
OCA PGB Sbomarama action item

sfractal
 

I mentioned the CISA SBOMarama at the PGB meeting. For those interested, the websites are now up. See:

For those who already expressed interest, my understanding is you will get an email either today or Monday showing you are on the mailing list for the meeting. The meeting will be open to anyone wanting to attend. The Teams links are on the 2nd link above.

sbom@... is the official SBOM email to send questions/comments/etc. to USG.

 

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of Jason Keirstead via lists.oasis-open-projects.org <Jason.Keirstead=ca.ibm.com@...>
Date: Thursday, December 2, 2021 at 9:29 AM
To: oca-pgb@... <oca-pgb@...>
Cc: vshanks@... <vshanks@...>, r.nadkarni@... <r.nadkarni@...>, c.bradley@... <c.bradley@...>, valeriy.leykin@... <valeriy.leykin@...>, cmurphy@... <cmurphy@...>, sam.curry@... <sam.curry@...>
Subject: [oca-pgb] PGB Agenda

Hi all; today in the final call of 2021 - I want to very much focus on governance & strategy of the organization.

 

- We have failed to recruit non-maintainer volunteers for the TSC


- We continue to have relatively low participation ( ~ 50% or less ) at many PGB sessions. How to remedy? Do we need to choose a new time? Is the issue technical?

 

- Duncan has proposal that the TSC should simply be constituted of a federation of the key project maintainers and make them responsible for technical governance. Do we want to make these changes?

 

- Other topics: Duncan has agenda items he wants to raise around SBOM and potential inbound projects.

NOTE: I am taking the initiative to manually CC every PGB member to this email who did not attend the last call, in an effort to confirm everyone sees the message. I continue to be concerned that invites to the PGB mailing list are going "into the ether". If you receive this note, and you were unaware that a PGB meeting was scheduled today / it is not in your calendar, please let me know. If necessary we will organize a second ad-hoc meeting or set up a 1:1 meeting so we can discuss how to make PGB meetings work for your schedule. I very much want to figure out how to improve our participation in 2022.

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

 

Assistant - Mauricio Durán Cambronero (mauduran@...)

Book a meeting with me - https://calendly.com/jason-keirstead

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

www.opencybersecurityalliance.org
 

 


Upcoming Events #cal-summary

oca-pgb@lists.oasis-open-projects.org Calendar <oca-pgb@...>
 

Open Cybersecurity Alliance Project Governing Board Upcoming Events

Architecture Workgroup Meeting

When:
Thursday, December 9, 2021, 4:00pm to 5:00pm
(GMT-05:00) America/New York

Where:
https://ibm.webex.com/meet/russell.warren
1-844-531-0958 (United States Toll Free)
+1-669-234-1178 (United States Toll)
Access code 928 711 512 #

Organizer: "Russell Warren/Raleigh/IBM" russell.warren@...



Zero Trust Workgroup Meeting

When:
Monday, December 13, 2021, 4:30pm to 5:30pm
(GMT-05:00) America/New York

Where:
https://ibm.webex.com/meet/russell.warren
1-844-531-0958 (United States Toll Free)
+1-669-234-1178 (United States Toll)
Access code 928 711 512 #

Organizer: "Russell Warren/Raleigh/IBM" russell.warren@...



OCA Monthly Developer Office Hours

When:
Tuesday, December 21, 2021, 10:00am to 11:00am
(GMT-05:00) America/New York

Where:
https://zoom.us/j/99676071745?pwd=clpteGdLRUhQR1VNSThQK21VMEdPdz09 Passcode: 230155

Organizer: Dee Schur 941-321-6733

Details:

