The agenda was reviewed and approved without amendment.
The actions from the previous meeting (Glasgow, April 23-24, 2008) were
reviewed at the start of the meeting as preparation for this Chicago meeting.
Any actions not addressed under an agenda item in this Chicago meeting were
addressed as part of this Introduction.
NAC-Themed Security Tracks
From the q108 (San Francisco) meeting, Ian and Marty will consider with other
ex-NAC members adopting a meeting format used in the NAC. In that format, the
organizers prepare pre-conference materials on a topic, with relevant use-cases
that bring out the key issues and questions they want answered, and then invite
expert speakers to respond in a themed meeting session, creating a body of
knowledge of value to the members. We could adopt this approach to planning
and running Security Tracks in future meetings.
Arising from this action, Marty has obtained from the NAC archive (Pam
Campagna) the NAC-owned pre-conference materials from past NAC events, which
will provide a set of examples for how to prepare future themed Security Tracks.
Action: Ian and Marty will work with other members to review the
NAC archive of past NAC events with a view to re-using them in
planning future Security Program plenaries and tracks through 2009
and beyond.
Collaborative RFPs
In the q108 (San Francisco) meeting, Marty presented his proposal
(item dated 19-May-08) for developing a set of Collaborative RFPs.
Action: Ian will call on members to review this proposal and vote on adopting
it as a new work item following their review.
Identity Management Standard in ISO
The related documents are available here
under "Recent Documents".
Action: Ian will continue to liaise with SC27 on their Framework for Identity Management, and their Framework for Data Privacy, and also with
ITU-T on review of their FP reports.
The Open Group's Security Program VP, Jim Hietala, summarized
the achievements and outreach activities over the first half of 2008,
including:
- Analyst briefings with Gartner, Forrester, and Burton Group
- Bylined articles in CSO Magazine and DM Review
- Press articles in Compliance Weekly, Dark Reading, and Network World
- Plans for Webinars (on SOA and Security on August 6), and a Webcast in
September on security topics
The Open Group is investing in initiatives to broaden our marketing
and outreach activities to spread the message that the Security Forum is
the right place to be to make a difference in working on the critical
issues in information security. The aim is to grow the Security Program
in The Open Group in a cohesive way, so it provides members with the
Forum they need to address their greatest pain points in securing their
businesses. In discussion, it was agreed that this is a great opportunity to
attract more participation from Open Group member companies that are currently
passively observing our Security Forum activities, as well as those who are
not yet members but who we believe should be involved. Suggestions here
include Google, Amazon, Cisco, Microsoft – all of which have business
interests in securing customer-facing services "in the cloud".
Of course, we need our members to help in this endeavor. In
particular we need:
- Content suggestions and speakers
- Bylined articles for placement in security publications
- Willing members with the ability to talk to the press about Security Forum initiatives
- Proposals from members and their business contacts for presentations
at our conferences
- Proposals for high-value projects which members can take up to address
their business security needs
Right now we are planning Security Practitioner Conferences – plenaries and
tracks – in each of the Open Group's four conferences in
2009. We kick off in our next conference (Munich, Oct 20-24) with a
Security Architectures plenary on the Monday, and plan three Security tracks
over the Tuesday and Wednesday. We will welcome all recommendations and
references to contacts who we can invite to give presentations on
information security topics, in:
- Munich: Oct 20-22, 2008
- San Diego: Feb 2-5, 2009
- London: Apr 27-29, 2009
- Canada (Ottawa/Montreal/Toronto): July 20-22, 2009
- China/Asia: Oct 19-21, 2009
Action: All members are requested to propose and recommend
speakers for our future conferences, and writers of articles for
publication in the security business press, to support our investment in
growing the value and visibility The Open Group's Security Forum can
deliver.
