Notes from Megameeting 12th January 2009

Attendees:

BarbaraSierman Koninklijke Bibliotheek, Netherlands
HelenTibbo UNC
JohnGarrett GSFC
KatiaThomaz INPE
MarieWaltz Center for Research Libraries
MarkConrad NARA
RobertDowns CIESIN, Columbia University
SimonLambert STFC

Sections C3.2 and C3.3 of the working document were discussed and amendments were agreed. Work will resume next time from C3.4.

Actions:

  • MarkConrad to make agreed changes to C3.2 and C3.4.
  • Others to complete actions from last week's meeting.

Although January 19th is a holiday in the US, the meeting will go ahead on that day since sufficient people seem to be available.

Mark Conrad >> (All): We were discussing whether or not we should meet next 
week. Next Monday is a Federal Holiday here in the U.S.
JohnGarrett >> (All): The government folks at our site get off, but in general 
contractors need to work on Feb 20.
Mark Conrad >> (All): John, What about the 19th of January?
Mark Conrad >> (All): Let me ask the question this way... Who will be available 
to meet next week?
JohnGarrett >> (All): Actually for my company, the company has decided to let 
the holiday on the 19th be used either on the 19th or 20th.  So I can go either 
day.
JohnGarrett >> (All): I can be available
Helen >> (All): Ah, I hadn't realized that MLK Day and Inauguration Day were 
back to back this year - very appropriate!
SimonLambert >> (All): I think David and I would be available on 19
KatiaThomaz >> (All): I can
Helen >> (All): I can if enough other folks are going to participate
RobertDowns >> (All): I am off, but expect to be available unless my family has 
made plans for me.
Mark Conrad >> (All): Ok. It looks like the majority of folks will be available. 
I will not be available and Bruce will not be available, but we can catch up 
with you all the following week.
Mark Conrad >> (All): So how should we proceed today? I have not completed my 
redraft of B. 6. Bruce is not here to discuss his redraft of C1.1 to C1.3. 
Marie, are you ready to discuss C.1.4-6? 
Marie Waltz >> (All): I am not ready, sorry, it went totally out of my head, 
last week was busy.
RobertDowns >> (All): I updated C.3.2 - C.3.4
Mark Conrad >> (All): So should we cover C.3.2.-C.3.4. or John, do you want to 
discuss C.1.7-10 first?
Helen >> (All): Thank you Robert and John!
JohnGarrett >> (All): Hi sorry, my connection dropped out there.  I'm OK 
addressing either one.
Mark Conrad >> (All): Yes, Thank you. 
Marie Waltz >> (All): I think we should do C3 it is sort of stand alone, and we 
need to look at the flow as much as the individual metrics.
Mark Conrad >> (All): Ok. Let's look at C.3.2. then.
Mark Conrad >> (All): C.3.2. looks great to me.
BarbaraSierman >> (All): hi all
Mark Conrad >> (All): Hi Barbara.
Mark Conrad >> (All): Any comments on Robert's proposed text for C.3.2.?
JohnGarrett >> (All): Looks OK to me.
KatiaThomaz >> (All): no comments
Helen >> (All): c3.2 looks fine to me.
Mark Conrad >> (All): Any objections to C.3.2. as written? Going once.. Going  
twice..
BarbaraSierman >> (All): ok, but it is related to 3.1
BarbaraSierman >> (All): and where do you find the defined security needs?
KatiaThomaz >> (All): see this comment: ChrisRusbridge - 18 Jul 2007 - Better 
surely to say that the repository maintains adequate security protection for the 
task in hand, following codes of practice such as ISO 27000 etc (plus perhaps 
the FIPS and other equivalents), with evidence being relevant certification... 
KatiaThomaz >> (All): in the old version...
Mark Conrad >> (All): Barbara, My understanding is that the security needs are 
identified in the analysis to be carried out in C.3.1.
Helen >> (All): I think this has to be somewhat general in that security 
threats, while perhaps of specific types, are always changing so citing 
standards that also must be kept up to date.
BarbaraSierman >> (All): ok, there is the connection
Helen >> (All): C3.2 will be more specific than C3.2
Mark Conrad >> (All): Katia, Are you saying that a change needs to be made to 
C.3.2. based on Chris Rusbridge's comment?
Helen >> (All): That's c3.1 will be more specific
KatiaThomaz >> (All): maybe
Mark Conrad >> (All): Katia, What change are you suggesting?
JohnGarrett >> (All): We could add ISO 27000 certification to the examples
