Security Forum guest, independent consultant, ICX)
Craig Heath (Security Forum, Symbian)
Jeremy Hilton (Viviale, ALPI)
John Mawhood (Tarlo Tyons, ALPI)
Dave Heiman (NASA SEWP, Security Forum)
Dennis Taylor (Security Forum, NASA SEWP)
Scot Hansen (Open Group, EC coordinator)
Richard Sitruk (ETIS, ALPINE Partner)
Mikel Emaldi (ESI)
Estebaliz Delgado (ESI)
Ian Dobson (Security Forum, The Open Group)
David Lounsbury (The Open Group, ALPI)
Chris Taper (Security Forum guest, independent consultant, ICX)
Jane Hill (Viviale, ALPI)
Bob Blakley (IBM/Tivoli, Security Forum)
Ian Lloyd (ALPI, The Open Group)
Ian Lloyd showed a spreadsheet listing the Active Loss Prevention initiative activities plan through to 2003. The existing projects are:
- Risk Vocabulary 1 - 1st draft document due by end 2002
- Risk Vocabulary 2 - 2nd version of the document due in April-Sept 2003, and probably successive maintenance versions to keep it up to date
- Critical Infrastructure - meetings were held recently in the USA and Europe to help define where the outputs of the initiative will support the needs of critical infrastructure
A further project under consideration is Actuarial Data: the insurance industry is looking for information about information assurance. It needs standards on what information to collect, how to gather and maintain it, and how to communicate it. This project could lead to an Insurance Requirements project.
The initiative members intend to progress their projects using short, sharp teleconferences at approximately monthly intervals, with individuals producing work in between.
Project ALPINE - Active Loss Prevention in IT-eNabled Enterprise - was awarded to The Open Group's Active Loss Prevention initiative by the EC. It involves 6 deliverables, which have been tagged as follows:
- Survey of SME market on security issues
- Trust Services Mapping
- mCommerce Liabilities
- Security Policy Best Practice
- Two open projects
Scot Hansen explained that the EC has 11-12 roadmap projects as part of its initiative to bring together experts on related IT areas and to see, at the business and enabling-technology levels, where it should put EC resources to promote best practice and adoption of IT; ALPINE is one of these projects. ALPINE has an 18-month timeframe.
Partners in ALPINE are:
- ETIS (telecoms infrastructure)
- ESI (European Software Institute)
- The Open Group
Ian Lloyd continued with an explanation of the promotion work that is in hand:
- publicity - working with USA and European groups to explain what ALPINE is about and getting articles published in relevant press outlets
- the UK National Hi-Tech Crime Unit (NHTCU) is looking to produce a seminar about issues of risk on the Internet
- Open Group quarterly conferences, of which this is the last in 2002. The next is in Burlingame, San Francisco on 3-7 February 2003.
- ALPINE workshops and a special ALPINE conference by the project closure date of Jan 2004
- various speaking events that will arise in the course of our regular speaking opportunities
Scot explained that there will be a roll-out of calls for participation in further related initiatives from the European Commission within the new Framework 6, and these will be partly triggered by input from the ALPINE project. Influential milestones from the ALPINE project can be expected in June 2003 and Sept 2003.
Eliot described SIMC and its inter-firm security goals: to identify technologies which will improve its members' risk model and the trust model they use. Lately they are addressing identity management technologies in ways that will guide them forward; the discussions yesterday showed that we need to focus on the business drivers for identity management and access control rather than take a technology-driven approach. SIMC's phase 1 report will focus on clearly articulating the problems rather than defining solutions. Would this be of interest as a project in ALPINE? Ian and Scot will discuss it further with Eliot.
Scot reminded attendees that the ALPINE and related EC projects are designed to enable experts to come together and give sound recommendations, not to deliver solutions. Ian showed a slide listing all the current European Roadmap projects, available on the ALPINE web pages.
Eliot would like the ALPINE project/ALPI/The Open Group to provide analysis resources
in articulating to the vendors why they should understand the problems and map them onto
business processes.
John Mawhood noted that silos overlap where the risks and liabilities are only partially understood, and that in order to bring this into the business domain we need a clearer vocabulary, so this is the essential starting point. Eliot felt that the best way to move towards enabling eCommerce is to take examples of real existing businesses that are practicing it and demonstrate how their e-operations can be improved. Richard thought content is the critical element - the real value - of what is delivered, so the customer should be our starting point for the business model, to elicit their requirements regarding the information.
John observed that we need to enable an electronic trading culture, but small to medium
enterprise businesses don't often get the help they need from IT vendors.
The question of ownership of customer data arose. Bob felt strongly that ownership of customer information can easily create problems if it is used in the wrong way. Developing a good relationship with a customer is important, and this is based on having information about them, but selling information about a customer is not a good thing - it alienates the customer - and in this regard it should not be thought of as an economic asset except in your own business customer list. Distinguishing between customer information as a social asset and as an economic asset is vital to getting the handling of customer information right.
Ian Lloyd then took a closer look at the 3 projects in ALPINE:
- Richard - agree on the framework for what we are to address and understand the requirement, including for mobile users. We need to understand what the real issues surrounding liability are and how security can help contain it, and come up with a set of recommendations to his ETIS members. A critical success factor is involving SMEs; the idea is to gather about 50 players from the industry to form a representative group.
- Policy management - concerned mostly with users, including larger companies that do not have big IT departments. Issues include certification and acquiring security-certified products. Eliot commented that the driver for having certified products is reduced costs, e.g. a reduced insurance premium, or value in terms of auditors' approval that the business is conducting its business properly. Chris Taper suggested we should endorse BS7799 (ISO17799) for doing audits. Dave said ALPINE is aimed at SMEs, so we need to scale our thinking to what the SMEs' view of liability is; here we can do a good job by educating SMEs on what liability means, e.g. by drawing the liability roadmap for SMEs. Bob said liability is managed by assessment of risk and there are standards for this (e.g. the Australian standard), so the need here is to consider what actions create and minimize liability. For example, in eCommerce it is the communications provider who needs to be audited against ISO17799.
- Trust Services work - Ian explained the key issues are what the service elements involved are, then which of them are being offered electronically today, and which are inappropriate for delivery by electronic means for jurisdiction reasons. We may expect this to extend to include other related considerations.