As an exercise in quickly gathering feedback on hot security topics
of importance to the members present in this meeting, the following list
emerged:
- Case studies from experienced practitioners on implementing the
Jericho Forum commandments, particularly how to implement secure
services in the cloud
- Virtual computing, slicing of computing resources, configuring and
monitoring system status according to prescribed policy
- A "getting started" boot camp guide introducing key
security principles to the novice
- A track on "here's what we do and why"; e.g., for metrics,
show why it makes sense, so as to engage the unaware
- SPD-12 SmartCard implementation – authentication, authorization,
provisioning
- Security of computing devices
- Roadmap showing Security Program deliverables and expected
progress in each yearly quarter
- Identity & Access management: a federation standard to manage
identity in the cloud
- Levels of assurance for authentication based on NIST 800-63
- Deploy the NAC approach for case study seminars/tracks: prepare sound
studies on selected high-value security pain points, invite experts to
respond to them, and aim for a goal-oriented outcome which could be
published at member-only or public visibility. This approach attracted
serious vendor interest to NAC events. It requires serious preparation
work, but if done right it will deliver distinct high value not offered
in any other conference, and will serve us well in planning tracks
through 2009
- Unify our security activities, to show an integrated approach and
demonstrate the synergies that exist among them
Jim announced that he is close to finalizing a survey of security
needs, which he plans to invite all Open Group members to complete. He
will ensure these topics are included in the survey results. His broad
approach in the survey is to ask:
- What are your hot security topics, in priority order?
- Of these, which should the Security Program be working on, again
in priority order?
- Of these, which should be themes in future conferences, again in
priority order?
Jim anticipates running and completing this survey before the next
conference.
The project documents are available here.
Ian prepared a summary presentation on the
current status of this project, including outcomes from the June
24, 2008 Burton Group Catalyst Conference SIG meeting with the MITRE CEE
(Common Event Expression) project members. Sadly our crowded agenda
overflowed into the time allocated to this agenda item, so it was agreed
we will progress it in email and web activity outside this meeting. In
brief, our latest (April 2008) XDAS draft has been boiled down to the
essentials of an event and logging standard, excluding the API which was
in the published 2004 standard. It now covers:
- An event record format (logline, JSON, and XML)
- An event taxonomy (for the event type as well as outcome)
- Event filtering (which probably needs to be reworked as well)
- Audit service requirements (some overlap with CEE here)
Our goal in collaborating with the CEE members in a joint project
moderated by Burton Group analysts Dan Blum and Bob Blakley is to find ways
to converge our XDAS efforts with those of the CEE members, so as to ensure
we arrive at a single interoperable event and logging standard that meets
today's audit industry requirements for collecting and logging events.
Action: Ian will coordinate project activities with The Open
Group's XDAS project and members of the MITRE-led Common Event Expression
(CEE) Group, plus the Burton Group and other interested consumer parties
of events, to reconcile areas of known difference which are material to
assuring interoperability between XDAS and CEE.
The FAIR (Factor Analysis of Information Risk) project page providing
access to all the development drafts and presentation materials is here.
Company Review of Risk Taxonomy Technical Standard
The Company Review closed on July 29. There have been several
valuable recommendations for improvements, which will be addressed in
the seven days following the end of Company Review.
Review and Development of Draft Risk Assessment Methodologies (RAM) Guide
Alex Hutton delivered a second draft of this document the week before
this meeting. The draft is available from the web site. This deliverable
is intended to form the basis for Phase II of our Risk Management project.
Discussion quickly clarified that the aim of this RAM document is to
explicitly identify the key characteristics that any competent risk
assessment methodology should include. The objective of this deliverable
is to provide a guide to understanding what to look for in evaluating
the competence of any given methodology, and why. As such, the
members' review of it in this meeting concluded that it meets the
intended purpose.
Action: Ian will run a ballot of members proposing adopting this
RAM 2nd draft for review leading to publication as a Guide. If this
ballot result signifies approval then we will proceed with formal review
by the Security Forum members aimed at approving the Guide for
publication.
