International Standardization Council

Meeting summary for International Standards Council Monthly Meeting (02/15/2024)

    Posted Feb 15, 2024 12:09:00 PM
    Edited by JOHN DIMARIA Feb 15, 2024 12:32:09 PM

    Attendees: John DiMaria, Rachelle Summers, Claude Baudoin, Jim Angle, Tyler Messa - CSA, Erik Johnson, CA and SC7 Liaison Steven Woodward, Claude Baudoin (OMG), Eric Hibbard (ISC CO-Chair), David Harris

    John DiMaria introduced Tyler Messa - CSA as the new Star Technical Director at CSA. Tyler, who joined CSA on January 29th, comes with a background in standardization work and previous experience with AWS Security Assurance. He expressed enthusiasm about his role in the committee and his commitment to supporting the team. John also mentioned that while Tyler would be taking on more responsibilities, he would continue to be involved in coordinating efforts.

    The discussion then shifted to operational resilience standards, with John DiMaria emphasizing the importance of understanding and applying these standards effectively. Tyler Messa - CSA and Eric Hibbard shared their roles in leading a new project, 20996, which aims to create a Cloud Service Customer Business Continuity and Resilience standard within SC 38. This project seeks to address the challenges customers face in interpreting and applying existing standards to cloud environments. Tyler suggested strengthening the liaison relationship with the IEEE to ensure coordination and partnership on this work.

    Eric Hibbard discussed the complexities involved in developing a broader topic by SC 38. He explained the necessity for SC 38 to collaborate with SC 27 and possibly other stakeholders to create a joint working group, highlighting several challenges this posed. Towards the end of the discussion, Eric shared that the Cybersecurity and Privacy Standards Committee had submitted a project authorization request for a standard on cloud computing operational resilience, anticipating its final approval soon. This standard aims to serve as a foundational document for cloud service providers, customers, and partners to ensure operational resilience.

    Furthermore, Eric Hibbard discussed the formation of a new working group in the Cyber Security and Privacy Standards Committee, focused on cloud computing security. This group, open to anyone worldwide, aims to facilitate engagement from interested parties. Eric mentioned the anticipation of approval for the group and the ongoing preparations for its setup. He also noted the potential collaboration with SC 38 on this project.

    John DiMaria and Steven Woodward shared their insights on the topic, while John DiMaria and Erik Johnson discussed their research focus on organizational resilience, particularly in relation to cloud and multi-cloud environments. Erik clarified that their current work does not focus on trust but is architecturally planned to address it. Tyler Messa - CSA sought clarification on the nature of the work, with Eric Hibbard explaining the focus through the lens of cloud computing. Eric also mentioned that their work would likely acknowledge the broader context and be built as a framework, suggesting monitoring the discussions and possibly joining the working group. Erik Johnson and Eric Hibbard confirmed that hybrid environments would also be in scope, with the workgroup expected to continue even after the project's completion.

    John DiMaria and Eric Hibbard discussed various developments related to SC 27 and SC 38, highlighting significant changes and challenges encountered in the revision of ISO/IEC 27701, including its transformation into a management standard. John expressed his opposition to these changes through a strongly worded letter. Eric also mentioned the completion of his project, 27040, and upcoming changes to 27001 and 27002. Rachelle Summers briefly mentioned ongoing work on 27090, while Claude Baudoin shared updates on two papers he's working on, one on domain taxonomies for data governance and another on AI and the cloud. He expressed concerns about the scope of the AI and the cloud paper and plans to monitor its progress.

    Claude Baudoin announced a brief update session on March 20th, encouraging attendees to contact him for invitations and to be added to the mailing list. John DiMaria brought up an issue of no longer receiving meeting invites, which Claude agreed to address. The discussion also covered the timing of a working session, with Claude suggesting Wednesday at 10 AM Eastern. After a scheduling conflict was mentioned by Erik Johnson, Claude agreed to reschedule to accommodate. The working session will be a Zoom call, with details sent to the mailing list. Further meetings in March and a planned meeting in June were also discussed.

    Eric Hibbard talked about the potential for the NIST secure software development framework to become an ISO standard. John DiMaria introduced an updated SDO steering committee list and sought volunteers to serve as liaisons to working groups, emphasizing the need for connections between their standards work and related research at CSA. Erik Johnson suggested Ron Martin as a candidate for a Zero Trust role, which Eric confirmed based on Ron's leadership in an IEEE subgroup. Tyler Messa - CSA recommended reviewing a document on multi-cloud concepts and suggested following the SC 38 ad hoc group's discussions on cloud computing as critical infrastructure.

    John and Eric discussed the access and sharing of pre-publication documents, particularly ISO documents, agreeing to limit their distribution to maintain control. They noted that some ISO documents are publicly available but typically of limited interest. John suggested exploring the BSI program for a business standards subscription, which could benefit the current group and other departments. The team decided to further examine this subscription opportunity.

    John DiMaria discussed the importance of completing liaison reports, particularly for SC 38, which was due the next day. He sought Eric Hibbard's input on standards and research perspectives to keep the team updated. Eric agreed to prepare an SC 38 dump for John's review. Finally, David Harris shared his expertise in exporting open-source software and managing source code repositories, with Eric suggesting David's participation in the NIST activity related to this topic.

    Next steps
    • Tyler will exercise his expert recommendation to initiate a liaison relationship with IEEE.
    • John will monitor the progress of the AI and Cloud paper in the OMG Cloud Working Group.
    • Claude will confirm the meeting time and send out the invite.
    • John will work with Tyler on the liaison reports and ask Eric for input on standards to monitor.
    • David will join the NIST secure software development framework activity.
