dcml-appserv message

Subject: RE: [dcml-frame] FW: Groups - oasis - Ballot "DCML: Process Subgroup Objectives" has closed


Persons outside our group are on BCC.  If the blind copy is not working, please can I be notified immediately.
 
 
Standards TC has a great synergy with the current news. Computerworld news mail is quoted below. (If you join, I do not allow cookies and popups. Site is advertising heavy.)
The articles about OASIS and MASS enterprise government standards came from here.   I posted them to the group about one month ago.  The articles included Microsoft attempts to become the Open Source standard, and that no one bought it, recognizing OASIS as the one and only leader for this space.
 
I've been suggesting we align with ISO/IEC 15026 and review the frameworks established at the Common Criteria Portal.
 
The overarching reason for an ontology of correctly applied standards is also the main focus of work by CSRC and NIST
http://csrc.nist.gov/publications/nistbul/b-11-05.pdf and subject of a lot of work for ISSA, ISACA and IEC collaboration, as well as OGC, ISO alignment.
 
SAML team has members for the 2.0 release show IEC members who applied current government RFC to their work.  We ought to consider their involvement. 
 
ISACA is evolving their mapping very heavily with ISO and ITIL.  I am going to copy Ron Hale and Tom Lamm because they are more aware of the evolution of Liaison work between groups than any other persons I can imagine.  I repost this link.  If Zeula, Darrel, Fred are not ISACA members, I urge you to become members.  The cost is far outweighed by the benefit.
 
I also urge alliance to NIST language in our group.  Dr. Ron Ross published this in October 2005.  We are looking at a country just beginning to realize the impacts of FISMA and other US laws around technology.  Regulation of federal records and FOIA are small potatoes compared to the Computer Abuse and Fraud Act and the evolving data notification rulings modeled after California SB notification laws.
 
http://www.owasp.org/docroot/owasp/misc/OWASP_DC_2005_Presentations/Track_1-Day1/AppSec2005DC-Ron_Ross-FISMA.ppt#256
 
 
I thought the activities of the Common Criteria Project were aligned to this mission, although they currently focus on software that supports security programs and not the correct application of best class standards per any industry.
 
Here's that article.
rb
 
Directly quoted without any authority to reproduce, here is the text of the article; the link is in the text.
 
OMG pushes standards for verifying software security
Framework would be an aid to vendors, government buyers
"News Story by Jaikumar Vijayan

DECEMBER 16, 2005 (COMPUTERWORLD) - A report released early this month by a task force within the Object Management Group outlines the standards needed to develop a consistent process for verifying the security of software sold to government agencies.

The task force, which is composed of representatives from private-sector companies and government agencies, is part of a broader effort to ensure that software products used by the government meet consistent and defined security standards.

"What the OMG is hoping to achieve in putting together these standards ... is to have a formal way of measuring if software is trustworthy," said Djenana Campara, co-chairman of the Architecture-Driven Modernization Task Force within the OMG.

The standards will give vendors and software purchasers a consistent way to evaluate a system's design robustness, reliability, process integrity and configuration controls, said Campara, who is also CTO of Klocwork Inc., a Burlington, Mass.-based vendor of vulnerability analysis software.

Such a framework is crucial to allowing software suppliers and buyers to represent their claims and requirements along with a way to verify them, said Joe Jarzombek, director of software assurance at the National Cyber Security Division of the U.S. Department of Homeland Security.

"When vendors make claims about the safety, security and dependability of products, what is the standard by which they are making those claims and what are the minimum levels of evidence" that are needed? he asked. "The reason to have a standard is it tells you, Here's how you can make a claim, here are the attributes we are looking for, and here are the things you need to include when making a claim," he said.

Having a process for enabling security verification is becoming important because of the increasing complexity of software systems, their growing interconnectedness and the globalization of software developers, Campara said.

Government systems that are used for national security purposes already need to go through a Common Criteria Certification process to determine whether they meet security requirements. OMG's framework -- which still has to go through a long approval process -- will give another option to agencies that are not mandated to use the Common Criteria process, Jarzombek said.

In addition, a systems and software assurance standard that's being finalized by the International Standards Organization (ISO/IEC 15026) will also give government agencies a standard they can use for assessing software security sometime next year, he said. The ISO standard is focused on the management of risk and assurance of safety, security and dependability of systems and software, he added."


