Agenda
The agenda was reviewed and approved.
Review of Progress Since Previous Meeting
The three slides summarizing key achievements, deliverables status, and teleconferences
held since the previous meeting in Boston were reviewed and approved.
Reports
Ian advised that the Secure Mobile Architecture (SMA) document produced by the Mobile
Management Forum (MMF) has been submitted for Company Review. It is strongly advisable that
the SMA's information security content be checked by security experts, so he requested
Security Forum members to review it during its Company Review period (27 October to 23
November). Ian will arrange a topic teleconference during this review period to discuss
Security Forum members' comments, and will invite the MMF representatives who wrote the SMA
to join us.
Bob Blakley advised he is sharing a public platform with Tom Ridge (US Dept of Homeland
Security) in San Jose on 27 October and welcomes member feedback on issues to raise.
Steve Whitlock recommended Bruce Schneier's new book "Beyond Fear" as an excellent
successor to his earlier book "Secrets and Lies", explaining the basics of security in a
very accessible form. Also, OASIS is now incorporating Liberty Alliance material into the
SAML specification and expects to release SAML v2.0 in March 2004. The IETF is working on
key management in IPv6; its PKIX WG is now wrestling with four different protocols for
certificate validation, and he hopes SCVP will win; there is also a WG focusing on
profiles for security.
Ben Halpert noted that OASIS is now the home for the PKI Forum.
Manny Vlastakis advised he is party to the Center for Standards in DISA, and is
actively involved in the joint technical architecture for the US DoD - GIG, and end-to-end
security, so he will welcome members' feedback.
Ilya Burdman reported he has now delivered the Identity Management Catalog template,
which will now be put to use in the IdM project. He also expressed concern over reading
recent reports from reputable international management consultancies that only 20% of
system process projects are successful; if this is correct, he wonders what our chances of
success are with our EVM project. Discussion on this concluded that success is based on
realistic goals and good project management, and we have the expertise to do both well, so
we should have very high expectations of success.
Dennis Taylor reported he has been investigating Palladium, and members may be
interested in checking out the web site at www.sewp.nasa.gov/.
Eliot reported that he was at Digital Id World the week prior to this Open Group
Conference, and held a SIMC meeting there on Identity Management in the Securities
Industry. Their next step is to come up with compliance scenarios.
ASC RPI Fasttrack Results
The outcome of the Enterprise Vulnerability Management meeting was that we would:
- Review the outcome from our lightweight Fasttrack Review of the American Security
Forum's (ASC) Risk Preparedness Index (RPI)
- Evaluate the conclusions that Mike Jerbic drew out of the EVM meeting presentations (see
final slide) - that we are spanning three areas that CxOs are
heavily concerned with (Risk, Compliance, and Business Performance) and that vulnerability
management connects these three areas
- Consider the opportunities to work with NIST, the ASC and their members (who include the
big four audit companies), and the EOIF, to harmonize best practices, information
interoperability standards, test suites, certifications for processes or products, etc.
- Look critically at what we can and want to do, and come out with a report from the end
of this conference week, which we will then share and develop with NIST, ASC, and EOIF
In the subsequent Security Forum members meeting, the EVM meeting and the ASC RPI
lightweight Fasttrack Review activity we ran in early October were evaluated. In
discussion, points that arose included:
- Our three sets of RPI lightweight Fasttrack Review comments address the general approach
of the RPI, not the detail. These comments do propose how to make the RPI document better.
- We also recommend that the ASC check the NIST SP800-26 guidelines for creating
self-assessment checklists to see what might need to be done to align the RPI with the
NIST SP. In this context we should seek harmonization with NIST standards, FISMA in
particular.
- We question whether the RPI checklist scales down to smaller (SME) organizations.
- We wonder whether the RPI checklist was compiled from a systematic base or an ad hoc
approach.
- We are interested in the weighting scheme used, and its underlying algorithm(s), because
the Index number that will result will be very much skewed by the weighting system.
- Our Enterprise Vulnerability Management project needs a method for quantifying risk, so
the RPI concept is very appealing.
- The RPI is currently aimed at being an underwriter's index - this is probably not
something our members would value - so we will want to broaden its applicability to
embrace IT risk management.
- This RPI is being created by ASC in collaboration with the business community it aims to
measure (the big four auditing companies: Deloitte Touche Tohmatsu, KPMG,
PricewaterhouseCoopers, AIG), so is it sufficiently independent to be objective? We need to
guard against it being a politically convenient but ineffective tool for these sponsors to
indicate due diligence, and need to engage better with this community to generate
assurance on the RPI's objectivity.
- Overall, we want to continue the association with the ASC in its RPI process, and will
seek to join with them in developing this RPI work, on the basis of our review and
comments.
- We note the intention of the ASC to launch the RPI in November. We consider this
premature because we see a lot of general improvements that will render it much more
acceptable as a generally applicable quantitative risk measurement tool for the critical
infrastructure and for enterprise IT business. We would like to help introduce the changes
to the RPI which we believe will achieve this goal, and we hope to avoid a situation where
the current RPI document is launched and perceived by the wider community outside the big
four auditor companies as inadequate and flawed, which it currently is.
Ian will put this feedback to the ASC in a consolidated report, and with Mike Jerbic
(Security Forum Chairman) will liaise with the ASC to establish a sound working
relationship for continuing development of the RPI, as part of our EVM project.
It was also agreed that we will seek to develop close working relationships with NIST,
the ASC and their members (who include the big four audit companies), and the EOIF, to
advance the objectives of the EVM initiative, and specifically to harmonize best
practices, identify opportunities to create information interoperability standards,
advance provision of test suites, and programs for certification of processes and
products, etc. A specific action will be to review and comment on NIST's SP 800-53. Ian
will produce a report advising this outcome to NIST, ASC, and EOIF.
- Approval of Washington Security Forum meeting agenda.
- Review and approval of progress report since Boston meeting in July 2003.
- Approval to engage in Secure Mobile Architecture (SMA) company review.
- Sharing of member reports on significant events since Boston meeting in July 2003.
- Agreement on feedback regarding the ASC RPI, and resolve to establish a sound working
relationship for continuing development of the RPI, as part of our whole Enterprise
Vulnerability Management project.
- Agreement to send a report to NIST, ASC, and EOIF, confirming the Security Forum's
commitment to working with them to advance the objectives identified in the EVM meeting
and subsequent Security Forum review meeting.
- All Security Forum members to engage in the Secure Mobile Architecture company review,
and share review comments in a teleconference before the closing date (24 Nov) of the
review.
- Ian and Mike to seek to establish a sound working relationship with NIST, the American
Security Consortium (ASC), and the EOIF, for support of NIST and FISMA (and specifically
review of SP800-53), continuing development of the ASC RPI, and progression of the
EOIF objectives, all as contributions towards our EVM initiative.