We had an AI participant taking notes. I've not reviewed the notes carefully. Here it is.
Eleftherios Skoutaris shared QSS Subgroup - Quantum Safe Security Governance notes with you.
Date: 19 Apr 2024, 14:29 Z
Attendees: Cory Missimore, John Jiang, Lefteris Skoutaris
Meeting Summary
* AI summaries may contain mistakes. Consider checking important information.
The meeting covered various topics, including discussions on creating a supplement to the CCM implementation guides focusing on quantum technologies, updating guidelines and controls related to the Cloud Controls Matrix (CCM), and explaining the Self-Security Responsibility Model (SSRM) expressions. Concerns were raised about key management issues in the draft, and decisions were made to continue with the presentation, start and continue supplements separately, and consider merging them later. Tasks were assigned to create empty columns for each CCM control and add implementation suggestions, while plans for an upgrade to version 4.1 of the standard were discussed. Additionally, the meeting addressed evaluating the risk management program, emphasizing the importance of assessing data risks and implementing business continuity and operational resilience controls. John Jiang agreed to include risk assessment and impact analysis in the GRC and suggested splitting off a control under GRC02 instead of creating a new one.
Next Steps
- A task was assigned to create an empty column for each control of the CCM and add suggestions for implementation guidelines.
- John Jiang agreed to include risk assessment and impact analysis in the GRC.
AI Insights
The meeting exhibited strong performance across key performance indicators (KPIs). Clear next steps were moderately defined with discussions on risk assessment and control implementation guidelines. Engagement was high, with active involvement in various topics such as guidelines updates and business continuity controls. The meeting adhered to the scheduled time, showcasing good time management. Participation was also high, with participants actively contributing and interacting on topics like quantum technology integration and control discussions.
Topics & Highlights
1. Discussion on Supplement to CCM Implementation Guides
- Lefteris raised concerns about the highlighted controls in the draft, indicating that key management issues were incorrectly addressed, potentially compounding existing problems.
- John acknowledged the potential error in referencing CCM 5 and agreed to continue with the presentation. Lefteris offered to provide an update on the guidelines and standards.
2. Discussion on Updating Guidelines and Controls
- It was decided to start out and continue the supplements separately and consider merging them later.
- The fact that an upgrade to version 4.1 of the standard is planned, with a review of controls and implementation guidelines expected by the end of Q1 2025.
3. Discussion on Self-Security Responsibility Model (SSRM)
- Lefteris Skoutaris explains the Self-Security Responsibility Model (SSRM) and its expressions, such as CSP-owned, CSC-owned, CERT Independent, and CERT Dependent, detailing the responsibilities of service providers and customers in implementing controls in the cloud.
4. Data Risk Management Program Evaluation
- John Jiang mentions the importance of assessing the risk and impact of data to be protected, including personal data and other critical data.
- Lefteris Skoutaris explains the process of identifying, assessing, and treating risks within the risk management program, implying the inclusion of data security and privacy risks.
- John Jiang expresses the need for a statement to apply the risk management program, indicating the importance of implementing the program.
5. Business Continuity and Operational Resilience Controls
- John Jiang decided to suggest splitting off a control to exercise under GRC02 instead of creating a totally new control.
MeetGeek is the meeting automation platform that enhances the productivity of your meetings.
------------------------------
John Jiang
------------------------------
Original Message:
Sent: Apr 13, 2024 07:06:27 AM
From: John Jiang
Subject: QSS Subgroup - Quantum Safe Security Governance meeting on April 13, 2024
Prius, Morning and John met in the Zoom. John updated the status of the activities:
- The subgroup has proposed QSS relevant additions to the currently published CCM implementation guides and audit guides. The next step should be to move the proposed additions to the CCM5, which is in draft. The result can be either 1) part of the CCM5 publication if the CCM WG accepts, or 2) supplement to the CCM5 from the QSS WG. Need Hillary and Morning's help to connect to the CCM WG. (After the meeting, John drafted the QSS_Implementation_Guide.docx and put it in the shared subgroup folder.)
- Need to present the subgroup's work to the QSS WG in the April 23rd WG meeting. Prius and John agreed that this presentation may be best merged with the idea of preparing an easy-to-understand guide for GRC practitioners who may not be familiar with CSA CCM. This idea has been proposed several times in the subgroup meetings.
In addition, Morning proposed that he might be able to help with the "Quantum Physics 101" writing of WG (not in the scope of the subgroup). John suggested he could co-author the tutorial with Morning and get it started from Roger's current version. John would take this proposal to the next WG meeting.
------------------------------
John Jiang
------------------------------