December 15, 2015 Security Conference Call
Attendees
Present | Member Name | Present | Member Name | Present | Member Name
---|---|---|---|---|---
x | Mike Davis, Security Co-chair | | Duane DeCouteau | . | Chris Clark
x | John Moehrke, Security Co-chair | | Johnathan Coleman | . | Aaron Seib
x | Alexander Mense, Security Co-chair | . | Ken Salyards | . | Christopher D Brown TX
. | Trish Williams, Security Co-chair | . | Gary Dickinson | x | Dave Silver
x | Kathleen Connor | . | Ioana Singureanu | | Mohammed Jafari
x | Suzanne Gonzales-Webb | x | Rob Horn | . | Galen Mulrooney
x | Diana Proud-Madruga | | Ken Rubin | | William Kinsley
x | Rick Grow | | Paul Knapp | x | Debbie Bucci
x | Glen Marshall, SRS | | Bill Kleinebecker | x | Christopher Shawn
| Oliver Lawless | x | Rob Horn | | Serafina Versaggi
. | Beth Pumo | | Russell McDonell | | Paul Petronelli, Mobile Health
| Christopher Doss | x | Kamalini Vaidya | |
Agenda DRAFT
- ( 5 min) Roll Call, Agenda Approval
- ( 5 min) Approve December 08 Meeting Minutes
- ( 5 min) Healthcare Security and Privacy Access Control Catalog Update - Rick, Suzanne
- ( 5 min) Joint Vocabulary Alignment Update - Diana
- ( min) FHIR Security report out - John
- ( 5 min) PASS Access Control Conceptual Model (SOA) ballot reconciliation Update - Diana, Don, Mike, Dave
- Remaining meetings for 2015, beginning of 2016 - December 22, 29; January 5
- (10 min) Upcoming HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG - AGENDA ITEMS
- Update Preview of Audit Functional Model - Dave
- in future to update the PASS Audit
Meeting Minutes
Motion to Approve December 8 meeting minutes
Objections: none; meeting minutes approved: 12
no update
- no comments returned, no voting returned
Joint Vocabulary Alignment update
- came to an understanding for "originate"
- latest version is available for review on the Vocabulary Alignment wiki
- links added to the CBCC and Security pages for access
- work is progressing; trying to find common ground/common process - we are getting there
- tried to build definitions off a standard model of fairly simple functional/control systems as an alternative to definitions
- struggling on the first basic set of things (last 4-6 weeks), getting comfortable with the representation, artifacts, and details of each of the articles--how we want them to be
- input, output, etc. will serve us to tackle the rest of the vocabulary
- would like to present in more detail to the Security group (it is in alignment with security and provenance) now and going forward to receive feedback; expect good reviews from the Security group
add to agenda for security WG as a follow up - to review the items
FHIR Security
- resolved one CP last week - results are now in the current build (essentially renaming of audit events so they are the same as in provenance... preference of the W3C terms entity and agency vs. ATNA 'participant' and 'object')
PASS Access Control Conceptual Model
- comments returned from Alex (Bernd's comment)
- is there further ballot reconciliation to be done?
- only what Alex sent out
- request to withdraw sent to VA and DoD folk - votes have not been withdrawn
- suggesting to add a capability to our trust framework - along the lines to describe trusted attributes
- we believe that the response should be 'for future use' as a response - we are moving in that direction, (there is a gap); but at this time it is not
- Alex - maybe leave as an open issue and fix in a future build
ACTION: Alex to approach Bernd with this resolution and confirm that it is okay.
- Diana will confirm that the resolutions are in the spreadsheet and notify Alex/Bernd when they are ready for Bernd to respond
Remaining 2015 / early 2016 meetings
- December 22 - meet; yes
- December 29 - no (Mike is not available)
- January 5 - ? just before WGM (Mike is not available)
- following week is the WGM
Proposal: (as above) (Glen/JohnM) - objections: none; abstentions: none; motion passed: meeting only on the 22nd
- confirm quorum at the FHIR meeting this afternoon - TBD
- John M is available if meetings are held
Agenda items for upcoming HL7 WGM JANUARY 2016 - Orlando, Florida USA Security WG
- Suzanne to update the calendar for review at the December 22 meeting
- Wednesday Q2 - remove SOA Security, add PSS Audit Services
- ADD to Tuesday Q3 (joint): Privacy Protection for the Internet of Things - setting up a call with Helen for a briefing on the background of the group; Steve Moeller (Kantara) will also join. Does the Security WG consider emerging technologies that have not been a topic of our work - HEART, privacy protective (what Helen has proposed), health Internet of Things - and how they all fit together? - ADD
- would indicate whether or not the WGM is a place to host a meeting... presentation with Alex's students
- remove: Tuesday Q2 PASS AC Ballot reconciliation
800-53 Security Controls to the Functional Model
- displayed by Dave Silver
- we will publish the FM along with the text of the FM (description of the functions)
- the table with the mapping: we have not written up the logic of why they are mapped the way they are; this is our view at this point. The mapping to 800-53 gives us a way of organizing the functions. Some of the 800-53 controls are mappable to one or more of the FM functions, so the FM is not canonical in this sense (one and only one); this is something to note, e.g. protection of audit information
- provide the FM in a Word document
- asking for comments on what we have so far - a precursor to our Audit standard (with SOA); will be going into more detail at the January WGM. This is where we are right now, looking at the model
- Mike would like to solicit any other suggestions. The audit model is traceable to other standards that we have (ISO, ASTM...) in the usage of terms and concepts; that may not be visible here at this point
- have you exposed the Security WG to the audit FM before? yes, two weeks ago.
- a link will be provided to the items being presented today
- each of the functions is described in the word document - they should be familiar
- is there a crosswalk to 800-92 (a functional model for audit logging)? no, this is the only crosswalk done at this time
- it's unfortunate that 800-92 did not clearly do that for us
- at the WGM, we may have the requirements ready for presentation ; approx. 250 requirements written
- we want to have the requirements traceable to 800-53
ACTION: Two documents forwarded to Security WG listserve (Suzanne)
Meeting adjourned at 1357 AZT --Suzannegw (talk) 16:09, 15 December 2015 (EST)