[Owasp-board] FW: [Global_industry_committee] NIST doco we should review &comment on

Tom Brennan tomb at owasp.org
Mon Mar 2 15:04:45 UTC 2009


Topic for the board meeting - Kate, can you add this to the agenda?

Industry Committee - Administrative Support.

On Fri, Feb 27, 2009 at 12:57 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> Hi Tom
>
> Following on from the email I just sent to the Industry committee, although
> Paulo would be a perfect candidate for this type of role and activity, he is
> completely maxed out at the moment in dealing with the closure of SoC 08,
> launching the next season of code and handling the 50-odd emails he gets a
> day about specific issues related to active (and new) OWASP projects.
>
> Sorry, he can't help you here :)
>
> At the current pace, this type of 'official OWASP response' is NOT going to
> happen (note that there was another similar UK Government policy paper
> that we recently missed the deadline to comment on); my recommendations to you
> are:
>    a) make the case to the board to hire (full time or part time) one
> dedicated resource for this committee (which btw I will FULLY support you
> on), or, as I suggested in that email,
>    b) you get the guys from the Industry Committee to apply for a SoC 09
> grant to get a temporary resource for 6 months. Note that a 10k or 20k SoC
> 09 sponsorship for one (or more) person(s) to work on this type of
> 'official OWASP response' would be a VERY easy-to-approve SoC 09 project
> :)  (as long as there is a detailed action-plan and proposed deliverables)
>
> Dinis
>
>
> 2009/2/27 Paulo Coimbra <paulo.coimbra at owasp.org>
>>
>> Hello Dinis,
>>
>> I need to answer Tom ASAP and your guidance would be appreciated. Can I
>> have it please? I of course will do whatever the Board decides I must do but, as
>> you know, we haven't completely closed SoC 08 yet, and we are still struggling to
>> put together the next season of code and to update our assessment
>> criteria beforehand.
>>
>> Thanks,
>>
>> Paulo Coimbra,
>> OWASP Project Manager
>>
>> From: Tom Brennan - OWASP [mailto:tomb at owasp.org]
>> Sent: Friday, 27 February 2009 12:25
>> To: Paulo Coimbra
>> Subject: Fw: [Global_industry_committee] NIST doco we should review &comment on
>> Importance: High
>>
>> This committee could use your help
>>
>> Any questions, give me a call at 973-202-0122
>>
>> -----Original Message-----
>> From: Rex Booth <rex.booth at owasp.org>
>> Date: Fri, 27 Feb 2009 05:38:01
>> To: David Campbell<dcampbell at owasp.org>
>> Cc: <Global_industry_committee at lists.owasp.org>
>> Subject: Re: [Global_industry_committee] NIST doco we should review &
>> comment on
>>
>> Okay gents - let's tackle this in earnest.
>>
>> As David and Colin mentioned, this is THE document that drives IT
>> compliance in the US Federal sector, so we want to be involved as much
>> as possible.  I'd like to gauge two things:
>>
>> 1) Who on the industry committee can dedicate time to this (comments are
>> due March 27, though we should aim to be done about a week in advance of
>> that)
>>
>> 2) Are we collectively interested in inviting others outside this
>> committee into the review process?
>>
>> I'm happy to step in as a project manager of sorts on this effort.  I
>> also think we should invite the general OWASP population to contribute.
>>
>> Thoughts?
>>
>> Thanks,
>> Rex
>>
>> David Campbell wrote:
>> > Colin,
>> >
>> > I agree that asking for comments from *.leaders would be messy++.
>> >
>> > Does Google Docs give us a broader "track changes" ability that we could
>> > limit to the people who have the time and energy to put thoughtful
>> > comments into this?
>> >
>> > FYI NIST 800-53 is *the* document that currently drives the *entire*
>> > compliance programs for most US federal agencies, so we must *not* miss
>> > this deadline.
>> >
>> > I'll jump back on this thread as soon as I have time but I likely will
>> > have zero time for the industry committee until after 6 March due to
>> > 'real work' and the Colorado OWASP conf.
>> >
>> > DC
>> >
>> > Colin Watson wrote:
>> >
>> >> Hi David and Rex
>> >>
>> >>> At this point I don't have the bandwidth to be a lead on this.
>> >>> Perhaps Rex can step up, or per Tom's suggestion we send a request to the
>> >>> Leaders list for help.  This is a big one, and shouldn't be ignored.
>> >>
>> >> Yes, that would be a good idea.  What would be the best way to manage
>> >> this?  We could easily be inundated with comments and suggestions from
>> >> the Leadership list.  If it's by email, it will be difficult to deal
>> >> with.
>> >>
>> >> Would it be worth dividing the document up into sections and asking
>> >> people on the Leadership list if they would like to volunteer to draft
>> >> a suggested response for sections they are particularly interested in,
>> >> publish this on the wiki as a draft and then be a point of contact for
>> >> feedback?
>> >>
>> >> The contents list is:
>> >>
>> >> CHAPTER ONE INTRODUCTION
>> >> 1.1 PURPOSE AND APPLICABILITY
>> >> 1.2 TARGET AUDIENCE
>> >> 1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS
>> >> 1.4 ORGANIZATIONAL RESPONSIBILITIES
>> >> 1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION
>> >>
>> >> CHAPTER TWO THE FUNDAMENTALS
>> >> 2.1 SECURITY CONTROL ORGANIZATION AND STRUCTURE
>> >> 2.2 SECURITY CONTROL BASELINES
>> >> 2.3 COMMON CONTROLS
>> >> 2.4 SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS
>> >> 2.5 SECURITY CONTROL ASSURANCE
>> >> 2.6 REVISIONS AND EXTENSIONS
>> >>
>> >> CHAPTER THREE THE PROCESS
>> >> 3.1 MANAGING RISK
>> >> 3.2 CATEGORIZING THE INFORMATION SYSTEM
>> >> 3.3 SELECTING SECURITY CONTROLS
>> >> 3.4 MONITORING SECURITY CONTROLS
>> >>
>> >> APPENDIX A REFERENCES
>> >> APPENDIX B GLOSSARY
>> >> APPENDIX C ACRONYMS
>> >> APPENDIX D SECURITY CONTROL BASELINES – SUMMARY
>> >> APPENDIX E MINIMUM ASSURANCE REQUIREMENTS
>> >> APPENDIX F SECURITY CONTROL CATALOG
>> >> APPENDIX G INFORMATION SECURITY PROGRAMS
>> >> APPENDIX H INTERNATIONAL INFORMATION SECURITY STANDARDS
>> >> APPENDIX I INDUSTRIAL CONTROL SYSTEMS
>> >>
>> >> If we go this way, does anyone on this list want to select a section
>> >> for themselves?
>> >>
>> >> Regards
>> >>
>> >> Colin
>> >> _______________________________________________
>> >> Global_industry_committee mailing list
>> >> Global_industry_committee at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>> >>
>



-- 
Tom Brennan
Board Member
OWASP Foundation
Tel: 973-795-1046 x112
Url: www.owasp.org


