International Standardization Council

Minutes from the ISC Meeting December 21, 2023

    Posted Dec 21, 2023 10:07:00 AM
    Edited by JOHN DIMARIA Dec 21, 2023 10:11:07 AM
    Meeting summary for International Standards Council Monthly Meeting (12/21/2023)
    Date: 21 Dec 2023, 08:58 CST
    Attendees: Eric Hibbard (Samsung), Willy Fabritius (SGS), John DiMaria, Claude Baudoin (cébé), CA and SC7 Liaison Steven Woodward
    Quick recap
    Eric, John, Fabritius, and others discussed updates on various proposals and standards related to their work. They talked about FIPS 140 certification, ISO 27006 part one, the Cybersecurity Labeling Framework for Consumer IoT, and an initial consultation on secure smart contracts. They also discussed the formation of a subgroup to work on a framework document and a guides document. The conversation also touched on operational resilience in cloud computing, potential collaborations, and the importance of clearly defining parties versus roles. The meeting concluded with a discussion on making standards available at no cost and the involvement of the Business Continuity Institute in cyber and operational resilience related papers.
    Summary
    In the meeting, the speaker discussed various ongoing projects and consultations related to ISO standards, FIPS 140 certification, auditing requirements, the cybersecurity labeling framework, and secure smart contracts. They also mentioned potential collaboration with other organizations and the importance of the operational resilience project. Stakeholders in operational resilience were identified as consumers, cloud resources, suppliers, and cloud service providers, with regulators and financial services being potential interested parties. Existing standards related to business continuity and risk are likely to be included in the operational resilience framework, along with the potential inclusion of the IEEE project on adaptive management of cloud computing. The SC38 materials have been realigned since the divorce with ITU-T, and the possibility of setting up an IEEE certification program for proof of data eradication was discussed. An operational resilience project focusing on product-oriented validation and common criteria was mentioned, as well as a liaison agreement with CSA. Balloting and key management standards, changes in ISO 27001-1, ISO 5338, sustainability efforts, the OMG paper on domain taxonomies for cloud data governance, and White House healthcare requirements were also discussed. Tasks were assigned to update liaisons, cover changes in working group schedules, and update the charter for 2024.
    Updates, Certifications, and Subgroup Formation
    John, Fabritius, and Eric discussed updates on various proposals and standards related to their work. Eric shared updates on FIPS 140-2 and 140-3 certification, the Cybersecurity Labeling Framework for Consumer IoT, and an initial consultation on secure smart contracts. They also discussed upcoming deadlines and ongoing systematic reviews. Eric mentioned that they are forming a subgroup to work on two projects - a framework document and a guides document - and are anticipating a large number of people unfamiliar with their processes. To facilitate quick orientation, Eric has prepared some slides to share with John.
    Cybersecurity Standards Development and Collaboration
    Eric, as the Standards committee chair within the Computer Society, shared about their involvement in the Cybersecurity and Privacy Standards Committee. They touched on the process of developing standards and mentioned a proposed Operational Resilience working group that is under review. Eric also highlighted the potential role of a work group in standardizing cloud-oriented materials without going through the ISO site, and discussed possible collaborations. They further noted the involvement of various individuals in different roles within the Society, including the vice chair of CPSC as the convener for the Workgroup for S27 and Laura Lindsay, the treasurer of CPSC, in the chair support position for S27.
    Operational Resilience Standard in Cloud Computing
    Eric discussed the scope of a new standard focusing on operational resilience in cloud computing. They explained that the standard is intended to identify what operational resilience means, but it won't offer any specific guidance. Eric anticipated the potential for multiple additional standards to be developed in the future. They also highlighted that the standard is likely to be of interest to financial services and regulators, and could potentially integrate existing standards related to business continuity and risk management. Claude raised a question about the connection between resilience and adaptive management, which Eric acknowledged has not yet been considered by the project team.
    Cloud Computing Standards and Resilience Efforts
    Eric discussed the potential collaboration between the new working group and the Cloud Computing Standards Committee. They noted that the committee's work has been too "mist oriented" and discussed a specific instance where their proposal was not accepted due to terminology misalignment. Eric also mentioned the operational resilience project's intention to track the ISO path. Later, John brought up Steve's comments about IT resilience efforts in Canada, where a group has been working on cloud audit and terminology for the past two years following a major outage.
