...
Westin (5 star rating)
Golden Tulip Warsaw Centre (4 star rating)
Hilton (5 star rating)
Intercontinental (5 star rating)
For people with limited budget: Hotel Campanile Warszawa (3 star rating)
Proposed Agenda
...
| Time | TopicTop | Driver/Presenter | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| 28 November | |||||||||
| 9:00 - 9:15 (15min) | Status of the Casablanca Priorities 30min | Amy | |||||||
| 9:15 - 10 45min | Outline Dublin Security Priorities | Create Amy | Create the Dublin security priorities draft to review with seccom and present to the TSC30min | ||||||
| 10 - 10:30 30min | Vulnerability Management Process Review (SECCOM-66) | Robert | Updates to the vulnerability management process an | ||||||
| 10:30 -10:45 | Break | ||||||||
| 10:45 11:15 30min | Silver CII Badging | Amy | Determine the Silver requirements the projects need to focus on for Dublin | ||||||
| 30min11:15 - 12 45min | Relation between vulnerability and vulnerability reviews and release gates | Amy | Lessons learned from the Beijing and Casablanca reviews Enumerate the vulnerability mitigates tasks for each milestone and release candidate. This will help the projects schedule package upgrades, replacements, and the development of compensating controls early in the release cycle. | 1hr | Vulnerability Management Process Review (SECCOM-66) | Lessons learned from the Beijing and Casablanca reviews Modify the review table to clarify the information the projects must provide Suggestion of how to improve the review process | |||
| 30mins 12-1 | Lunch | ||||||||
| 1 - 1:45 45mins | Vulnerability handling clarifications (SECCOM-74) | Create a simple workflow | |||||||
| 1:45 - 2:30 45min | API Security | Natacha | Review the ETSI API security recommendations and requirements | ||||||
| 2:30 - 2:45 | break | ||||||||
| 1hr2:45 - 3 | Risk Assessment Review | Pawel/Samuli | Review the findings from the risk assessments Discuss the questionnaire proposed by Robert to help identify risk in projectsReview the | 1hr | API Security | Review the ETSI API security recommendations and requirements | 1hr | MSB Security Requirements | Review MSB communication security andprojects |
| 3 - 4 | Risk Assessment Overall Plan | Pawel/Samuli | Define the scope of the risk assessment and the plan to complete the assessment Focus on some selected areas of risk | ||||||
| 4-4:15 | Break | ||||||||
| 4:15 -5 | wrap up | ||||||||
| 29 November | |||||||||
| 9 - 10 1hr | ONAP Communication Security Requirements | Pawel | Review communication security between ONAP components and ensure that the transactions exchange between the different components are secure | 1hr | Security Guidelines | Develop a plan to document the security of ONAP | (Authentication, Authorization, Confidentiality) | ||
| 30mins | Security by design | TBD | What guidelines are required to projects and the milestones to place security first and foremost. Discussion
| 1hr | Review of Action Items |
| |||
| 10:30-10:45 | Break | ||||||||
| 10:45-11:15 | Security Guidelines | Zygmunt | Develop a plan to document the security of ONAP | ||||||
| 11:15-12:30 | Discussion and Review Action Items | Amy | Review the meeting; assign action items | ||||||
| 12:30-1:30 | Lunch | ||||||||
| 1:30-4 | Backup if needed |
Proposed Topics
- Relation between vulnerability and release passing the gates
- To clarify the importance of vulnerability management and its impact on passing the project release management gates. To study the relevance to link the release management and the vulnerability management processes.
- Vulnerability Management process review
- The goal is to ensure that the process is completed (lack of TBD items, added workflow and other comments coming from Robert) and well known by security subcommittee members and other ONAP members (at least PTLs). A follow-up per project could be considered in order to encourage them to make progress, or at least a Dashboard in order to have a clear overview. Lessons learned.
- Risk Assessment review
- Review by community the table developed during series of risk assessment meetings and discussion on questionnaire proposed by Robert to identify risks from projects with closed questions types.
- API security
- To review existing recommendations and focus on missing part. ETSI has published recommendations on API security, and could be a useful contribution.
- CII Badging silver
- To handle and highlight updates for silver level.
- CII Badging update proposal
- To review proposals made for CII badging based on our risk assessment exercise. First step back of the ongoing risk assessment process, and then brainstorming regarding potential additional questions.
- Review of Casablanca priorities and Dublin priorities
- Review of the backlog for Casablanca and self-assessment of deliverables produced + focus on priorities for Dublin release- identification of tasks and their owners/leaders.
- MSB security requirements
- As MSB is crucial communication medium, it is very important to review its communication security aspects and to ensure that the transactions exchange between the different components are reliable.
- Security guidelines
- Document the security of ONAP
...