Development of Implementation Cookbook for FAIR
Discussion on this RAM Guide led quickly on to focusing on the
applicability and usefulness of FAIR in the context of all the other
risk assessment methodologies which exist in the industry; e.g., how does
FAIR fit with COSO, and with other methodologies? Alex asserted that
FAIR is complementary to other methodologies like COSO, ITIL, 27001,
CoBIT, OCTAVE, etc.; it provides the engine that can be
used in other risk models. It was agreed that we need to
explain this as a short introductory piece in the Risk Taxonomy
standard. It would be best if this piece could describe in generic form
how to apply FAIR to a risk management framework.
A member has also pointed us to an ENISA (European Network and
Information Security Agency) report on "Methods for
the Identification of Emerging and Future Risks" (November 2007), which
includes an assessment of 18 risk assessment methodologies, scoring
them on the basis of responses to 37 questions on Emerging Risk and 8 on
Future Risk. Reviewing the conclusions, Alex noted that their assessment
of FAIR is based on the original Risk Management Insight White Paper,
which was not an in-depth paper, so in the circumstances FAIR comes out
well; their low evaluation of FAIR for Questions 17-21 was based
on inadequate information.
The Implementation Cookbook standard will describe in
detail how to apply FAIR to a selected risk management framework, in the
form of an application paper, such that others could then follow by
example how to create their own application paper to apply FAIR to other
frameworks. The objectives we need to aim at in this Cookbook are to
create a reference sample for how to use FAIR with other frameworks and
also demonstrate its use for at least one concrete business requirement;
for example, in forward budgeting. As an initial starting point, we
will select the COSO framework; this may change depending on licensing
constraints.
Action: We will check the licensing situation
regarding COSO and using it for creating a derived work with FAIR, and
subject to this being acceptable we will aim to create a draft for a
FAIR Implementation Cookbook using COSO by end September 2008.
NAC Enterprise Security Architecture Paper
We have interest in updating the NAC Enterprise Security Architecture
document, available at www.opengroup.org/bookstore/catalog/h071.htm.
It is a substantial work, including coverage on Governance which
reproduces material licensed from the British Standards Institute's
BS17799. This license requires quarterly submission of the number of
downloads of the ESA document, and payment of a license fee to BSI for
each download.
One update might be to revise this section of ESA so as to remove
the need for this licensed extract. This could be done as part of a
revision to the latest standard (ISO 27002). ESA is a tutorial as well
as a reference document, so we should review it as having two potential
uses. Other update opportunities could be to separate out different
parts (e.g., on policy, guidelines, procedures) for specific audiences.
Members agreed in the San Francisco meeting (January 2008) to undertake a
reading assignment to assess how best to revise the NAC Enterprise Security
Architecture (ESA) document, taking into consideration existing publications
on this subject area from other major sources, including ISF (benchmarking),
ITIL (management), NIST (800-14 and 800-53), CoBIT (Audit), COSO, ISO (27002),
and the Burton Group report (October 2007) on Enterprise Security & Risk
Management – Framework for Assessing Control Standards.
Little progress has been made since that meeting, due to other priorities.
However, we now do have member volunteers interested in taking on this
project. One new suggestion was that this update could consider using ESA
to populate a Security Architecture crop-circle diagram as a parallel
with TOGAF.
Action: Ian will coordinate action to update and perhaps separate
out sections from the published Enterprise Security Architecture
document into stand-alone guides, to deliver its material in a more
useful form.
Security Plenary: Architecting Secure Information Delivery
The Security Plenary presentations are available here.
Security Track A5: Enterprise Security Architectures
The Security Track presentations are available here.
Security Track A6: Managing Secure Enterprise Architectures
The Security Track presentations are available here.
BoF on Secure Enterprise 2.0 Initiative (David Lavenda & Chenxi Wang)
David Lavenda's slides are available here.
He explained that he has held two meetings – in London last December 2007,
and New York at end-April 2008 – exploring interest and support for
forming a new group to address securing Web 2.0 for the enterprise. He
has established that there is significant interest there, and is now
considering whether The Open Group would be the right place and is
interested in hosting the group, as a new Forum or as a Working Group.
