Information System Security
Assurance Architecture
Working Group (P1700)

Minutes
March 24, 2004


Held at the Johns Hopkins University Applied Physics Laboratory, Laurel, Maryland, USA

Presiding: Jack Cole
Author of these minutes: Jack Cole

  1. PROCESS
    1. Meeting was called to order at 9:30 am ET.
    2. Participants introduced themselves.
    3. Attendance was taken (see attendance list below).
    4. Note takers were solicited.
    5. Agenda was accepted as proposed.
    6. IEEE Patent Policy was reviewed using authorized slide set.
    7. Mailing list and website were reviewed.
    8. Operating procedures were discussed.
      → ACTION: Jack will circulate proposed procedures to the group before next meeting.
    9. IEEE standards development process was reviewed.
    10. P1700 title, scope, and purpose were reviewed.
      → It was decided that the scope and purpose will remain unchanged, but that the title of P1700 will become “Information System Security Assurance Architecture”. References to P1700 shall be changed to reflect the new title and a modified PAR submitted to NesCom (ACTION for Jack).
    11. Discuss Best Approach: Standard, Recommended Practice, or Guide
      → Action held in abeyance until development of the draft indicates the need to change P1700 to other than a standard.

  2. DISCUSSION
    1. Review Stuart Katzke “Big Picture slide” and synopsis.
      → Stuart gave an updated presentation (see website for ISSCA.ppt, especially slide #22 which shows “System Security Activities (Inside) within the System Development Life Cycle (Outside)”).
    2. Begin Development of Requirements Document
      → ACTION for Jack, Stuart
    3. What Components Are Needed for an Architecture?
      → Components already identified by NIST seem sufficient for now.
    4. Should the Common Criteria framework be used?
      → Not relevant for this standard, but if it becomes so, the CC framework can be incorporated by annex.
    5. What other efforts exist, and how can this project co-exist with those without harming the environment of law, standards, policy?
      → The position of P1700 as an architecture is fairly unique, and so is unlikely to collide with law, other standards, policy. It will instead draw upon existing examples of these.
    6. What are the goals of this project, generally?
      → General discussion was held examining the present scope and purpose without change.

Stuart’s presentation triggered a broad discussion of the proposed architecture and where it fits into higher level views of business processes and the system development cycle.

John James presented his slides “MilitarySystemsAndInformationAssuranceStandards3”, and especially slide #11 “Information Assurance Processes” in contributing to this examination.

Another point discussed was that the changing threat has to be monitored as well as the effectiveness of controls against existing threats. Stuart volunteered to address this question, and respond to the group after the meeting. His response to this changing threat question will be posted to the web site.

Finally, a discussion arose about the context of this architecture respecting different business lines and respecting new or existing systems.

It was noted that “system” is used broadly, and includes personnel.

Respecting different business lines and context for these, it was suggested that domain components to the architecture might embody the special requirements for these areas (healthcare, energy, defense, finance, etc).

  1. PROCESS
    1. Assign Sections to Authors/Editors
      → No assignments were made.
    2. Plan next and future Meetings
      → Next Meeting same time and location as this on May 5, 2004.
    3. Review Assignment of Action Items
      → Submit Revised PAR (Jack)
      → Circulate draft Operating Procedures to the WG (Jack)
      → Begin draft standard (Jack, Stuart)
    4. Meeting adjourned at 3:30 pm ET.

  2. ATTENDANCE

T. Scott Ankrum/MITRE
Alicia Clay/NIST
Jack Cole/ARL
John James/USMA
Stuart Katzke/NIST
Charles Kennedy/ARL
Dan Lindner/DoD
John Sforza/ISRisk
Eric Speight/PricewaterhouseCoopers
Nat Subramonian/IDA
Jim Veneziano/JHUAPL
Richard Walker/DISA


updated Thursday, April 1, 2004

This site and all contents (unless otherwise noted) are Copyright © 2004
Institute of Electrical and Electronics Engineers, Inc.
All rights reserved.