Kantara Initiative Identity Assurance WG Teleconference

 

Date and Time

Agenda

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Minutes Approval: 
    4. Action Item Review
    5. Organization Updates - Director's Corner
    6. Staff reports and updates
    7. LC reports and updates
    8. Call for Tweet-worthy items to feed (@KantaraNews or #kantara)
  2. Discussion
    1. Kantara IAF-1401 (Excel SAC) - ready for a vote?
    2. Review statement of requirements for SAC update task
    3. Reminder of presentation from Hannah Short of CERN
    4. Review of IAWG Charter
    5. Report out on TFS sync meeting
  3. AOB
  4. Adjourn

Attendees

Link to IAWG Roster

As of 2015-11-05, quorum is 5 of 9

 

Meeting achieved quorum

 

 

Voting

Non-Voting

Staff

Apologies

 

 

 

Notes & Minutes

Administration 

Minutes Approval

Motion to approve minutes of 2016-02-25: Andrew Hughes 
Seconded: Lee Aber
Discussion: Andrew suggests minutes need Confluence artifacts removed, Scott agrees.
Motion Carried 

Action Item Review

Staff Updates

Director's Corner Link
LC Updates
Participant updates

Discussion

1. Excel service assessment criteria - any new comments? Ken proposes that we as IAWG approve the work tool and put it out for 45-day review. Scott seconds. Action item - Scott Shorter to follow up with Ruth on getting it out for 45-day review.
2. Statement of requirements update forthcoming; Ken apologizes for the delay. Thanks for the comments thus far.
3. Presentation from Hannah Short of CERN, April 7th, 10am PST / 1PM EST: authentication and authorization for research security and incident response. Don't forget clocks change soon.


4. Take a look at IAWG charter and bring discussion forward with that. If no changes to make, please let us know. Last Charter

5. TFS solutions sync meeting. Frustration expressed that government people were not attending the meeting. KI, InCommon and SBP will be sending a note to FICAM and NIST. If not, the monthly meetings will be put on hold.

AOB

Privacy Criteria

Discussion of the privacy audit criteria. OECD has privacy criteria, eight principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, participation, accountability. AI: Ken to send the text and the link to the test. "The privacy of the subject is respected" - high level mission statement.

RGW: we should keep an open mind whether existing criteria can simply be used as is, many existing criteria can be used for privacy when viewed correctly.

Andrew: a quick survey of what's out there, gap analysis, begin work.

Ken: what others do we know of?

Andrew mentions privacy by design engineering principles, FIPPS, FICAM, FCC's privacy rules.

Scott: is this worth trying to get KI funding for?

Andrew: do we need a scope or charter for this? Ken: will undertake to do that.

RGW: doesn't see the need for it. Is there a call from the marketplace for such a thing?

RGW: do agree that there needs to be a focus on how to interpret generic controls when you have privacy as a focus. Maybe approach is not to have privacy criteria per se, but to profile the criteria. Did the FIPPS principles, repurpose of existing SAC criteria. There's a gap in KI's ability to meet FICAM requirements,

Ken cites the reference to privacy requirements in TFPAP 2.0.2, 2014: https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNKRAA4&field=File__Body__s

Andrew: controlling documents - ICAM approved submission page: ICAM Approved Submission

Scott and RGW mention that privacy criteria are part of the CSP's responsibility to cover compliance, since that is not covered by the SAC. RGW creating a profile, to apply criteria in a specific context. Doesn't diminish criteria, shows how to use them in a particular context. Maximizes reuse.

Christine: IDESG is looking at complementary programs such as KI; for each program, come up with a way of onboarding the participants that are certified at a certain level.

Attachments

 

Next Meeting