
emergency-adopt message



Subject: Request to form Liaison with ISO/IEC JTC 1/SC 27/WG 1


OASIS EM Adoption TC Members,

On Thursday 30 Apr, I was able to speak directly with Charles Provencher to
discuss this request from his Working Group 1 (within SC 27 of the ISO/IEC
JTC1).  Abbie Barbir from Nortel had forwarded the attached documents to my
attention.

After speaking with Charles Provencher, I believe that it makes sense for
the OASIS Emergency Management Adoption TC to request Category C Liaison
with SC 27.  The purpose of the liaison with the EM Adoption TC would be to
facilitate information exchange as to the need which the SC 27 / WG 1 has to
develop a profile of the CAP (and possibly EDXL-DE) for use in exchanging IT
Security Information for Inter-Sector communications about critical
infrastructures.

OASIS has facilitated such liaisons with other ISO and ISO/IEC JTC1 groups.

As Charles Provencher indicated in his email, the SC 27 working groups are
meeting next week in China to further discuss this plan.  It would
facilitate this activity if they were to receive acknowledgement from our
new TC that we wish to pursue the establishment of the Category C liaison.
Therefore, I will bring a motion before the TC today that we agree to
request OASIS Staff support in establishing a Category C Liaison with SC 27.

Please see this relevant section of the OASIS Liaison Policy for guidance on
this process.
http://www.oasis-open.org/committees/liaison_policy.php#liaisons


Such liaison will require that at least one person be a member of both
groups. If we have an existing member who wishes to pursue membership
through their country's Head-of-Delegation, that would work.  Otherwise, we
can ask someone already on the SC27 / WG1 to become an OASIS Member and
participate in the EM Adoption TC.

Any comments?


Best regards,

Patrick Gannon
President & COO
Warning Systems, Inc.
+1 256 880 8702 x104  (office)
+1 256 468 4055  (mobile)
+1 978 458 7478  (home-office)






-----Original Message-----
From: Charles Provencher [mailto:cprovencher@provencher.net] 
Sent: Monday, April 27, 2009 12:54 PM
To: Patrick Gannon; bpoletti@deloitte.lu
Cc: abbieb@nortel.com; THOMAS FERRENTINO; Krystyna Passia
Subject: Re: ISO/IEC JTC 1/SC 27/WG 1 N17607


Good day all,

Note I'm speaking for Benoit and myself, co-editors

SC27 has launched a project/standard numbered ISO/IEC 27010, currently named
"Information Security Management for Inter-Sector Communications"; the name
is to be reviewed in Beijing next week, to be more contextual to what it
addresses, 
1) which is communications for organizations working in sectors of critical
infrastructure, and 
2) formal communication of "IT security information" between authenticated
organizations.

The base concept is similar to what FIRST is doing for its members, but we
would be going farther in the communications side, while not offering a
central coordination such as FIRST. Organizations would communicate securely
and effectively using an advanced template (ex: OASIS CAP), but it's up to
them or their governments as to how agreements are established, for example
in Canada, it would probably be the Department of Public Safety Canada, but
in the energy sector, NERC could/would play a central role for the
electrical grid.

This standard once published should be a formal communications channel
between organizations within a given sector (ex. energy, telecom, financial,
etc (we have 10 sectors identified, based on the Canadian model)), either in
one country or spanning many countries. It should also do the same for
communications between different sectors in a country or many countries. At
the point where many sectors in a country communicate we've found that the
government of that country is involved and governments play a proxy role
among themselves to cover for example a continent.

Currently a major concern is SCADA that covers many "critical
infrastructure" sectors over many countries. Another issue we're seeing is
the way governments do not like that organizations like ISO or ITU may
provide direction in establishing "work help" methods in facilitating
communication when it comes to critical infrastructure. (I am being honest
as to set a straight picture!). To some countries, critical infrastructure
is the government's jurisdiction, without outside influence.

Where the OASIS CAP is of importance to us is in the use of a mature
communications protocol to communicate "IT security" information to
authenticated organizations, similar to Annex A (DHS Warning). What we were
considering was possibly adding an "IT Security Profile", given what the
various contents would be, such as classification or description or proposed
solutions or...

Such content type would be decided as we move along in the evolution of the
standard with the contributions of various participants such as OASIS or
FIRST or Govts or... We would obviously ask OASIS to approve what we wanted
to do.

So we were going to ask that you liaise with SC27, specifically with WG1
(Management Working Group) to contribute to this project; it's just that we
needed some consensus from the members working on this project/standard at
the Beijing meeting. As a member of the Canadian SC27 pointed out, Canada
would be very partial for 27010 to adopt OASIS CAP V1.1 or a specific
version (with IT Security Profile), as Canada recognizes this protocol for
alerts and warnings.

Should you want to express an interest in seeking a "Category C" Liaison with
SC27 while we are sitting in Beijing, meeting 4-8 May and plenary 11-12 May,
you are more than welcome to do so, and in fact it would help us if it were
sooner than later. This can easily be done by sending a Cat C liaison
request to our Secretariat (Krystyna Passia, email below), the sooner the
better.

I trust this is a good base explanation and I look forward to any comments
or questions you may have.


Best regards,

Charles Provencher

Co-Editor 27010;
HoD for Canada to SC27

 Charles Provencher,
Montreal, Canada.
cprovencher@provencher.net / cpprovencher@yahoo.com



----- Original Message ----
From: Patrick Gannon <pgannon@warningsystems.com>
To: bpoletti@deloitte.lu; cprovencher@provencher.net
Cc: abbieb@nortel.com; THOMAS FERRENTINO <tferrentino@verizon.net>
Sent: Monday, April 27, 2009 9:59:26 AM
Subject: FW: ISO/IEC JTC 1/SC 27/WG 1 N17607

Dear Benoit Poletti and Charles Provencher,

Members of the OASIS Emergency Management Adoption TC were recently made
aware of the work of the ISO/IEC JTC1  SC27 WG1 related to the above
referenced adoption proposal of the Common Alerting Protocol (CAP) OASIS
Standard.

Would you be so kind as to provide us with information on the goals of WG1
with respect to CAP?

Then we can aid in establishing any needed liaisons between the respective
organizations.


Best regards,

Patrick Gannon
President & COO
Warning Systems, Inc.
+1 256 880 8702 x104  (office)
+1 256 468 4055  (mobile)
+1 978 458 7478  (home-office)




WG1_PoW_Oct2008.57590.pdf

N7607_Proposed_outline_27010-2_V1_3_20090413.pdf


