This wiki has undergone a migration to Confluence found Here
Difference between revisions of "CMHAFF call, Thursday, Oct 19"
Jump to navigation
Jump to search
m |
|||
| Line 1: | Line 1: | ||
| − | ATTENDEES: David Tao, Frank | + | ATTENDEES: David Tao, Frank Ploeg, Adamu Haruna |
AGENDA | AGENDA | ||
Latest revision as of 16:06, 1 December 2017
ATTENDEES: David Tao, Frank Ploeg, Adamu Haruna
AGENDA
- Finish review of short descriptions (3.4.6 and following) -- DONE. Revisions made and accepted.
- Review cMHAFF Label, a visual summary of key facts about an app and its conformance to cMHAFF (David)
- Review of Label format and "consumer friendly language" descriptions (new Section 2.2 in cMHAFF document), including the notes that suggest how a section could be scored Green, Yellow, or Red, and who should decide (self-attestation vs inspection vs test vs ____?). SEE DISCUSSION IN SUB-BULLETS BELOW.
- RED is easy to define. The app fails to meet one or more of the applicable SHALL conformance statements. "Applicable SHALL" includes the SHALL[IF] statements for which the [IF] condition is true.
- GREEN vs YELLOW is trickier. We initially proposed GREEN for the app meeting all applicable SHALLs and SHOULDS, and YELLOW for the app meeting all applicable SHALLs but not all applicable SHOULDS. But we questioned whether that would be too stringent, causing some excellent apps to be yellow if they failed one SHOULD recommendation. We will revisit and consider an alternative such as a percentage of SHOULDS, or else a custom definition of GREEN vs YELLOW for each category.
- Adamu pointed out that there may be a disconnect between the cMHAFF categories, which are intended for DEVELOPERS, vs the label which is intended for CONSUMERS. Perhaps the consumer does not need to see all 19 categories. Some could be combined into higher level concepts that consumers care about, such as "TRUST" (e.g., combining Authentication, Authorization, Security at Rest, Security in Transit, Provenance, Audit). "PRODUCT INFORMATION," "PRODUCT DEVELOPMENT AND SUPPORT" (4 categories), etc.
- Work through two sections as examplars: Product Information and User Authorization (Consent) for Data Collection and Use, to work through how the label score might be determined by assessment against conformance statements. (STARTED BUT NOT FINISHED)
- Review of Label format and "consumer friendly language" descriptions (new Section 2.2 in cMHAFF document), including the notes that suggest how a section could be scored Green, Yellow, or Red, and who should decide (self-attestation vs inspection vs test vs ____?). SEE DISCUSSION IN SUB-BULLETS BELOW.
- Review and decision on specific comments (RAN OUT OF TIME -- DEFER UNTIL NEXT WEEK)
- DKT7 -- Environmental Scan
- DKT8 -- Are all aspects of the product development life cycle appropriate to mention, if there are not corresponding conformance criteria for all of them?
- DKT9 -- Secure Coding practices reference
- DKT13&14 -- Risk Management references
- DKT22 -- Liability discussion. Frank disputes this one. Appropriate?
- DKT31 -- Strong authentication options
- DKT49 -- Initial set of definitions. Check for important missing terms.
- DKT50 -- Platform-specific considerations
- Review of changes made, based on Adamu's recommendations from U.K. PAS277 Guidelines. Comments have been added, but specific wording has not all been incorporated yet.
