San Diego 2015: Proceedings - Security

Security Forum Members' Meeting

Objective of Meeting

The members' meeting held in San Diego included some project reviews, as well as several working sessions. The meeting agenda covered:

  • Security Automation (review Business Scenario White Paper, discuss plans for vendor engagement)
  • Risk (discuss level 2 certification deliverables)
  • Risk program, new White Paper proposals (e.g., communicating with Senior Management/Boards on cybersecurity and risk; how Open FAIR complements/enhances the NIST CSF; when to use checklist, quantitative, qualitative (risk analysis continuum); ideas from risk survey output, etc.)
  • Security Forum marketing project/plan (build on the initial project calls, review/comment on draft marketing plan)
  • Review Data Principles draft paper (for comments/inputs, and forward planning)
  • Misc. topics (cybersecurity; IoT and security; White Papers to frame IoT issues; partner with Open Platform 3.0; study IoT standards landscape and partner with others; Cyberlaw ABA discussion; development proposal for XDAS v2; O-ISM3 status)
  • TNSP Project (status of project, discuss TNSP core, how best to align our Part 2 document, describe security services catalog project status)

Summary

Good discussions were held on a number of topics, including future risk work, where the Security Forum should engage on the topic of cybersecurity, and the Internet of Things and security.

Outputs

Specific outputs include suggested edits to the data principles paper, which were captured and which will be reviewed by the working group. Other actionable items are captured in Next Steps below.

Next Steps/Actions

Specific actions captured during the members' meeting included:

  1. Proposal to hold a special interest meeting inviting academics teaching FAIR to meet for one day in Baltimore to discuss and compare notes. Action for CXOWARE to connect other academics to Mike Jerbic and Jim Hietala. Mike to think about an agenda. Jim to coordinate with the events team. Follow-on proposal to solicit FAIR analysis from students in a competition, with a small scholarship award for winning papers, and providing a publication vehicle for papers.
  2. Request to add links to the FAIR Pocket Guide and student guide documents to the Open FAIR web page and to the security standards web page. Jim to coordinate with the marketing team.
  3. Following discussions on both cybersecurity and risk, there was consensus that a White Paper aimed at Boards and Senior Management, about communicating on cybersecurity and risk, would be a valuable paper to produce. There is a general feeling that there might be multiple deliverables here, aimed at different audiences (Boards, CEOs, CIO/CISO, and managers). There was also discussion of perhaps doing a survey of Boards/CEOs to understand their needs and pain-points first. Mike to draft a charter, which will then be circulated to recruit contributors.
  4. Idea to conduct a "town hall" type web meeting/webex, with two different audiences. The first is internal, to highlight the various work streams to all member companies, get input on other new project possibilities, and seek more contributors. The second would be a similar externally-focused webex, making the work more visible. Jim to schedule and coordinate.
  5. Regarding the Open FAIR level 2 certification, there was discussion regarding how the test will be structured, what it will test, and what the test platform's capabilities are for more complex risk scenarios. Jim to research this and compare it to the draft conformance requirements.
  6. Discussions regarding risk, cybersecurity, systemic risk, and FAIR led to a discussion of how well FAIR adapts to very large systemic risk scenarios. Dave Hornford offered to explore/research, and report back in Madrid.
  7. We discussed possibly writing a blog, and conducting a tweetjam on the topic of IoT and security. Jim to discuss with The Open Group marketing staff.
  8. Mike described a paper he will propose to the ABA Cyberlaw group, regarding how the IoT is changing perceptions of property rights. When he has an abstract prepared, he will share it with the Security Forum to see if there is interest in publishing it from The Open Group.
  9. Suggestion that in advance of any serious IoT security work, The Open Group should undertake a detailed analysis of other IoT standards efforts that are underway at other standards organizations. We need a volunteer with interest in this area to do this. There was also a suggestion that the healthcare/mobile device area would be a good entry point for IoT and security.
  10. The group reviewed the current draft data principles paper, and comments and feedback were captured for the first half of the paper. Jim to incorporate these comments and schedule an informal review of the paper, followed by a web meeting to discuss the comments received. There was a fair amount of concern among members present that the paper is too much of an aspirational statement of how things ought to be, too far removed from the realities around data, and that, as a result, it may be difficult to reach consensus. Therefore, we think that having an informal review to capture a broad set of member opinions is a good next step.

Links