2022-12-06 Minutes of the Network Security Working Group

Attendance:

Adam Jones – Microsoft

Ben Wilson – Mozilla

David Kluge – Google

Jozef Night – Disig

Paul van Brouwershaven – Entrust

Prachi Jain – Fastly

Rebecca Kelley – Apple

Tim Crawford – BDO

Wendy Brown – FPKI

Minutes:

1.   Read Antitrust Statement

Clint Wilson read the antitrust statement.

2.   Roll Call

No new members in attendance

3.   Review Agenda

Review and approval of the Nov 8th and October F2F minutes

New meeting times in 2023 (NEXT MEETING JAN 3rd)

Will send out a poll to vote on what time works best for all.

https://cabf.webex.com/cabf/j.php?MTID=m0192d60c00c649d7c4c5d0dfceb74ef2

Risk Assessment/ Cloud Services review (David Kluge)

Continue Air Gapped CAs project (Ben Wilson)

5. Risk Assessment / Cloud Services

Not ready at this point to draft a ballot, but did have a call to proceed with the Cloud Requirements.

Chose the CCM (Cloud Security Alliance Risk Control Matrix) as the standard to align with.

Compliance department made a mapping between the CCM and the NSRs, and found that the CCM had changed significantly in the short time since, so the mapping was no longer valid.

Requested a new mapping of the most recent version of the CCM to the NSRs.

Received this mapping.

c. Next step is to map the results of the Threat Modeling against the CCM.

    a. If the mapping is good, then work on the CCM instead of drafting new requirements.

d. David Kluge showed the map and reviewed the findings with the group.

e. Paul van Brouwershaven shared links that show a mapping between the CCM and the CIS Controls:

    a. https://www.cisecurity.org/controls/v8#v8-mappings

    b. https://www.cisecurity.org/controls/cis-controls-navigator/ (click "Add" at the top right to add frameworks to compare; click the individual items to see the control numbers)

f. Is there a licensing concern if we utilized the CCM? Auditors would have to decide.

8. Air-Gapped Systems document (Redline)

a. Comparing the existing NSR requirements to the new requirements that would be set up for Air-Gapped CAs.

b. Ben compared the one-way mapping that was discussed, and marked in the documents where the comparisons fit best.

c. Ben made some edits to sections 1-4.

    a. Add the phrase “air-gapped CA” in sections 1-4, identifying it as a separate system.

    b. Need to differentiate between the systems to avoid overlap in definitions.

d. Ben asked whether “Air-Gapped” needs to be redefined to make it clearer which systems are offline CAs and which are Air-Gapped systems.

    a. Requirements need to focus more specifically to help define the difference.

e. Paul van Brouwershaven mentioned this topic has been frequently debated in Net Sec meetings before.

    a. Would it help to place requirements under each description?

    b. Ben brought up having objectives and controls.

f. Ben brought up the idea of reorganizing the document to make it easier for mapping, audit frameworks, and cross-referencing.

g. More discussion went into the definition of Air-Gapped Systems and Air-Gapped CA Systems.