KatiaThomaz >> (All): i think substitute ISO 17799 to 27000...
Mark Conrad >> (All): Why not have both?
KatiaThomaz >> (All): but have we decided not to mention any specific standard?
Mark Conrad >> (All): These are examples so they are not mandatory and these are 
ISO standards so that should be ok shouldn't it?
KatiaThomaz >> (All): ok
JohnGarrett >> (All): Yes, I think we decided not to require any other specific 
standard, but I think it would be OK to mention them in examples.
Mark Conrad >> (All): Does anyone object to adding ISO 27000 to the examples 
section for C.3.2.?
Marie Waltz >> (All): No objection
JohnGarrett >> (All): No objection
RobertDowns >> (All): No objection
KatiaThomaz >> (All): no objection
Helen >> (All): no objection
Mark Conrad >> (All): Ok. With that addition is everyone happy with C.3.2.?
KatiaThomaz >> (All): 27000 series
JohnGarrett >> (All): Yes
Marie Waltz >> (All): yes
RobertDowns >> (All): yes
Helen >> (All): yes
JohnGarrett >> (All): That's yes with making it ISO 27000 series certification
KatiaThomaz >> (All): and I think they replace 17799
Mark Conrad >> (All): So the text would read something like, employs the codes 
of practice found in the ISO 27000 series of standards?
RobertDowns >> (All): That seems appropriate.
KatiaThomaz >> (All): good
JohnGarrett >> (All): No, I was just thinking of adding it as an example of a way a 
repository can meet this requirement.
JohnGarrett >> (All): OK, I guess that's where you intended to add it also
Mark Conrad >> (All): I am not sure I understand why we would want to drop ISO 
17799 certification from the list of examples.
Mark Conrad >> (All): John, I meant to add the phrase about the ISO 27000 series 
to the examples section.
JohnGarrett >> (All): I don't think we need to drop 17799.  I think it is still 
an active standard
JohnGarrett >> (All): Yes, Mark, that's what I figured out.  OK with me.
KatiaThomaz >> (All): Remembering ISO/IEC 17799:2005 Information technology -- 
Security techniques -- Code of practice for information security management 
Mark Conrad >> (All): I was suggesting something like, ISO 17799 certification; 
system control list; risk, threat, or control analyses; addition of controls 
based on ongoing risk detection and assessment, employs the codes of practice 
found in the ISO 27000 series of standards. 
Mark Conrad >> (All): Katia, Are you suggesting that ISO 17799 would be better 
placed under C.3.1.?
KatiaThomaz >> (All): no
Mark Conrad >> (All): Then what are you suggesting?
KatiaThomaz >> (All): it is ok if you keep ISO 17799, but the 27000 series comes to 
substitute that
Mark Conrad >> (All): The ISO 27000 portal does not specifically cite ISO 17799 
as a related standard. It does indicate that many of the ISO 27000 standards are 
yet to be developed. I would include both in the examples.
KatiaThomaz >> (All): for example 27002 is the same 17799
Mark Conrad >> (All): Does anyone object to: "ISO 17799 certification; system 
control list; risk, threat, or control analyses; addition of controls based on 
ongoing risk detection and assessment; employs the codes of practice found in 
the ISO 27000 series of standards.
JohnGarrett >> (All): OK with me.
Helen >> (All): This sounds fine
RobertDowns >> (All): Ok with me, too.
KatiaThomaz >> (All): ok with me
Marie Waltz >> (All): It's fine
BarbaraSierman >> (All): ok
Mark Conrad >> (All): Ok. On to C.3.3.
Mark Conrad >> (All): C.3.3. looks ok to me. Does anyone else have any comments?
BarbaraSierman >> (All): no, I have not
Marie Waltz >> (All): Not me
Helen >> (All): no
KatiaThomaz >> (All): ok for me
JohnGarrett >> (All): I think the text here is OK, but I have a question of 
placement of this requirement.   Not sure why this and C3.4 are in the security 
section.  
JohnGarrett >> (All): I had other items discussing change control up in C1 and 
had a requirement regarding security updates in C1 that probably belongs down 
here.
Helen >> (All): System change would be a clear point of risk - greater risk than 
day-to-day operations. Is that why it is singled out here?
Mark Conrad >> (All): John, I believe that C.3.3. is about compartmentalization 
of authority for changes to the system.
Mark Conrad >> (All): Where would you put that if not under security?
JohnGarrett >> (All): I don't have a problem with the requirement, but all the 
