Hi everyone, please find below the minutes from our recent workshop session.
Agenda Items (AIs)
1. CCMv4.0 mapping projects and their progress status
2. CCMv4.0 Implementation Guidelines final review
3. AoB
Participants (7):
Angell Duran
Bala Kaundinya
Claus Matzke
Vani Murthy
Johan Olivier
Thomas Sager
Lefteris Skoutaris (PM)
Meeting Minutes (MMs)
1. CCMv4.0 mapping projects and their progress status
CCMv4.0 - TSC 2017 Mapping
- Mapping is complete,
- 17/17 domains have been mapped and reviewed by CCM WG professionals and validated by the AICPA group,
- Lefteris (PM) to adjust the mapping to CSA's presentation style prior to publication by 6/5 (AP1).
2. CCMv4.0 Implementation Guidelines final review
- CCMv4.0 IG document used for the review (includes open peer review + Google's comments),
- The WG kicked off the final review of the CCMv4.0 Implementation Guidelines on 22/4,
- The review will be conducted by 3 groups and in 4 phases (see snapshots below) and will be supervised by CCM WG co-chair Harry Lu,
- Claus and Johan asked whether the auxiliary verbs 'should/may' are to be consistently used in the IGs instead of 'must/shall', based on a comment provided by Google to replace the latter with the former in one of the controls. The group agreed that IGs are developed in the form of recommendations, and adhere to organizations' best practices for the implementation of CCM controls, hence the verbs 'should/may' seem more appropriate, as also agreed in past meetings of the CCM WG,
- Phase 2 contains a list of activities that are to be followed by professionals per domain review (see bullet points below),
- All professionals are kindly invited to provide their feedback under Phase 2 activities by May 6th (deadline).
3. AoB
- Next CCMv4 workshop call is scheduled on May 6th, 6 pm EEST (9 am PST/ 5 pm CET/ 12 pm EST).
- Next CCMv4.0 Implementation Guidelines 2 hours review session (with Harry) is scheduled on May 7th.
Action Points (APs)
AP1: Lefteris (PM) to adjust the mapping to CSA's presentation style prior to publication.
AP2: The BCR domain is pending a 2nd review by Johan who offered to be 2nd reviewer and carry on the activity.
AP3: The SEF domain is pending final consolidation of 3 comments received from Geoff.
Please let me know if anything important is missed above.
Thank you all for being active and supporting us!
Best regards,
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------