International Standardization Council

Minutes from the OCF WG Meeting Held Thursday October 10, 2024

    Posted Oct 10, 2024 10:58:00 AM

    Meeting Summary for Open Certification Framework WG Meeting
    Oct 10, 2024 08:56 AM Central Time (US and Canada), Meeting ID: 824 4620 8798. Attendees: John DiMaria, read.ai meeting notes, Gary Nelson, John Yeoh, HoD US, Hibbard Eric (IEEE CS, SC 38, DMTF), SwamiR, Eric Hibbard, Lefteris Skoutaris, Ryan Mackie, Abhishek Yadav, Tim Dafoe, Gov. Ontario Cyber, Willy Fabritius.


    Quick recap
    John DiMaria led a meeting discussing the aftermath of a hurricane and the launch of the CAIQ-Lite, emphasizing the importance of critical controls for organizations. Lefteris provided updates on ongoing projects, including a major upgrade to the CCM and the addition of 20 new controls. The meeting also covered the AI initiative, with John Yeoh providing an overview of a draft of around 30 new controls specific to AI. The conversation ended with discussion of forming an OCF subgroup focused on the AI initiative and the STAR for AI program.

    Action Items
    John DiMaria to issue a call for volunteers for OCF co-chair position.

    Eric Hibbard to review OCF policies, procedures, and charter for potential adjustments.

    John DiMaria to implement a roster and voting structure for OCF starting January 2025.

    OCF members will review OCF documents and charters for 2025 initiatives in January.

    John Yeoh to loop in Brian Russell from CSA IoT group on the T-SECTS project.

    Summary
    Hurricane Impact and CAIQ-Lite Launch

    John DiMaria led a meeting discussing the aftermath of the hurricane and its impact on team members. He mentioned that Tyler had left his position, with John temporarily taking over his duties. The launch of the CAIQ-Lite was discussed, which had gone off without a hitch. John clarified that the CAIQ-Lite is not permitted for Level 2 certifications or attestations and is intended primarily for Level 1 submissions. He encouraged everyone to review the CAIQ-Lite and its FAQ for further understanding.

    Critical Controls, CCM Upgrade, and Industry Initiatives

    John DiMaria emphasized the importance of critical controls for organizations, regardless of size or budget, and encouraged the team to familiarize themselves with these controls. Lefteris provided an update on the upcoming major upgrade to the CCM, aligning it with evolving technologies and enhancing security best practices, which is expected to be completed around Q3 2025. Lefteris also discussed ongoing projects, including a working group on performance controls, mapping activities with the automotive industry, and the addition of 20 new controls, which will require a transition period. Lefteris mentioned a new initiative to define technical controls for SaaS service providers, with a draft expected in December. John DiMaria announced two significant updates: the NIST CSF Compendium Crosswalk for Cloud now includes mappings to the CCM and the reverse mapping, and the ENX TISAX mapping has been completed, which is significant for the automotive industry. John also expressed interest in discussing a potential STAR for Automotive with ENX.

    AI Initiative Overview and New Controls Discussion

    John DiMaria initiated a discussion about the AI initiative, seeking input from John Yeoh. John Yeoh then provided an overview of the AI initiative, explaining that it involved two groups assessing existing cloud controls and AI threat taxonomies. The first group evaluated the applicability of existing controls to artificial intelligence, while the second group developed new controls to prevent threats such as data poisoning and prompt injection. The result was a draft of around 30 new controls specific to AI. John Yeoh also mentioned that the meeting was productive and involved representatives from different countries and industries.

    AI Initiative and Star for AI Subgroup

    John DiMaria proposed forming an OCF subgroup focused on developing schemes and processes related to the AI initiative and the STAR for AI program. The subgroup would align with international standards such as ISO/IEC 42001 and report progress to OCF meetings. Gary Nelson expressed interest in participating in the subgroup for the TISAX STAR initiative. John Yeoh suggested involving Brian Russell from the CSA IoT group because of potential synergies with the IoT matrix, particularly in automotive and manufacturing contexts.

    Standards Updates and Cloud Operational Resilience

    John DiMaria introduced Eric Hibbard, who provided an overview of significant developments in standards updates. Eric discussed the progress of security and privacy standards in SC 27 and SC 38, and the updates to the cloud SLA framework. He also mentioned the potential for a minor revision to the privacy information management system standard (ISO/IEC 27701), which could become a standalone management system standard. Eric and John are involved in a cloud operational resilience project, which may be jointly developed with SC 38. Lastly, Eric hinted at a potential revision to ISO/IEC 27001, including discussions about the future of Annex A.

    Convener Transition, SC 27 Meetings, and Standardization Progress

    Eric discussed the transition from Johann Amsenga to Fal Con (spelling uncertain) as the new convener, emphasizing the importance of avoiding duplication with IEEE. He also mentioned upcoming SC 27 meetings in March and September, and the progress of standardization activities in organizations such as ISO and CSA. Eric agreed to share his findings with John and mentioned his involvement in privacy and security projects in the IEEE Computer Society. John expressed interest in having Eric as a co-chair for the group, given his connections with standardization activities and his experience as an auditor. John also mentioned the addition of Ronald Tse to the group, who is based in Hong Kong and faces challenges in joining meetings.

    Co-Chair Necessity and CSA Operations Reboot

    John DiMaria emphasized the need for at least two active co-chairs to maintain smooth operations and avoid disruption when one is absent. He also mentioned plans to reboot the working group's structure in January, maintaining a roster of voting members. Eric suggested a call for volunteers for the co-chair position, stressing the importance of a diverse mix of candidates. They agreed on a more structured voting process for certain activities, particularly those related to core CSA materials, and planned to review OCF documents and initiatives in January. John suggested having multiple co-chairs for the working group, a practice they had used previously. Eric agreed on the necessity of a healthy structure for the working group's deliverables.

    CSA Subcommittees, Work Groups, and Liaison Relationships

    John Yeoh sought clarification from Eric about the number of subcommittees and working groups with which CSA is engaged. Eric explained that CSA has two formal liaison relationships, one with SC 27 and one with SC 38. He also mentioned discussions about establishing relationships with IoT (SC 41) and AI (SC 42), but these still need to be established. Eric further clarified that CSA can participate in these groups, including making project proposals, but as a liaison organization it does not have voting status like a national body.



    ------------------------------
    JOHN DIMARIA
    CSA
    ------------------------------