April 12, 2011 Security Conference Call
Security Working Group Meeting
1. (05 min) Roll Call, Approve Minutes & Accept Agenda
2. (15 min) REMINDER for next week: please review the NEW Risk Assessment request (hData REST spec) so that we can begin the Risk Assessment
- Note: Gerald B would like to complete by May WG Meeting in Orlando
3. (15 min) Emerging mapping of Security Privacy Ontology to the Security and Privacy DAM - Tony Weida
4. Security and Privacy Ontology - Latest posting
Risk Assessment of hData
- hData Security Risk Assessment - Postponed
Security and Privacy Ontology Ballot Update
A call was held last week with the Steering Division as to whether we had completed all the hoops for the ballot. The Steering Division checked and, as far as they were concerned, no further action was required. The TSC had approved our ballot.
We are going forward as Informative for this ballot, but possibly DSTU for September. (The Steering Division has approved the ballot.) The only remaining confusion is how the ballot appears. Are there any other issues that we have to deal with?
Tony – There is a desktop page which provides a table for ballot document pools and links to the documents themselves, or links to HL7 Version 3 ballot pages which in turn contain Version 3 specifications. The confusion may have to do with whether the ballot is a V3 spec or not.
(Showing ballot desktop page.) The ballot is located on the Ballot Desktop page: if you scroll down, there is a row for HL7 V3 Standards Security and Privacy Ontology - Release 1; at the moment it is being categorized as a DSTU*. (It should be Informative.) My source of confusion is that if you look at the V3 ballot site for May 2011, our ballot is not included in this structure.
* Mike had submitted this ballot as Informative; however, the project plan says DSTU. This was an automatic input thing and was not discovered until we started doing some tracking. Our committee does not have to accept the ballot as a DSTU even if it is balloted as such. We can take it as what it was intended for: an Informative ballot. We will take any comments on the current status of the document so that we can incorporate the information and re-ballot in September 2011 as DSTU as planned. There is really nothing negative about being out there as a DSTU now. It doesn't put any obligations on us different from what we had planned, whether it's Informative or DSTU; it's a process thing. It looks great otherwise. We'll treat it internally as Informative; we simply want to get comments and plan to re-ballot as DSTU in September 2011. (No plan change.)
May 2011 WGM in Orlando - Agenda
We have a pro-forma kind of agenda that Security goes in to. There has been one recent change: we had planned on Q3-4 to meet with CCOW on Tuesday, but there was a conflict. We changed the meeting to Q3 on Wednesday (tentative).
ACTION: Mike to take action item for pro-forma agenda, create a generic agenda and send to Suzanne for posting
NOTE: We typically do joint WG meetings on Wednesday.
NOTE: We typically do not historically announce our agenda out in the open.
Security Risk Assessment Cookbook
The purpose of the cookbook was for different WGs to be able to use it to do their own agenda; it wasn't for us to individually support 'EACH' WG. If we're changing our philosophy on how we do Risk Assessments, it should be added to the agenda. I (Mike) personally do not have the bandwidth to support all the WGs; that was the reasoning behind writing the cookbook, so we did not have to do that. We are doing training sessions and tutorials during the periods so that WGs can become informed on what they need to do. I was surprised that the current direction seems to be mostly hands-on.
I (Suzanne) believe that to start off we need to do some hands-on work with the WGs who come forward. We initially went through the process with two pilot projects using the cookbook to make sure we had our ducks in a row. But the process is still new, and I see that until some of the WGs have gone through the process we will need to do some hand-holding and answer immediate questions in support of our document. Then other WGs can collaborate between themselves and will work out and discuss their issues instead of coming directly to Security.
Mike – That wasn't our plan; I don't have the resources to continue to support that. It's a change in strategy.
Suzanne - We may have to suggest to HL7 to have Security provide more tutorials and not continue to do hand-holding.
Mike - We did this during the pilot. We will need to put this on the agenda as a discussion item. I don't know how we think we can support this if there is much hand-holding. I don't know who is offering to do the hand-holding, because it's not what the Security WG agreed to do when we created the Risk Assessment. This chair is not aware of an agreement to do hand-holding.
Jon - If we can get some confirmation that the tool/document and the process are adequate, then it's a very valid exit strategy to just say no. If inadequate, then we need to make a decision as to whether we invest our resources to make it adequate.
Mike – I don't disagree with that statement. The document was prepared and sent out to a number of WGs for review and comment before the launch of the project. We did a pilot with one; we incorporated the information at the time; if further experience deems we need to make changes, then fine, we should do that. That's appropriate. We've offered to do training sessions; i.e. Australia was specifically interested in doing that, but we weren't able to put that together. I think you're right, and it's a proper way of dealing with it, short of having some designated person go to different WGs and help them with their Risk Assessment. There is no exit strategy here for that piece, as we never offered to do that. We offered to provide a document and training, but we never said we would provide hand-holding.
One of the things we had discussed (do we still have an issue list?):
Privacy Input spreadsheet – mapping domain-specific class diagram to a set of standards and references within a Domain
An action that we had earlier was to go through the information model and attempt to create a domain-specific class diagram by mapping it to a set of standards and references within a domain. … Suzanne and Richard had the task for the privacy part of the model; I would like to come back to this subject for the next call. So some coordination between Suzanne and Richard needs to happen to bring this up for the next meeting.
Clarification: Was this the spreadsheet? Yes, this was an artifact in the form of a spreadsheet that Jon had worked on originally, but we were looking to continue that. We were looking for input specifically from Privacy.
Meeting adjourned at 10:29AM PST
ACTION: Mike to take action item for pro-forma agenda, create a generic agenda and send to Suzanne for posting