Link to IAWG Roster
As of 2015-11-05, quorum is 5 of 9
Meeting achieved quorum
Motion to approve minutes of 2016-02-25: Andrew Hughes
Seconded: Lee Aber
Discussion: Andrew suggests minutes need Confluence artifacts removed, Scott agrees.
1. Excel service assessment criteria - any new comments? Ken Proposes that we as IAWG approve the work tool and put it out for 45 day review. Scott seconds. Action item - Scott Shorter to follow up with Ruth on getting it out for 45 day review.
2. Statement of requirements update forthcoming, Ken apologizes for delay. Thanks for the comments thus far.
3. Presentation from Hannah Short from CERN April 7th 10am PST 1PM EST. Authentication and authorization for research security and incident response. Don't forget clocks change soon.
4. Take a look at IAWG charter and bring discussion forward with that. If no changes to make, please let us know. Last Charter
5. TFS solutions synch meeting. Frustration expressed that government people were not attending the meeting. KI and InCommon and SBP will be sending note to FICAM and NIST. If not the monthly meetings will be put on hold.
Discussion of the privacy audit criteria. OECD has privacy criteria, eight principles, collection limitation , data quality purpose specification, use limitation, security safeguards, openness participation, accountability. AI: Ken to send the text and the link to the test. "The privacy of the subject is respected" - high level mission statement.
RGW: we should keep an open mind whether existing criteria can simply be used as is, many existing criteria can be used for privacy when viewed correctly.
Andrew: a quick survey of what's out there, gap analysis, begin work.
Ken: what others do we know of?
Andrew mentions privacy by designengineering principles, FIPPS, FICAM, FCC's privacy rules.
Scott: is this worth trying to get KI funding for?
Andrew: do we need a scope or charter for this? Ken: will undertake to do that.
RGW: doesn't see the need for it. IS there a call from the marketplace for such a thing?
RGW: do agree that there needs to ba focus on how to interpret generic controls when you have privacy as a focus. Maybe approach is not to have privacy criteria per se, but to profile the criteria. Did the FIPPS principles, repurpose of existing SAC criteria. There's a gap in KI's ability to meet FICAM requirements,
Ken cites the reference to privacy requirements in TFPAP 2.0.2, 2014: https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNKRAA4&field=File__Body__s
Andrew: controlling documents - ICAM approved submission page: ICAM Approved Submission
Scott and RGW mention that privacy criteria are part of CSPs responsibility to cover compliance since that is not covered by the SAC. RGW creating a profile, to apply criteria in a specific context. Doesn't diminish criteria, shows how to use them In a particular context. Maximizes reuse.
Christine: IDESG is looking at complementary programs such as KI, for each program, come up with a way of on boarding the participants that are certified at a certain level.