Roseann Guttierrez (IBM) will host a monthly developer office hours about OCA projects and topics/concerns in cyber security!
https://zoom.us/j/99676071745?pwd=clpteGdLRUhQR1VNSThQK21VMEdPdz09
Passcode: 230155
Or iPhone one-tap : 
    US: +19292056099,,99676071745#,,,,*230155#  or +13017158592,,99676071745#,,,,*230155# 
Or Telephone:
    Dial(for higher quality, dial a number based on your current location):
        US: +1 929 205 6099  or +1 301 715 8592  or +1 312 626 6799  or +1 669 900 6833  or +1 253 215 8782  or +1 346 248 7799 
Webinar ID: 996 7607 1745
Passcode: 230155
    International numbers available: https://zoom.us/u/abPieGwfbb



OCA PGB Monthly Call

When:
Thursday, January 6, 2022, 1:00pm to 2:00pm
(GMT-04:00) America/Halifax

Where:
+18445310958,,927997469
https://ibm.webex.com/meet/jason.keirstead
Join by phone
Access code: 927 997 469
United States of America Toll Free 1-844-531-0958
United States of America Toll +1-669-234-1178
United Kingdom Toll Free 0808-234-3612
Israel Toll Free 180-940-5356
Australia Toll Free 1-800-87-5043
International numbers: https://ibm.webex.com/cmp3200/webcomponents/widget/globalcallin/globalcallin.do?siteurl=ibm&serviceType=MC&ED=555779422&tollFree=1

Organizer: "Jason Keirstead/CanEast/IBM" Jason.Keirstead@...

Details:
Online meeting: https://ibm.webex.com/meet/jason.keirstead

Setting up OCA PGB calls for 2021


SBOM-preferred, VEX-preferred

sfractal
 

WRT: “Duncan has agenda items he wants to raise around SBOM and potential inbound projects.”

 

For those of you who are not aware, CISA has taken the lead from NTIA on implementing SBOM (software bill of materials) wrt EO 14028 (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/). There will be an SBOMarama on Dec 15,16 (15 for tutorial and getting newbies up to speed, 16 for planning work going forward on industry providing input to CISA).

 

I think OCA members should consider attending CISA meeting to support OCA PACE work and tie in to other OCA projects.

 

I think OCA should consider having a “SBOM-preferred” program a la STIX-preferred. Ditto VEX-preferred.

 

My personal opinion is SBOM-preferred may take a while to get going but someone is going to do it if we don’t. It will probably start with just ‘USG critical infrastructure’, but I suspect it will not take long to be all software everywhere due to the interconnected nature of open source and due to the rising importance of cybersecurity. There has already been noise made in the SBOM meetings for something like it – usually by particular industry groups proposing something for their industry. Or being proposed by one of the 3 formats (LF SPDX, OWASP CycloneDX, NIST SWID). We really need something overarching across formats and across industries. We are in a good position to do it, and we have the PACE project to use as an anchor to start the work from.

 

You all have to decide whether you want it here or will let it occur somewhere else. And if something needs to get done, then somebody has to do it. But these are just my opinions and I have no financial stake in any of this and only so many hours to push on this wet noodle.

 

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

 

 


TSC

sfractal
 

WRT: “Duncan has proposal that the TSC should simply be constituted of a federation of the key project maintainers and make them responsible for technical governance.”

 

My proposal is slightly more than that. I think each project should have two maintainers, ideally from two different companies, and they should be on TSC by definition. If they can’t contribute to TSC at least a little, then they shouldn’t be maintainers. But ideally I think there should be TSC members in addition to the project maintainers. Neither the “two companies” nor the “members beyond maintainers” are requirements, just desirable. But project maintainers on TSC would be a requirement.

 

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

 

 


PGB Agenda

Jason Keirstead
 

Hi all; today in the final call of 2021 - I want to very much focus on governance & strategy of the organization.
 
- We have failed to recruit non-maintainer volunteers for the TSC

- We continue to have relatively low participation ( ~ 50% or less ) at many PGB sessions. How to remedy? Do we need to choose a new time? Is the issue technical?
 
- Duncan has proposal that the TSC should simply be constituted of a federation of the key project maintainers and make them responsible for technical governance. Do we want to make these changes?
 
- Other topics: Duncan has agenda items he wants to raise around SBOM and potential inbound projects.