    Project Group Discussion: NIST Document Copyright Challenges
    There was a discussion about the participation and alignment of different groups in a project, with a focus on key terminologies and definitions. The participants highlighted the importance of clearly defining parties versus roles and the ongoing challenge of dealing with intellectual property rights. They concluded with an agreement on the need for better documentation and alignment of terms. This was in relation to the use, customization, and copyright issues of NIST documents within the Canadian Federal Government. The participants noted that while these documents are freely available for use and modification, there are challenges related to copyright. They agreed on the need for careful navigation to address these copyright challenges.
    Cost-Free Standards, Sunset Adoption, and Cybersecurity Scheme
    Eric shared their experiences and insights on making standards available at no cost. They mentioned a program where a group or consortium can pay a fee to make documents available. They also talked about the possibility of adopting a sunset standard and the challenges they faced in Europe due to the secure data deletion requirement. Eric also discussed the possibility of setting up a cybersecurity scheme for formal certification programs. They clarified that this would be more product-oriented rather than focusing on the operation side.
    Business Continuity Institute and X.9 Ballot Update
    John and Eric discussed the involvement of the Business Continuity Institute in cyber and operational resilience related papers. Eric plans to meet with someone from the Institute in January to learn from their experiences, particularly in relation to a cyber resilience project. The Accredited Standards Committee X.9, Inc. has signed a liaison agreement with CSA to develop standards for the financial services industry. Claude updated the team on the status of the X.9 ballot, which passed the ballot but is still undergoing validation. The process was delayed due to not reaching the required number of affirmative votes, but Claude expressed hope that this cycle would be completed by early January. John then shifted the conversation to the 27006-1, noting that it now has a table that specifies certain details.
    Certification, Audit, Testing, AI, and ISO 5338
    John discussed changes in certification functions, audit time calculations, and testing requirements. They expressed concern about how these changes might affect certifications and announced plans to evaluate their impact on the star program. Eric responded with insights on the potential future of 27001 as a standalone document and its potential impact on part one. The conversation also touched upon ongoing involvement in AI, with John mentioning the development of an AI for Star and CCM's work on 42001. They concluded with a discussion about obtaining a copy of ISO 5338.
    Sustainability and Technology Reuse in CSA's Future
    Eric raised a question about CSA's involvement in sustainability, specifically in terms of technology reuse. John admitted they were unsure and promised to check with the research team. Eric shared their experiences with hyperscalers putting pressure on the industry for more sustainable practices, which led them to join for voting status on the ASTM committee dealing with sustainability. They expressed interest in accessing the ISO 323 projects and mentioned the Open Compute Project and Microsoft's and Google's involvement in this area. John acknowledged the importance of the issue and agreed to look deeper into CSA's potential involvement.
    Data Governance and Healthcare Requirements
    John, Claude, and Jim had a discussion about a recent paper on domain taxonomies for cloud data governance, which Claude had published and shared with the Cloud working group. The team also discussed the expectations for new requirements from the White House for healthcare. John mentioned upcoming tasks for 2024, such as operational resilience, reviewing the SDO listing, appointing new liaisons, adjusting working group schedules, and updating the charter. John expressed their gratitude to the team for their contributions and wished everyone a safe and happy holiday season.
    Next steps
    • Eric will share his spreadsheet with John.
    • Eric will share his slides with John.
    • Eric will share the materials with John and Doug.
    • Eric will try to obtain a copy of ISO 5338. - DONE
    • John will check with research on CSA's involvement in sustainability.
    • Claude will send a message to the Cloud working group with a link to the OMG paper on domain taxonomies for cloud data governance. - DONE

    On December 7, OMG’s Platform Task Force on Middleware and Related Services (MARS PTF) approved for publication the Cloud Working Group’s discussion paper on Domain Taxonomies for Cloud Data Governance.

    This is publicly available at https://www.omg.org/cgi-bin/doc?mars/23-12-05.pdf.

    This substantial paper (55 pages, 14 tables…) “describes taxonomies of sensitive data in several areas (personally identifiable information, trade control, intellectual property, defense information) that requires specific governance attention.”

    OMG will probably issue a press release in January. Meanwhile, you can download and read (or at least browse…) the paper at your convenience, use its content as appropriate, and please let others know about it.
