Serverless

Meeting Minutes 15th of July.

    Posted Jul 21, 2022 08:45:00 AM
    Edited by Marina Bregkou Jul 21, 2022 08:55:08 AM
    Dear Serverless working group members,

    Here are the notes from the meeting the working group had on the 15th of July.

    Regarding work on the 'NIST controls for Serverless FaaS focusing in Security and Compliance (Control families based on NIST 800 - 53, rev.5)' document:
    • Reviewers were assigned to cross-check the sub-controls of each control family
    • Missing control families that have no author: AT - Awareness and Training
    • Control Family that has no sub-controls matched is that of SA: System and Services Acquisition assigned to @Rajiv Gunja
    • Discussed that Data Management (mTLS, data encryption at rest, etc.) in the context of Serverless is an overall entity level control.
    Action points:
    • Marina to contact Rajiv @Rajiv Gunja and see if he's available to finalize his category of RA - Risk Assessment and SA - System and Services Acquisition.
    • Brynna @Brynna Nery to finalize columns G (Implementation Details for Serverless) and H (Why is it Relevant for Serverless) for her control category 'AC: Access control'.
    • Eric Peeters to finalize column G for his control category 'AU: Audit and Accountability'
    • Vishwas @Vishwas Manral to fill out columns G and H for his control category 'CA: Assessment, Authorization, and Monitoring'
    • Vani @Vani Murthy to finalize column H of her control category 'IA: Identification and Authentication'. Lines 88, 89, 90, 91, 93, 96, 97, 98 are missing.
    • Rajiv @Rajiv Gunja to fill out columns G and H for his control category 'RA: Risk Assessment' and to identify the sub-controls for the 'SA: System and Services Acquisition' control category.
    • Vishwas @Vishwas Manral to fill out columns G and H for his control category 'SC: System and Communications Protection'.
    • Eric Peeters to finalize column H for his control category 'SI: System and Information Integrity' and fill out column G.

    Assigned reviewers that will cross check the identified sub-controls as well as the justification in columns G and H:

    Reviewer           Control Category
    Joseph Arcelo      1.  Access Control
                       2.  Awareness and Training
                       3.  Audit and Accountability
    Vrettos Moulos     4.  Assessment, Authorization, and Monitoring
    Vrettos Moulos     5.  Configuration Management
    Tom Koval          6.  Identification and Authentication
                       7.  Risk Assessment
                       8.  System and Services Acquisition
                       9.  System and Communications Protection
    Aradhna Chetal     10. System and Information Integrity


    Next working group call:
    Friday, 29th of July, at 09:00 a.m. PST / 12:00 p.m. EST / 17:00 GMT / 18:00 CET
    url: https://zoom.us/j/98681420926  (Meeting ID: 986 8142 0926)

    Kind regards,

    Marina
    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------