NOTE: I am taking the initiative to manually CC every PGB member to this email who did not attend the last call, in an effort to confirm everyone sees the message. I continue to be concerned that invites to the PGB mailing list are going "into the ether". If you receive this note, and you were unaware that a PGB meeting was scheduled today / it is not in your calendar, please let me know. If necessary we will organize a second ad-hoc meeting or set up a 1:1 meeting so we can discuss how to make PGB meetings work for your schedule. I very much want to figure out how to improve our participation in 2022.
 
-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

 
Assistant - Mauricio Durán Cambronero (mauduran@...)
Book a meeting with me - https://calendly.com/jason-keirstead

Co-Chair - Open Cybersecurity Alliance, Project Governing Board
www.opencybersecurityalliance.org
 



Re: [oca-marketing] Outline for proposed home page on new web site

sfractal
 

What is the logic on the ordering of the projects? It seems neither chronological nor alphabetical. I’d vote alphabetical.

iPhone, iTypo, iApologize


From: oca-marketing@... <oca-marketing@...> on behalf of Paige Montgomery via lists.oasis-open-projects.org <pmontgomery=prophecyinternational.com@...>
Sent: Tuesday, November 30, 2021 3:07:39 PM
To: oca-marketing@... <oca-marketing@...>; oca-pgb@... <oca-pgb@...>
Subject: Re: [oca-marketing] Outline for proposed home page on new web site
 
Hey Russ,

Looks good. I always recommended to clients during my agency days to move testimonials or associated brand logos higher up the home page if possible. I think the sponsors below the Mission and intro copy would be a good look considering the incredible logos associated.

Always a fan of simple UX.

Paige


Paige Montgomery
Global Marketing Director
Prophecy International
8480 E. Orchard Road, Ste. 4350 Greenwood Village, CO 80111
Email: pmontgomery@...
Web: www.prophecyinternational.com, www.emite.com
Mobile: +1 720.646.0442
www.snaresolutions.com

Confidential Email. The information in this message(including attachments) is the exclusive, private and confidential property of the sender. It is intended solely for use by the sender and the intended recipient(s). If you are not that intended recipient, you are advised that any unauthorised disclosure, copying, distribution or action taken as a result of the information in this message is strictly prohibited. The information may be privileged and confidential. If you have received this message in error, please notify the sender immediately by return email or contact the head office on +61 8 8213 1200 and destroy this message and any copies in any form immediately. Any views expressed in this message are those of the individual sender. Finally, you should check this message and any attachments for the presence of viruses. Prophecy International Pty Ltd does not accept liability for damage caused by any viruses transmitted with this message. Thank you for your co-operation.






Outline for proposed home page on new web site

Russell Warren
 

Here is a proposed outline for the new home page. Left side for technical material and information (for technical folks); right side for activities/calendar and news/blog info. Under these is info on how to join OCA, sponsors and testimonials. OCA introduction will be a full width. 2 columns below would split the width.

Comments pls
Thank you
Russ




Architecture Workgroup Meeting

Russell Warren
 

Description



Zero Trust Workgroup Meeting

Russell Warren
 

Description



Upcoming Events #cal-summary

oca-pgb@lists.oasis-open-projects.org Calendar <oca-pgb@...>
 

Open Cybersecurity Alliance Project Governing Board Upcoming Events

Zero Trust Workgroup Call

When:
Monday, November 29, 2021, 4:00pm to 5:00pm
(GMT-05:00) America/New York

Where:
https://ibm.webex.com/meet/russell.warren
1-844-531-0958 (United States Toll Free)
+1-669-234-1178 (United States Toll)
Access code 928 711 512 #

Organizer: "Russell Warren/Raleigh/IBM" russell.warren@...



Zero Trust Workgroup Call

When:
Monday, November 29, 2021, 4:30pm to 5:30pm
(GMT-05:00) America/New York

Where:
https://ibm.webex.com/meet/russell.warren
1-844-531-0958 (United States Toll Free)
+1-669-234-1178 (United States Toll)
Access code 928 711 512 #

Organizer: "Russell Warren/Raleigh/IBM" russell.warren@...

