
cyber-council message



Subject: Re: [cyber-council] OASIS Cyber Standards User Council - Monthly Alignment Call Aug 7, 2017 - Meeting Minutes




The council has a perspective that is distinct from the TCs as users of the products of TC efforts, hence a unique emphasis on adoption, effectiveness and operationalization challenges of current and prospective users.
So, as was discussed on the call, the council's feedback to the TCs should include assessments and recommendations of TC efforts/products along usage/utility focused dimensions.

I also think that the council has an additional and strategic interest in the relationships and usages across TC efforts (i.e., across threat, vulnerability, C2 communications intelligence, context, risk modeling, mitigation, remediation, attestation, analytics... information). The council's cross-cutting feedback may be beyond the internal scope of any of the TCs in isolation, but should be considered from a more comprehensive cyber security standards portfolio perspective.

So, I'd like to suggest an ongoing work stream of the council that focuses on developing a cybersecurity standards user "big picture" and "portfolio gap analysis" that would focus on a) how the various cyber security standards TC scopes fit together, and b) whether they adequately cover cyber security need/opportunity. The resulting efforts could provide significant insight into how we might better address misalignment, misconfiguration, complexity and operational efficiency across the standards-enlightened security portfolio. :-)

I hope this makes sense, and I would volunteer my efforts in this direction, if the council agrees.

Thanks,
Dennis




Dennis Moreau
Senior Engineering Architect
Office of the CTSO
VMware
719.964.0836

On Aug 7, 2017, at 10:15 AM, JE <je@cybersecurityscout.eu> wrote:

Dear all,

 

Thanks for participating in the call today. Please find below the minutes of the call – feel free to comment and enhance. As soon as the wiki is set up I’ll place this there.

 

Discussion on topics and way to proceed reg. “content”: we identified two streams to follow on in parallel:

- Learning about landscape, practices and experiences

- Identify topics/goals to focus on

 

Further we agreed to follow on providing input on interop group (=who can take lead on this?) and MISP (see my email during the call) and follow on the discussion raised during the f2f in NYC about possible use cases that are currently not covered by existing standards to put those on our todo list as well (=who can take lead on this?).

 

Administrative topics:
- Set-Up Wiki (via Chet) and send note once this is set-up (Joerg)
- List upcoming events, conferences etc. on the website (Carol, all)
- Recruit co-chair candidates to , as discussed on call would be good to have at least one person from financial industry, possibly one from healthcare and one from critical infrastructures (Carol, all)

Discussion on need for voting/authorization “mechanism”:
- adhere to standard OASIS customs reg. voting rights and continuity vs. informal style of participation on base of interest/occasion and voting
- procedure required to "authorize" official communication/output of the council is required. Assumption is to start with general consensus and detail or formalize when needed
- reach out for feedback to the members
=> Pls give us your opinion and thoughts on these topics: to follow the rather strict approach (e.g. voting right tied to regular participation and contribution) vs. a more informal approach, as some members might only be interested in certain topics but should be able to vote on those.

 

Best wishes from sunny Cologne,

Joerg

 

 


