Identity Management: O-ISM3 and SABSA Guide
Vicente Aceituno gave a summary of current plans for:
- Promoting adoption of the Information Security Management Maturity Model (O-ISM3) standard; see The Open Group blog post by Jim Hietala and Vicente Aceituno.
- Certification program plans for O-ISM3 Maturity Models and for O-ISM3 Professional Certification; both are on hold pending demonstration of a sufficient base of O-ISM3 adopters.
An initial draft paper for mappings between O-ISM3 and SABSA is in preparation for review by Security Forum members. The project plan is to publish it as a White Paper in December 2012.
Identity, Entitlement, and Access Management
We are participating in the US National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative and its Identity Ecosystem Steering Group (IDESG), representing The Open Group Security Forum members' interest in open systems security standards and the Jericho Forum members' interest in several IDESG Working Groups and Stakeholder Groups. The October 29 IDESG face-to-face meeting in Washington DC has been postponed because of hurricane Sandy; in this meeting we agreed a Jericho Forum submission responding to five Identity Management questions, to be placed on the IDESG agenda when that meeting is rescheduled.
Our joint Jericho Forum and MIT Media Lab "Open Architecture for Core Identity and Persona" submission for funding under the NSTIC Pilot Program was not accepted, but we are continuing with it as a lower-key joint collaborative activity. The funded NSTIC pilots are listed here.
Integrating Security into TOGAF: Development Workshop
We held a joint development workshop with the Architecture Forum TOGAF® Next team, in which we reviewed proposed Security Forum contributions to Part 1 (fundamentals) on Risk Management and Security Principles, and began work on contributions on these topics for Part 2 (how-to practitioner guidance). The workshop was highly constructive in clarifying how we will proceed over the next three months, leading up to our next meeting sessions at the January 28-31, 2013 Open Group conference in Newport Beach.
This workshop also confirmed how we plan to move forward with our vision for an integrated, standards-based security automation strategy covering configuration, compliance monitoring, and automated response to incident alerts. Next steps will be proposed based on the outcomes of the Washington DC security automation workshop, on subsequent feedback from the IETF on its SACM activity (including its interest in ACEML as the front end for configuration and for monitoring/alerting on compliance), and on integration with SCAP.
An important outcome from this meeting was approval by The Open Group Governing Board for the Security Forum to take our ACEML standard into the upcoming IETF SACM WG meeting (November 4-9, in Atlanta) for adaptation to the requirements of the IETF's evolving security automation solution.
The background to our development on this project is as follows.
It started in January 2012 with a proposal for the Security Forum to take a holistic approach to security automation: assured configuration plus continuous monitoring of machine health and of compliance with security policy. At our Cannes conference (April 2012) we noted that a number of current and proposed new projects are components of this solution space:
- ACEML for configuration/compliance
- DASv2 for Event Management
- AVOS for Virtualization Management
Security Forum members ran a follow-up Security Automation workshop at our Washington DC conference (July 2012), bringing together well-informed speakers from all the areas involved. The outcomes highlighted that NIST wishes to attract industry interest in exploiting its Security Content Automation Protocol (SCAP); that the IETF has related Working Groups on Security Automation and Continuous Monitoring (SACM) and on Managed Incident Lightweight Exchange (MILE); and that the Trusted Computing Group (TCG) is working on machine health. The IETF SACM group is seen as the best option for moving this forward, including promoting adoption of ACEML as part of its solution.
Status and progress on current projects and proposed new projects are reported in regular Summary Reports, which are available to members via our website.
Attendees reviewed current options for our security coverage at the upcoming Open Group conferences in 2013. Members will develop these and make them public as soon as possible:
- Newport Beach, USA, January 28-31, 2013:
Members reviewed the outline plan for public security sessions (plenary and tracks), and will issue a draft agenda for the Security Forum members' meetings in the next few weeks.
- Sydney, Australia, April 15-18, 2013:
Industry verticals focus on Finance, Defense, and Exploration & Mining. Members reviewed opportunities for public security sessions, including recommendations from our Jericho Forum member located in Sydney.
- Philadelphia, USA, July 15-18, 2013
- London, England, October 21-24, 2013
Secure Mobile Architecture (SMA): Development Workshop
The draft Snapshot has been restructured into an agreed format, and the lead project team is developing it for Security Forum member review, with the aim of submitting it for Company Review to become an Open Group "Snapshot" by the end of 2012. A "Snapshot" is an Open Group publication that raises advance industry awareness of a document expected to be published as a full Open Group standard within 6-12 months.
The upgrade to a full Open Group SMA standard will follow once its external dependencies, from the TCG's Trusted Network Connect group and from the ISA (International Society of Automation, ISA100 security), are published.