The Security Forum members met twice, on Tuesday and Wednesday, and discussed the broad Security Forum projects, and the specific risk possible work items.
Participants: Jim Hietala, Steve Whitlock, Mike Jerbic, Mary Ann Mezzapelle, Steve Borchert, Jack Jones, Chad Weinman, Jim May, Andrew Josey
Security Forum Projects Review
Recommendation and consensus on monitoring activity to look for opportunities for the Security Forum, but not actively engaged at this point.
Discussed security automation and the Security Forum's involvement and role at length.
Action: Jim to write charter.
Action: Steve to start drafting the Vision White Paper.
Action: The Open Group staff and members to socialize this vision with other vendors and standards organizations, and see who we can attract to participate in this work.
The draft standard has been approved.
Action: Plan and do a webcast on the SMA standard (Jim)
Action: Jim to have a question and answer session with David Corlette to discuss blockers, challenges, participants, dependency on DMTF work, etc.
Action: Have Geoff Besko attend a Security Forum steering committee call and present the project and its status in the near future
Jericho Forum Transition Items
(One carry forward item is the Information Protection White Paper, which informs/is input to self-healing security, and also a need for data commandments, which implies doing a set of commandments/principles.)
Discussion on possible future directions and topic areas included:
- Guide on how to use FAIR to implement the NIST Cybersecurity Framework
- Guide on how to use O-ISM3 w/NIST Cybersecurity Framework
- O-ESA, update for Platform 3.0, and connect to NIST Cybersecurity Framework by writing a White Paper or Guide
- Discussed engagement, participation, and recruitment in Security Forum activities
Action: Jim to circulate the current projects summary and plan to the Security Forum mailing list, invite participation, and outline benefits, and then ask if there are other projects people have in mind.
Action: Jim to do a quarterly newsletter on Security across The Open Group (Security Forum, RTES, Architecture Forum, OTTF, and Open Platform 3.0), and promote to the all-members lists.
Members identified a goal – to have project status captured and circulated in advance of each steering meeting, and do a deeper dive on one project per meeting.
Action: Jim or new Forum Director to update project status in advance of each steering call, and to add project leads to the summary report.
Joint Meeting with Open Platform 3.0™ Forum
Mary Ann has volunteered to be Security Forum point person for this effort.
The Security Forum to review/advise on guidance for security in Open Platform 3.0. As we review the use-cases, use this lens:
- Look for security principles that ought to be considered/relied on
- Look for relevant standards (and white papers) to be referenced, whether from The Open Group or from other standards organizations
Action: Jim to supply links/references to The Open Group security documents/standards, including:
Jericho Forum original commandments,
W143, O-SMA, etc.
Risk Work Group Discussion
The group met and produced a draft priority list of possible risk work items for 2014. The list is available at the link provided below.
Action: Jim to circulate to the Risk Work Group list for their review and input, and also to the Security Forum mail list.
The group also discussed the bugs and inconsistencies identified in the O-RA and O-RT standards, and how best to resolve them. Consensus was that we should produce a consolidated list, and then discuss in the Risk Work Group whether to do maintenance releases of each standard, or possibly consolidate them into a single standard.
Action: Jim to build the consolidated list of bugs from emails received, and then discuss on the Risk Work Group call and decide what to do.
The group discussed encouraging more participation from risk practitioners, as well as from new trainers.
Action: Jim to create a message to the Security Forum mail list and to some of the trainers; Steve to do new member outreach to large enterprises, risk consultants, IT-GRC vendors, etc.
The group discussed the need for a risk marketing plan, particularly a Risk Survey project, and the need for case studies.
Action: Jim to work with Patty to build a plan to promote the risk program.
The group discussed Open FAIR commercial policies.
Action: Jim to arrange a discussion on 3/6 risk call to describe The Open Group commercial policies, and to have The Open Group legal there to answer questions.