Details:
Moving back 30 minutes


OCA PGB Monthly Call

When:
Thursday, December 2, 2021, 1:00pm to 2:00pm
(GMT-04:00) America/Halifax

Where:
+18445310958,,927997469
https://ibm.webex.com/meet/jason.keirstead
Join by phone
Access code: 927 997 469
United States of America Toll Free 1-844-531-0958
United States of America Toll +1-669-234-1178
United Kingdom Toll Free 0808-234-3612
Israel Toll Free 180-940-5356
Australia Toll Free 1-800-87-5043
International numbers: https://ibm.webex.com/cmp3200/webcomponents/widget/globalcallin/globalcallin.do?siteurl=ibm&serviceType=MC&ED=555779422&tollFree=1

Organizer: "Jason Keirstead/CanEast/IBM" Jason.Keirstead@...

Details:
Online meeting: https://ibm.webex.com/meet/jason.keirstead

Setting up OCA PGB calls for 2021




Re: Background for our next Zero Trust Call (Nov 29)

sfractal
 

Several things come to mind reading this. 

One is to distinguish between securing our systems and providing tools to secure client systems. E.g., securing the instantiation of stixshifter itself vs using stixshifter to help a client achieve ZT. We need to do both, but it is important to know which one we are talking about at any given time.

Another is I think it is a mistake that some of the slides treat ZT like a binary thing (i.e., you have it or you don't). I'll oversimplify ZT to authentication, authorization, and least privilege.
They have been around forever, but ZT is actually implementing true least privilege, only to authorized parties who really need it at this instant, that we really know both sides of the interaction are who they are supposed to be. We have done a certain amount of these things in the past, the ideal is doing them perfectly, and there are many possible in-betweens that are "better" than status quo, but are just stepping stones on the way to the ideal. Just because they aren't at ideal yet doesn't mean they aren't better than what is done today.

One final point is I think we need to distinguish between people and systems. We tend to be anthropomorphic and treat elements in the system like they are the person that triggered the action. M2M is different than H2M - both in the problem set and in the solutions. Part of the 'authorized at this instant' is the context of upstream systems, sometimes leading back to a human but more often not, especially as ML/AI kicks in.

Just some top of head thoughts before unplugging for the Holiday.
Happy Thanksgiving.
Duncan



iPhone, iTypo, iApologize

Duncan Sparrell
sFractal Consulting, LLC
I welcome VSRE emails. Learn more at http://vsre.info/




Background for our next Zero Trust Call (Nov 29)

Russell Warren
 

Dennis has pulled together some background for your pre-reading.   Please review and come prepared to discuss ideas on how the work group can progress and provide suggestions on what the work group can produce.
See page 22 for some questions to consider!


(See attached file: ZT Applied to Existing Systems.pptx)


Zero Trust Workgroup Call

Russell Warren
 

Description

    Moving back 30 minutes


Protecting your calls from gate-crashers

Chet Ensign
 

Team leaders,

From time to time, we get reports of outsiders crashing team calls. There has been a recent spate of such disruptions again. The effect of these interruptions can be anywhere from merely annoying to very upsetting. Either way, you may want to take steps to protect your meetings from unwanted intruders. Feel free to share this with others in your committee. 

- First, please note that anything in your calendar entry is publicly visible. It takes a bit of digging, but it is accessible. So you don't want to put info that will allow access to the event there, particularly passcodes. Instead, consider putting the information on accessing the meeting in a file that only team members can access or sending the details in a private message to participants before the meeting starts. For TC members using Kavi, information can be entered in an action item. Only logged in TC members have access to those.

- Always use a password if the tool allows it. Zoom allows you to set up a passcode in the security section. Teams does not but apparently you can configure access rules to hold unknown parties in a lobby until you can verify their identity. 