The object of this Birds-of-a-Feather (BoF) session is to discuss the
issues involved in taking this forward, and to check how much interest
exists among Open Group members in participating.
David presented the numbers of subscribers already using Web 2.0
services like Facebook, MySpace, MyYahoo, iGoogle, and the like, and the
projected growth in these numbers. The new generation of computer users
are bringing Web 2.0 into their office environments, and this trend is
not likely to be stoppable in any effective way, so the obvious thing
for enterprises to do is to embrace it and ensure it is secure for
enterprise use. For customer-facing businesses, it is of course a
business imperative to adopt secure Web 2.0 for their enterprise.
The challenges we need to address in this space include threats, data
theft, access control, identity protection, privacy, information leakage,
and liability for information misuse by employees. Existing consumer tools
are not sufficiently robust for enterprise-grade operations.
After considerable discussion on a wide range of related issues, it
was agreed that we need to see what a Charter for this new group would
look like, to enable us to make a more informed evaluation.
Action: The Secure Enterprise 2.0 champions will draft a Charter
summarizing the objectives, scope, benefits, expected deliverables,
required resources, and projected roadmap with timelines, for the
proposed new Secure Enterprise 2.0 group, for evaluation.
New Project Proposal: Compliance Templates
Shawn Mullen (IBM) proposed a new work item aimed at standardizing
what he termed Automated Compliance Expert (ACE) templates. These templates
would provide a knowledge base in a format which can be consumed by
compliance tools. These tools will then be able to achieve a high degree
of automated compliance configuration and monitoring, which in turn will
reduce the cost of compliance for end users and increase security
consistency amongst their IT systems.
There are many different compliance standards, and many areas of
compliance within these standards. Not all elements of compliance can be
automated. However, many of the compliance standards have overlapping
guidance in the area of IT security.
These ACE templates would define an XML format which will
describe specific OS configuration settings required to meet regulatory
compliance standards.
More importantly, by working with the regulatory compliance
bodies, ACE would enable transfer of the meaning and intent of any
compliance standard into a knowledge base described by ACE's XML format,
so that compliance tool vendors can consume this XML knowledge base and so
deliver actionable and automated configuration methods.
Action: The Compliance Templates project
proposer will work with The Open Group to develop a Work Group Charter
proposing the context, scope, benefits, expected deliverables, expected
resources, and roadmap with timelines, to inform Security Forum members
on deciding whether to approve initiating a new Automated Compliance
Expert (ACE) project.
ITSC Stream for Security Specialists
The Open Group's ITSC (IT Specialist Certification) program team is led by
James de Raeve (VP Certification, The Open Group). The ITSC home page
(www.opengroup.org/itsc) explains the distinguishing features which make
this ITSC scheme special as an experience- and skills-based certification
which promotes career development and proven recognition in the IT industry.
Among the existing ITSC participating members, security is a career
strength, so adding a Security Specialist stream would facilitate
adoption of information security in like organizations as a formal
career development path at three levels: certified, master, distinguished.
In our previous meeting in Glasgow (April 2008), the ITSC program
team put forward an outline proposal to add a security specialist stream
to the now-established ITSC program.
The outcome from that Glasgow meeting was that there is merit in
considering it further, so the ITSC team took away the feedback from
that meeting and presented a modified proposal. This
proposal has been further revised by the ITSC team.
Much discussion centered on slide #7 – Positioning – in this revised
presentation, which seemed to arbitrarily divide architecture and security;
the question of where governance fits, sometimes termed "operational
security", may need to be accommodated. One further observation was
that some people come with security skills gained through the systems
management path. One point of firm agreement was that any Security
Specialist certification should not be subdivided into Service Provider
and Customer/User – best to have just one, unless this ultimately proves
unrealistic.
Slides #9-10 – Conformance Requirements – proposing the nine skill sets
also attracted considerable discussion. The general view from the Security
Forum was that no-one will ever achieve full competence in all nine.
