oasis-board-comment message


Subject: FW: ISP- final draft

Forwarded to Board-comment list

-----Original Message-----
From: von Riegen, Claus 
Sent: Tuesday, 14 December 2010 15:07
To: 'Jim Hughes (LCA)'; 'board-agenda@lists.oasis-open.org'
Subject: RE: ISP- final draft


Thanks for providing this very comprehensive policy.

A few questions & suggestions:
1. As to the name (Information Security Policy), is it intentional that it is not called Information Security Program, as in the Commonwealth of Massachusetts Regulation (this very term is also being used in the employee acknowledgement form of the policy)? Thus, I would propose to use the one or the other.

2. As to the content, to what extent can we ensure upfront that this policy complies with the regulation? Have you verified with (or actually copied from) the guide for small businesses at http://www.mass.gov/Eoca/docs/idtheft/sec_plan_smallbiz_guide.pdf?

3. As to the global nature of OASIS, I understand that the regulation determines how personal information of Massachusetts residents needs to be managed, but I agree with the current intent, i.e., to apply this to all OASIS members and employees globally. In this regard I concur with Eduardo's earlier comment not to restrict to terms that are used in the US only. First name and last name have a different (or even no) meaning in other geographies; the same goes for social security number.
Can we perhaps at least change the beginning of section II. to read "For purposes of this ISP and applicable to residents of the Commonwealth of Massachusetts, USA, "Personal Information" means ..." and add a sentence at the end "Applicable to residents outside of the Commonwealth of Massachusetts, USA, "Personal Information" means a person's name in combination with corresponding data elements that are used in such other jurisdictions."
The alternative would be to abstract to globally understandable terms (such as "a person's given name and family name in combination with any data elements that uniquely identify that person ..."). Of course, we need to balance this with our immediate need to comply with the regulation, which might be compromised by not using the specific terms.

4. As to the employee acknowledgement form, I would suggest removing it from the policy itself and using it OASIS-internally only.

Best regards,

Claus von Riegen
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
T +49 6227 7-42589
F +49 6227 78-19953
M +49 160 8896870


-----Original Message-----
From: Jim Hughes (LCA) [mailto:Jim.Hughes@microsoft.com] 
Sent: Wednesday, 8 December 2010 21:45
To: board-agenda@lists.oasis-open.org
Subject: [board-agenda] ISP- final draft

Posting the new Information Security Program/Policy for approval at next week's board meeting - agenda item 6.