- If the tool allows for a waiting room or lobby area, consider using it. The 'Join before host' will not work and you, as host, will have to start the meeting before others can come in and start discussion. However, a waiting room will let you keep people you don't recognize out of your call.

- In Zoom, if the waiting room is enabled, you can click the More button to the right of a guest's name in the meeting Participants display, then select 'Put in waiting room' to send them back outside of your meeting.

- If you can collect identifying information on the intruder, we can report them to Zoom. While it may not have an immediate effect, users who abuse access to Zoom can be banned from the platform.

- According to Zoom, while in a meeting, you can report a participant for inappropriate behavior. Reported participants are removed from the meeting.

To do this:

* As the meeting host or a participant, click the meeting information icon in the top-left corner of the window.
* In the bottom-left corner of the meeting information dialog, click the red Report link.
* Fill out the dialog box; enter the participant(s) you would like to report and the reason for reporting the person.
* If you are not currently signed in to your Zoom account, enter your email address.
* (Optional) Select the Include desktop screenshot check box to include a current screenshot of your desktop.
* Click Submit.
You will receive a notification that your report was sent successfully.

More information on responding to inappropriate behavior can be found at https://support.zoom.us/hc/en-us/articles/360042791091

No one likes having to take these sorts of precautions. But it is a fact of our modern life that we have to. We hope these suggestions help you avoid hassles. If you have any tips of your own, please send them along so that we can share them. 

Thanks & best regards, 

/chet

--

Chet Ensign

Chief Technical Community Steward

OASIS Open

   
+1 201-341-1393
chet.ensign@...
www.oasis-open.org


Re: OCA Project Governance

sfractal
 

I agree Governance should be a focus. Our website claims:

Governance

Developers, corporate supporters, and technology consumers all have a voice in decision-making.

The PGB has a responsibility to walk the governance talk. That’s the top-down view. If it delegated it to the TSC, the PGB is still accountable if the TSC hasn’t done anything. If nothing else, each project should have a bottom up of how they are governed today. Who approves PRs? Are there different roles (e.g. Maintainer) and how are they selected? Are there project meetings that prioritize or approve whatever? Are they open to all? Which governance model (from https://www.redhat.com/en/blog/understanding-open-source-governance-models) is followed? And all this should be written somewhere. Stixshifter has a half decent ‘how to contribute’ but it doesn’t mention governance and how it’s done. E.g. anybody can submit a PR – but can anybody approve a PR? People won’t contribute if they feel a project is controlled by a corporation or an opaque bunch of insiders.

 

What is the current state of the TSC? IMHO there should be a correlation between projects and some of the TSC members. For example each project should have two maintainers (ideally from different companies, approved by PGB) and they are on the TSC representing their project. Ideally there would be some additional TSC members as well taking a more ‘across projects’ approach.

 

Is the architecture group a part of the governance process? Is it a committee of the PGB or of the TSC or something else entirely? It is not mentioned on the website governance page.

 

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of Jason Keirstead via lists.oasis-open-projects.org <Jason.Keirstead=ca.ibm.com@...>
Date: Friday, November 19, 2021 at 7:52 AM
To: oca-pgb@... <oca-pgb@...>
Cc: oca-pgb@... <oca-pgb@...>
Subject: Re: [oca-pgb] OCA Project Governance

Hi Duncan;

 

I have not forgotten about this email. As you know - we have a lot of open switches around project governance in the OCA.

Despite our best efforts we are having a lot of trouble bringing it to a close. This is also related to our issues fielding the TSC. Despite having the recruitment window open for an extended period and many CTA - including trying to cast a wider net - we did not get any volunteers, not even from OCA sponsors. Without a diverse TSC who has some minimal cycles to organize governance, it is hard to execute.

We are very open to suggestions on how we can both fill some seats in the TSC, and create a more solid governance structure around the projects. 

We have a PGB meeting on Dec 2, and I would suggest this should be the primary focus of the session. I also think we should do individual reach-outs to members to try to encourage attendance in this meeting. 

