London 2016: Proceedings - Security Forum

Security Forum Members' Meeting

Objective of Meeting

The objective of the meeting was to address the following topics:

  • Elections
  • Agile Methods
  • Security Architecture Practitioner’s Project
  • Roadmap
  • Open FAIR™
  • Other White Paper/Guide Development

Summary

Elections

A discussion was held on a new model for officers for the term beginning June 2016. A proposal was made to move from a Chair/Vice-Chair model to two equal Co-Chairs, to help distribute the workload and to ease travel logistics. This model was approved. Elections will be held during the month of May; a call for nominations will be made the week of May 9. The regular term for a Co-Chair is two years. The requirements for a Co-Chair are:

  • A Co-Chair nominee must have the support of their member organization’s management.
  • A Co-Chair must be committed to attending at least two face-to-face meetings per year.
  • Each Co-Chair will be responsible for, and focused on, specific projects; together the Co-Chairs are responsible for coordinating activity between them as well as for overall Forum strategy and direction.
  • It is preferable that one Co-Chair be North American-based and the other European-based.

The term of the Co-Chairs will be staggered with the election of a Co-Chair in alternating years. To facilitate this schedule, for this first election:

  • Co-Chair 2 will have a two-year term.
  • Co-Chair 1 will have a one-year term followed by a two-year term, with each subsequent term being two years.

This model has been reviewed and approved with no dissenters at both the last Steering Committee and before the whole of the attending Security Forum representatives at the London event.

Agile Methods

The Security Forum has been investigating methods and tools that would support more effective collaborative production of documents in a distributed and virtual environment. With the support of The Open Group management, it was decided to conduct a voluntary "proof-of-concept" using a third-party tool. Areas of concern in evaluating suitability include the following:

  • Security
  • Transparency
  • Requirements of government members versus industry members
  • Usability, learning curve
  • Conversion from markdown to Microsoft® Word and other formats
  • Long-term archiving and recovery (think 100 years, “hall of records” concept)
  • Single sign on
  • Interfacing with Plato
  • Scalability/costs/simultaneous users
  • Data encryption
  • Location of data
  • Business Continuity (what if third party fails as an organization)

We have currently settled on Ardoq (ardoq.com) for this initial trial. Most of the individual initiatives within the Security Forum have asked to participate. Capgemini has arranged a temporary working arrangement with Ardoq that allows the Security Forum to complete its document objectives over the next year. The Open Group is negotiating a potential agreement with Ardoq suitable for a "voluntary standards consensus body"; this is a bit more complicated than was first thought. The Open Platform 3.0™ Forum has also asked to participate within the Security/Open Platform 3.0 joint initiative. Thorbjørn Ellefsen is leading this initiative and will provide the on-boarding and support of representatives.

Security Architecture Practitioner’s Project (formerly TOGAF Security Project (TSP))

The following is the confirmed initial selection of topic areas for the Security Practitioner’s Series of Guides to be completed and published roughly by January/March 2017:

  1. What is Security Architecture? (Ron Jeffers/Christian Marks)
  2. Security versus Privacy (John “Randy” Caraway)
  3. Risk Management and Governance (John Sherwood)
  4. Security Services (Pascal de Koning)
  5. Business Continuity (Thorbjørn Ellefsen)
  6. Requirements Management for Security (Thorbjørn Ellefsen)
  7. Stakeholder Communications (Thorbjørn Ellefsen)
  8. ERM/ISM (Enterprise Risk Management/Information Security Management), to be considered as stand-alone guides and as possible submissions to the TOGAF ADM (participants TBD)
  9. Plus an overview guide that introduces the series

At this time, the Security Practitioner’s Series of Guides is conceived as a composition of 12 distinct guides. The planned development of the remaining guides will begin in the January 2017 timeframe.

Roadmap

A review of the current roadmap and projected schedules of individual initiatives was conducted.

Open FAIR™

Mike Jerbic gave a presentation on the status of, and led a discussion on, the development of an academic program as a means of engaging academia with Open FAIR. The primary goal is to develop the next generation of certified Open FAIR practitioners and potential Open Group members. The focus was on how to reach undergraduate/graduate educators, promote The Open Group Security Forum standards (such as Open FAIR) to them, and engage students with The Open Group. The main areas concentrated on were student recognition, student competition for small scholarships, student participation in the Security Forum to support approved projects as an alternative to more senior representatives, and internship development for students.

  • Note that San Jose State University (SJSU) has joined the Security Forum as our first Academic Member.
  • Steve Nunn will be presenting at the SJSU commencement exercises, awarding three students who recently received their Open FAIR certification.
  • By the start of the Austin Members' meeting in July we would like to have our first intern working on harmonizing the current version of the Open FAIR standard with the Jack Jones book. This would result in the refresh and reintroduction of the Open FAIR standard. Part of this is working out the funding mechanism/vehicle through The Open Group with the sponsor Capgemini.

An Open FAIR track has been proposed for the Austin Members’ meeting. It will have two parts:

  1. Open Session: Making Projects Work: How academics, students, and industry can collaborate to accelerate standards, a panel discussion
  2. Open Session: Open FAIR Symposium, an overview of Open FAIR with real examples of its application and results. We may want to run this session a second time at the Paris Members’ meeting.

Other White Paper/Guide Development

  • Open FAIR to STIX Mapping White Paper: This project will map concepts, terms, and definitions from Open FAIR to STIX, a threat information expression language standard initially developed by MITRE and now being standardized by OASIS. Chad Weinman will be the Work Group Chair and is leading this project. A call for participation is expected by the week of May 16. There have been some issues getting this project off the ground.
  • Open FAIR Process Guide: Eva Kuiper (Work Group Chair) has created a first draft of the Process Guide using the ISO 27005 – FAIR Cookbook as a template. There was a suggestion from Jim May that we might consider using the case study/example FAIR analysis that Metaplexity developed as a part of the training materials as input to the Process Guide. The Work Group meets weekly and is making steady and consistent progress. No member of the Work Group was able to attend the London event. A link to the approved Charter is supplied in the Links section below.
  • Meaning of “Risk” White Paper: The discussion of the term “risk” and its meaning never seems to lack grounds for long debate. It has been determined that a White Paper discussing the different perspectives from within industry would be useful. A charter proposal has been produced, reviewed, and approved in a previous Steering Committee meeting. The basic premise is to create a bridge forward from old thinking to a more expanded view and to address some of the conflict currently in the industry. A basic outline for the White Paper has been completed. A call to participate is expected within the next couple of weeks. The target date for publication is within the 2016 calendar year. The URL to the Charter is provided in the Links section below.

Outputs

A new model for election of officers has been reviewed and approved with no dissenters at both the last Steering Committee and before the whole of the attending Security Forum representatives at the London event.

Next Steps

  • A call for nominations of officers will be made the week of May 9.
  • Thorbjørn Ellefsen is leading this initiative and will provide the on-boarding and support of representatives into the Ardoq system.
  • Steve Nunn will be presenting at the San Jose State University commencement exercises, awarding three students who recently received their Open FAIR certification.
  • By the start of the Austin Members' Meeting in July we would like to have our first intern working on harmonizing the current version of the Open FAIR standard with the Jack Jones book. This would result in the refresh and reintroduction of the Open FAIR standard. Part of this is working out the funding mechanism/vehicle through The Open Group with the sponsor Capgemini.
  • Development of the Open FAIR track for the Austin Members’ Meeting in July.
  • Call for participation in the Open FAIR to STIX Mapping White Paper.
  • Call for participation in the Meaning of “Risk” White Paper.

Links
