The Security Forum agenda for the conference week is available here:
Information Assurance Meeting
On Tuesday July 19th, Security Forum members attended the open-day meeting on
"Information Assurance for High Risk Environments", arranged by the Real Time
& Embedded Systems Forum. See the separate report, or send a request to
i.dobson@opengroup.org for further information.
APC Stream 10 Meeting
On Wednesday July 20th, Security Forum members contributed to the Architecture
Practitioners Conference Stream 10 - A Step-by-Step Approach to Architecting the
Secure Enterprise. This APC stream was based on the joint Security-Architecture
Forum project whose objective is to deliver to the Architecture Forum a documentation
package which extends TOGAF to integrate information security into the architecture
development methodology (TOGAF ADM). See the separate report, or send a request to
i.dobson@opengroup.org for further information.
Identity Management
On Wednesday July 20th, the Security Forum and Directory Interoperability Forum (DIF)
held a joint meeting. The full report on this meeting is provided separately.
However, because the Security Forum is a full participant, the highlights are also
summarized here:
- A proposal to transform the Identity Management program into a new Identity Management
Forum, with joint membership and leadership controlled by the Security Forum and DIF, and
the DIF operating as a Working Group within the new IdM Forum, was approved.
- The Framework for Identity Management Standards - a project that includes external
liaison with INCITS CS1 - was progressed.
- Bob Blakley (IBM) led a session by teleconference link on developing design patterns for
identity management.
- The project to develop a Guide to Architectures for Identity Management was progressed,
with target dates set for company review in September 2005.
Integrating Security into TOGAF ADM
On Thursday July 21st, members of the Architecture Forum joined with the Security
Forum to continue work to extend the TOGAF ADM by adding considerations of information
security. Discussions in teleconferences between the previous Dublin conference and this
New York City conference had established that this project is focused on identifying
high-level security issues that the enterprise architect should include in developing IT
architectures using the TOGAF ADM approach. It is emphatically not a comprehensive guide
on how to do architectures for information security. The question is left open for
Security Forum members to take up the challenge to create a guide on how to do effective
information security. Concern was expressed by Security Forum members on what artifacts
will define compliance, certification, and verification in Phase G; the answer was that
these artifacts are in the "how to do security" domain, not in TOGAF ADM.
Another concern was also expressed over Phase G and how it separates enterprise
architecture standards for software development (ITIL, Carnegie-Mellon, etc.) from the ADM
process; the response was that this line is moveable - it depends on how the architect
instantiates the ADM to match the business requirements for the architecture being
created, but if your organization requires a specific EA methodology then it should be
called out in Phase G. After brief review of other issues, it was agreed that we should
aim to complete this project by the time of the next conference, so dates were agreed
accordingly for company review to start on August 28 and close on September 25.
Certificate Policies for PKI-Based Email Encryption
On Thursday July 21st, the Security Forum joined the Messaging Forum to review their
requirement for reducing the workload involved in agreeing Certificate Policy Statements
between collaborating partner organizations. A mini-business-scenario workshop approach
was used to quickly gather the relevant responses to the range of questions raised in our
business scenario methodology, and this resulted in spectacularly useful outcomes which
identified a totally different solution space to that which was implied at the start of
the meeting. Actions were assigned to determine what further development might be
appropriate, and we will hold a further checkpoint meeting during the next conference to
determine the best way forward. See the separate meeting report, or send a request to
i.dobson@opengroup.org for further information.
Trust Models Guide
On Thursday July 21st, the Security Forum reviewed progress on its Trust Models Guide.
Progress has been slow since the previous meeting, but a teleconference is arranged
for July 25th in which we expect to make significant further progress. Based on the
outcome of this teleconference we will plan how we will complete this project.
Digital Rights Management
The DRM Guide has now completed its company review, and having applied all the agreed
changes it is ready for a final sanity check before submitting it for Governing Board approval.
Security Forum Administrivia
On Thursday July 21st, the Security Forum reviewed its strategy, project plans and
deliverables, information exchange between members, and new project proposals.
Updates will be reflected on the Security Forum's web pages.
Framework for Control of ECP
On Friday July 22nd, the Security Forum hosted a joint meeting with the American Bar
Association's Cyberlaw Committee, to progress its joint work to develop a Framework for
Control of Electronic Chattel Paper. See the separate meeting report.