...

  • What are we trying to accomplish beyond creating the self-assessment, and did we meet those goals?
  • Do we need to extend the scope of the document, or should we focus on getting more impact from the first document (especially if we didn’t meet all our goals the first time)?
  • What does it mean to get acceptance by the DIIs, and have we achieved that?
  • Depending on where these lead, we might conclude that what we really want is more organizations doing the self-assessment and to have these results published centrally or otherwise. I could see that certainly helping those of us looking for resources or justification for the different components of our security program efforts.
  • Taking this hypothetical further, if that is our goal, a reasonable next step is to develop a guideline for the assessment.

Adam points out that interpretation of what is required by version 1 is far from clear and proposes that we should perhaps concentrate our efforts on producing a set of guidelines.

But before we get too far, Romain encourages us to take a step back and consider our goals again. He reminds us of the history of SCI, where we were documenting current best practices aimed very much at potential new infrastructures wishing to join. Subsequently we realised that the document was also very useful to existing members of the group, as a way of seeing where further improvements were needed. So one important question on our scope: are we aiming to establish trust quickly with a new collaborating infrastructure, or are we wishing to assess our own compliance/maturity? Romain says he wishes to use SCI as a way of establishing trust.

Alf reminds us that a number of NRENs are working towards ISO27000 certification. What should we use internally for assessment and what should we use for establishing trust with others?

Eli suggests that we should build a trust matrix - infrastructure to infrastructure, not individual to individual.

Dave points out that trust between infrastructures is required not only for operational security but also to establish federated identity trust, e.g. will I trust another infrastructure to do authentication of its users to use my infrastructure's resources?

Lots of discussion followed without concluding on a definite, clear mandate and goals for the group (we need this for the TNC BoF!), but there did seem to be general agreement that trying to interpret version 1 against our own infrastructures would be instructive and that we might be able to agree more easily after trying this (see below).

3. Alf tells us about the comparison he has done of SCI V1 against ISO27001 and the published Sirtfi V1 document.

5. Next meeting. There will be just one meeting between now and the TNC2016 BoF session. Proposed dates are 31 May, 1 June or 2 June. Dave will send a Doodle poll. The agenda will be to look at the SCI V1 comparisons and decide what to present at the TNC BoF (e.g. an agreed mandate statement).

...