From: Thomas, Darrel [mailto:darrel.thomas@eds.com]
Sent: Friday, December 16, 2005 4:14 PM
To: dcml-frame@lists.oasis-open.org; dcml-appserv@lists.oasis-open.org
Subject: [dcml-frame] FW: Groups - oasis - Ballot "DCML: Process Subgroup Objectives" has closed

Hello All,

 

The results from the process subgroup ballot are in, and we've been approved by a 4-to-2 vote. I'd, however, like to clarify the objectives that Zulah and Fred put forth to look to obtain unanimity.  Here's the premise:

 

· On Zulah's point about defining processes and services, I'd agree, to the point that IDENTIFYING those processes (since CfM is such a process, we've identified it, and next need to identify thru industry concurrence of best practice the process mapping of CfM for the purposes of codifying the interfaces thru the Interfaces Subgroup) and services that should be codified by the Interfaces subgroup from the identified best practice mappings gathered by the Process Subgroup.  Fred actually made the point of including services, so the reference of processes and services as examples of things to be identified, mapped, and codified is the point here.

· On Fred's point, I believe my attempt at a clarification in the first point clears up the thoughts around process and service work.  Understanding the interfaces from the best practice mappings is EXACTLY what we want to do, rather than creating them with a narrow view from the Member Section.  The idea is to use our reach to industry organizations, members, analytics, and so forth to gather this information for the identification, mapping, and codification by the Interfaces Subgroup.  We're starting with the CfM process, so identifying this as initial scope in the subcharter should help scope the ambition to something immediately achievable…

 

This should help, I believe…

 

Regards,

jDT

 

J. Darrel Thomas

Distinguished SE

Chief Technologist, Datacenter Services Portfolio

Electronic Data Systems Corporation

5400 Legacy Drive

Mail Stop H3-5A-34

Plano, Texas  75024

972-797-9695 (Office)

972-679-5943 (Cell)

Darrel.Thomas@EDS.Com (Email)

 

"Of all the things I've  lost, the one I miss the most is my mind..."

 

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information.  If you have received it in error, please notify the sender immediately and delete the original.  Any other use of the email by you is prohibited.

 

 

-----Original Message-----
From: workgroup_mailer@lists.oasis-open.org [mailto:workgroup_mailer@lists.oasis-open.org]
Sent: Friday, December 16, 2005 3:01 PM
To: Thomas, Darrel
Subject: Groups - oasis - Ballot "DCML: Process Subgroup Objectives" has closed

 

OASIS DCML Framework TC member,

 

A ballot presented to OASIS DCML Framework TC has closed.

The text of this closed ballot is as follows:

---

"DCML: Process Subgroup Objectives"

Please provide your approval for the following:

 

The Process subgroup is tasked with defining the standard processes, interdependencies, and requirements for the Interfaces/Implementation Subgroup to use to create DCML standard implementations and reference models.  This includes the definition of inputs and outputs, best practice workflows and process flows, and inter-process dependencies from one targeted process framework to another.  The initial work of the Process Subgroup will center around the interactions and interdependencies of the Configuration Management Process, its workflows, and orchestration of domain-based management within the IT Services lifecycle.  The output of this work effort will be the specifications, requirements, process diagrams, and process flows used by the Interfaces group to codify the standard interfaces of the CfM Process and its interactions, inputs and outputs, as well as a reference implementation of a multi-layered CfM process within a working model.

 

Future prospective processes to be defined and mapped include:

 

  The Processes of the ITIL Process Framework (Change, Release, Incident, Problem, etc.)

 

  Service-Oriented Processes

 

  Business Processes

 

Outputs from the mapping and modeling work by the Process subgroup will include:

 

-  Process diagrams and models outlining each process to be implemented by the Implementation/Interfaces subgroup

 

-  Use cases to accompany process models and diagrams, as well as prescriptive relevance to industry usage

 

-  Specifications on interrelationships for a process to other processes

 

-  Other interfaces and dependencies on non-process oriented artifacts, if any, to accompany process outputs

 

-  Detailed description and definition of process to be mapped/modeled

 

-  Detailed project plan with milestones and dates

 

-  User Guides and Documentation

 

- Yes

- No

- Abstain

 

---

 

Quick Summary of Voting Results:

 - Yes received 4 Votes

 - No received 2 Votes

 - Abstain received 0 Votes

 

 6 of 8 eligible voters cast their vote before the deadline.

 

Voting results for all closed ballots are available on the dcml-frame eVote Archive at:

http://www.oasis-open.org/apps/org/workgroup/dcml-frame/ballot_archive.php

 

Thank you,

OASIS Open Administration