Perhaps a more realistic approach would be to have a level-1 certification
which profiles maybe three or four specific skill competences suited to an
entry level of operational security competence, then a level-2 encompassing
more (e.g., six to eight) competences to represent a satisfactory profile
for a security designer-programmer, and perhaps a level-3 for a security
architect. Further comments suggested two additions to the skills listed:
- Most security people are expected to have a code of ethics and
even a "good character" element in their competences, so
it would be good to add this into the security specialist skills
set.
- Add forensics and penetration testing to the list of skills.
Action: Members of the Security Forum will review the revised ITSC
Security Specialist proposal within their organization to check if it is
likely to be adopted as representing worthwhile added value to their
organizations as a career path benefit, a team-building benefit, and a
recruitment benefit.
Following up from our San Francisco (January 2008) meeting, we now have a
Trust Management & Classification (tmc) web page:
www.opengroup.org/projects/security/tmc.
The members' view gives access to all the project materials assembled to
date. In this session, members reviewed a presentation based on the
presentation originally outlined in the January 2008 San Francisco
meeting, validating the concepts and definitions as a necessary basis for
creating a trust taxonomy upon which we can build a trust/confidence
management model.
Action: Write a Charter including context, scope, benefits,
expected deliverables, expected resources, and roadmap with timelines, to formally initiate
the Trust Management & Classification project.
The initial proposal as presented in the Security Forum's January 2008
meeting was to revise the Secure Mobile Architectures Technical Study
(E041, published February 2004) to become an Open Group SMA Technical
Standard.
This proposal was reviewed in the April 2008 meeting (Glasgow) where
members considered which aspects of SMA were appropriate for development
as a standard interface and subsequent certification program. Arising
from this review it was agreed that the champion for this project would
develop a paper (2-10 pages) sufficient to describe:
- What is the problem being addressed?
- What is the technical architecture that will solve it?
- What in this architecture is common and therefore needs to be
standardized to make it interoperable in a generic environment; also,
what are the underlying assumptions?
- Present at least one use-case to illustrate the potential value
The response is that the application area is a Supervisory Control
and Data Acquisition (SCADA) connectivity infrastructure, so the
application scope is a SCADA connectivity problem in a closed
environment; for example, a large manufacturing floor. This kind of
requirement will have the interest of manufacturing enterprises. Known
interest is from Ford, Siemens, and petrochemical industries (like
ExxonMobil).
There is a SCADA conference in San Diego at the end of August where
related requirements will be on the agenda of many attendees. Our
champion attendee will be there.
Action: Security Forum representative will report on outcomes from
the SCADA conference in San Diego at end-August 2008 on interest in
developing a standard Secure Mobile Architecture for closed system SCADA
networks.
Action: Ian will check with analyst contacts in Gartner, Burton
Group, and Forrester on their interest in SCADA networks.
This was a joint meeting of the Security Forum with the SOA Working
Group on securing SOA environments.
The charter of the joint project is to develop an architect
practitioner's guide to Securing SOA.
From the San Francisco (January 2008) meeting, Mike Nassar and David
Chappelle agreed to review the November 2007 IBM Redbook on Understanding
SOA Security Design and Implementation, with the specific aim to compare
the coverage of the IBM Redbook and our Guide to SOA Security, and identify
gaps we can fill from it. Mike Nasser completed the task, providing valuable
analysis which has been incorporated into later drafts of the re-structured
draft Guide to Securing SOA, which resulted from a major review in the April
2008 (Glasgow) meeting. Subsequent conference calls have identified further
content which has been incorporated to produce the current draft v17,
available from the soa-sec web page at
www.opengroup.org/projects/soa-sec/protected.
Fred Etemadieh, a co-chair of this project, presented a status
summary of the project, and encouraged members to contribute towards
pulling together the wealth of material that we have gathered in the
current draft v.17. During ensuing discussion, several members from the
SOA Working Group expressed interest.
Action: Ian will coordinate interest in reviewing the current SOA-Security
Guide draft v.17 and pulling together contributions towards integrating the
existing content into a coherent SOA-security practitioners' guide.