...
3. Alf tells us about the comparison he has done of SCI V1 against ISO27001 ISO27002 and the Sirtfi published V1 document (see our documents page). This is not that he wants us as a group to adopt ISO27K but aimed more at seeing how things map and what is missing or in conflict.
His initial findings that SCI is very much based on operational security and simple. SCI is more practical with ISO more on policy and organisation. Alf also notes that the Refeds Sirtfi activity has changed some of the wording in Incident Response. We should consider merging their changes back into SCI V2. We could also consider looking at US NIST requirements and the Trusted Introducer maturity assessment.
Romain encourages us to keep SCI simple - this can then be used when trying to build trust with new infrastructures.
4. Dave shows the current (self) assessment spreadsheet (see documents page). He explains that the sub points lines (numbered e.g. 1.1, 1.2, 1.3) are all sub components of one numbered requirement from the SCI document e.g. IR1 and just correspond to the different requirements expressed so that the assessment is forced to consider each of the requirements in turn - rather than just one statement which may miss some sub-points.
Here again it is agreed that a guidance document would be useful. This could describe exactly what the requirement means and guidance on what sort of documents are needed rather than exactly specifying how to meet the requirements, e.g. how many hours is timely response? needs to be left for each infrastructure to define rather than SCI specifying the number.
5. We agree that the next step should be for members to consider sections 4 (operational security) and section 5 (incident response) of SCI V1 and prepare answers for our infrastructure to these (either a document or the spreadsheet). Discussing these will hopefully assist us in seeing what guidance is required.
Dave also encourages people to edit the wiki page on scope with further ideas as to what exactly our mandate/goals should be.
6. 5. Next meeting. There will be just one meeting between now and the TNC2016 BoF session. Proposed dates are 31 May, 1 June or 2 June. Dave will send a Doodle poll. The agenda will be to look at the SCI V1 comparisons (section 4 OS and section 5 IR) and decide what to present at the TNC BoF (e.g. an agreed mandate statement).
...