Re: FW: ISP- final draft

[Scott McGrath <scott.mcgrath@oasis-open.org>]

Hi Claus,

See my replies inline to your comments below.

Scott...

---Original Message-----
> From: von Riegen, Claus [mailto:claus.von.riegen@sap.com]
> Sent: Wednesday, December 15, 2010 8:09 AM
> To: oasis-board-comment@lists.oasis-open.org
> Subject: [oasis-board-comment] FW: ISP- final draft
>
> Forwarded to Board-comment list
>
> -----Original Message-----
> From: von Riegen, Claus
> Sent: Dienstag, 14. Dezember 2010 15:07
> To: 'Jim Hughes (LCA)'; 'board-agenda@lists.oasis-open.org'
> Subject: RE: ISP- final draft
>
> Jim,
>
> Thanks for providing this very comprehensive policy.
>
> A few questions & suggestions:
> 1. As to the name (Information Security Policy), is it intentional that it is not called Information Security Program as by the Commonwealth of Massachusetts Regulation (this very term is also being used in the employee acknowledgement form of the policy, thus, I would propose to use the one or the other.
>
> 2. As to the content, to what extent can we ensure upfront that this policy complies with the regulation? Have you verified with (or actually copied from) the guide for small businesses at http://www.mass.gov/Eoca/docs/idtheft/sec_plan_smallbiz_guide.pdf?
>
[Scott said:]
We started with that guiding document, but made some minor
modifications at the advice of outside counsel expert in these
matters.  After the Massachusetts law was adopted several other states
followed quickly with their similar, but of course not exact
duplicate, versions of a law protecting personal financial
information.  Counsel approved the document submitted to the Finance
Committee.
>
>
> 3. As to the global nature of OASIS, I understand that the regulation determines how personal information of Massachusetts residents need to be managed, but agree with the current intent, i.e., to apply this to all OASIS members and employees globally. In this regard I concur with Eduardo's earlier comment to not restrict to terms that are used in the US only. First name and last name have a different (or even no) meaning in other geographies, same for social security number.
> Can we perhaps at least change the beginning of section II. to read "For purposes of this ISP and applicable to residents of the Commonwealth of Massachusetts, USA, "Personal Information" means ..." and add a sentence at the end "Applicable to residents outside of the Commonwealth of Massachusetts, USA, "Personal Information" means a person's name in combination with corresponding data elements that are used in such other jurisdictions."
> The alternative would be to abstract to globally understandable terms (such as "a person's given name and family name in combination with any data elements that uniquely identify that person ..."). Of course, we need to balance this with our immediate need to comply with the regulation, which might be compromised by not using the specific terms.

[Scott said:]
When the policy comes to a motion, amendments could be offered to:
a.) replace resident with person in Section II.
b.)  add some global clarity to the terminology, but please do not
assume given and family names is a phrase often understood by US
citizens.  (They often don't know what A4 paper is either ;-))
>
> 4. As to the employee acknowledgement form, I would suggest to remove it from the policy itself and to use it OASIS-internally only.

[Scott said:]
That is a vestige of the MA guidance document you reference above, and
was in our earlier draft approved by counsel.  As part of a motion for
that change and subsequent discussion, I would personally benefit from
learning how that would improve the policy.

>
> Best regards,
>  Claus
>
> Claus von Riegen
> SAP AG
> Dietmar-Hopp-Allee 16
> 69190 Walldorf, Germany
> T +49 6227 7-42589
> F +49 6227 78-19953
> M +49 160 8896870
> claus.von.riegen@sap.com
> http://www.sdn.sap.com/irj/sdn/standards
> http://www.sdn.sap.com/irj/sdn/opensource
> www.sap.com
>
> Pflichtangaben/Mandatory Disclosure Statements: http://www.sap.com/company/legal/impressum.epx
>
> Diese E-Mail kann Betriebs- oder Geschäftsgeheimnisse oder sonstige vertrauliche Informationen enthalten. Sollten Sie diese E-Mail irrtümlich erhalten haben, ist Ihnen eine Kenntnisnahme des Inhalts, eine Vervielfältigung oder Weitergabe der E-Mail ausdrücklich untersagt. Bitte benachrichtigen Sie uns und vernichten Sie die empfangene E-Mail. Vielen Dank.
>
> This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.
>
>
>
>
> -----Original Message-----
> From: Jim Hughes (LCA) [mailto:Jim.Hughes@microsoft.com]
> Sent: Mittwoch, 8. Dezember 2010 21:45
> To: board-agenda@lists.oasis-open.org
> Subject: [board-agenda] ISP- final draft
>
> Posting the new Information Security Program/Policy for approval at next week's board meeting - agenda item 6.
>
> Jim
>
>
>
>



-- 
Scott McGrath
Senior Director of Member Services and COO
scott.mcgrath@oasis-open.org

NEW:
Tel +1 781-425-5073 x202
Fax +1 781-425-5072

New to OASIS?
Take a 3-minute tour:
http://www.oasis-open.org/home/tour.php