other change control stuff seems to be in C1 - System Infrastructure.  I think 
all the change control stuff should be grouped together in one of the sections. 
JohnGarrett >> (All): I don't think of compartmentalization of authority as only 
a security requirement.  I don't think we need to solve this today.  We can look 
at it again when we go through C3.1.
Mark Conrad >> (All): Ok. So is the text of C.3.3. acceptable to everyone? 
Should we add the phrase to the examples section about the ISO 27000 series like 
we did in C.3.2.?
KatiaThomaz >> (All): ok
BarbaraSierman >> (All): ok
Marie Waltz >> (All): ok
Helen >> (All): yes
RobertDowns >> (All): ok
Mark Conrad >> (All): Ok as written or ok with the ISO 27000 addition to the 
examples section?
KatiaThomaz >> (All): with 27000
Marie Waltz >> (All): with 27000
BarbaraSierman >> (All): with 27000
Helen >> (All): OK
JohnGarrett >> (All): OK to add 27000
RobertDowns >> (All): with 27000
Mark Conrad >> (All): Very good. On to C.3.4.
Mark Conrad >> (All): I would suggest adding the ISO 27000 series to the 
examples section here.
Mark Conrad >> (All): Other than that I believe it is fine as written.
Mark Conrad >> (All): Does anyone else have comments?
Marie Waltz >> (All): Should specific disaster plans be "appropriate to the 
physical location?"
JohnGarrett >> (All): The "unspecified situations" wording under discussion 
could be changed to something like "situations not covered elsewhere in the 
plan"
BarbaraSierman >> (All): I agree John
Helen >> (All): It seems there might be specific plans for "standard" types of 
disasters and something more general for unforeseen disasters. I know the whole 
point of a disaster plan is to avoid/recover from the unforeseen, however, new 
things come along all the time like Bird Flu and no one could report to work, 
etc.
Mark Conrad >> (All): John, I disagree. I think the way that unspecified 
situations is used here is to say, there may be any number of unspecified 
reasons why you can't access the building, but you must have a plan that 
addresses not being able to enter the building.
KatiaThomaz >> (All): about ISO 17799 and the ISO 27000 series I ask you to see 
http://www.17799.com/
Helen >> (All): Right, that's what I am getting at with the Bird Flu example. 
What happens if the building is closed due to radon? What is the backup 
procedure? Clean suits or a mirror site?
Mark Conrad >> (All): Katia, Is there something specific you want us to look at 
on that page?
BarbaraSierman >> (All): oh, I did not read it that way
KatiaThomaz >> (All): for example: 1) Why has ISO 17799 been renamed to ISO 
27002? The rename was initiated by ISO, who wanted to align the information 
security standards under a common naming structure (the 'ISO 27000 series'). 
KatiaThomaz >> (All): and more...
Mark Conrad >> (All): So are you suggesting taking out the references to ISO 
17799?
KatiaThomaz >> (All): yes because ISO 17799 was renamed to ISO 27002
Mark Conrad >> (All): Does anyone object to removing the references to ISO 17799 
and just inserting the phrase about ISO 27000 series in the examples sections of 
C.3.2. - C.3.4.?
Marie Waltz >> (All): I'm beginning to wonder if we need something so specific.
JohnGarrett >> (All): Mark, I didn't read it that way, but if that is what is 
intended then I think it needs to be reworded as "situations resulting from any 
number of unforeseen reasons".
JohnGarrett >> (All): I also think we need the discussion of unspecified 
situations.
Mark Conrad >> (All): What are you suggesting for the discussion?
JohnGarrett >> (All): It's OK with me to remove 17799.  Not sure why ISO doesn't 
just remove 17799 from its list of standards if it is identical to 27002.
KatiaThomaz >> (All): I vote to remove ISO 17799 and I must leave you now. Have 
a nice week and bye.
Mark Conrad >> (All): Bye, Katia.
KatiaThomaz >> (All): thanks too.
Mark Conrad >> (All): I have to leave now too. I will make the agreed changes to 
C.3.2. and C.3.3.
Mark Conrad >> (All): Simon, Can you grab the chat?
Marie Waltz >> (All): OK bye
SimonLambert >> (All): Yes OK
Mark Conrad >> (All): Thank you. I guess you can pick up with C.3.4. next week. 
I will talk to you in two weeks.
Helen >> (All): Bye
SimonLambert >> (All): Bye

-- SimonLambert - 12 Jan 2009

Topic revision: r1 - 2009-01-12 - SimonLambert