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

 

Assistant - Mauricio Durán Cambronero (mauduran@...)

Book a meeting with me - https://calendly.com/jason-keirstead

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

www.opencybersecurityalliance.org
 

 

 

----- Original message -----
From: "sfractal" <duncan@...>
Sent by: oca-pgb@...
To: "oca-pgb@..." <oca-pgb@...>
Cc:
Subject: [EXTERNAL] [oca-pgb] OCA Project Governance
Date: Tue, Nov 16, 2021 1:26 PM
 

 

PACE is now a new OCA project. It would help me to understand the governance models of the other existing OCA projects and if there are rules or guidance from the OCA PGB on the governance models of new projects. If we use the terms in https://www.redhat.com/en/blog/understanding-open-source-governance-models, what are the existing projects' governance models?

 - stix-shifter
 - ontology (btw didn’t we change the name from open-d ontology which is what the OCA website still says),
 - kestrel,
 - scapv2 (is this still an active project?)

 

If their governance models are known, are they also documented? If they aren’t known, shouldn’t we decide and document them?

 

Note there are pros and cons to the various models and combinations are allowed.

 

iPhone, iTypo, iApologize

 

Duncan Sparrell

sFractal Consulting, LLC

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 


Re: OCA Project Governance

Jason Keirstead
 

Hi Duncan;
 
I have not forgotten about this email. As you know - we have a lot of open switches around project governance in the OCA.

Despite our best efforts we are having a lot of trouble bringing it to a close. This is also related to our issues fielding the TSC. Despite having the recruitment window open for an extended period and many CTA - including trying to cast a wider net - we did not get any volunteers, not even from OCA sponsors. Without a diverse TSC who has some minimal cycles to organize governance, it is hard to execute.

We are very open to suggestions on how we can both fill some seats in the TSC, and create a more solid governance structure around the projects. 

We have a PGB meeting on Dec 2, and I would suggest this should be the primary focus of the session. I also think we should do individual reach-outs to members to try to encourage attendance in this meeting. 
 
-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

 
Assistant - Mauricio Durán Cambronero (mauduran@...)
Book a meeting with me - https://calendly.com/jason-keirstead

Co-Chair - Open Cybersecurity Alliance, Project Governing Board
www.opencybersecurityalliance.org
 
 
 

----- Original message -----
From: "sfractal" <duncan@...>
Sent by: oca-pgb@...
To: "oca-pgb@..." <oca-pgb@...>
Cc:
Subject: [EXTERNAL] [oca-pgb] OCA Project Governance
Date: Tue, Nov 16, 2021 1:26 PM
 
PACE is now a new OCA project. It would help me to understand the governance models of the other existing OCA projects and if there are rules or guidance from the OCA PGB on the governance models of new projects. If we use the terms in https://www.redhat.com/en/blog/understanding-open-source-governance-models, what are the existing projects' governance models?
 - stix-shifter
 - ontology (btw didn’t we change the name from open-d ontology which is what the OCA website still says),
 - kestrel,
 - scapv2 (is this still an active project?)
 
If their governance models are known, are they also documented? If they aren’t known, shouldn’t we decide and document them?
 
Note there are pros and cons to the various models and combinations are allowed.
 
iPhone, iTypo, iApologize
 
Duncan Sparrell
sFractal Consulting, LLC
I welcome VSRE emails. Learn more at http://vsre.info/
 
 



Upcoming Events #cal-summary

oca-pgb@lists.oasis-open-projects.org Calendar <oca-pgb@...>
 

Open Cybersecurity Alliance Project Governing Board Upcoming Events

Zero Trust Workgroup Call

When:
Monday, November 29, 2021, 4:00pm to 5:00pm
(GMT-05:00) America/New York

Where:
https://ibm.webex.com/meet/russell.warren
1-844-531-0958 (United States Toll Free)
+1-669-234-1178 (United States Toll)
Access code 928 711 512 #

Organizer: "Russell Warren/Raleigh/IBM" russell.warren@...



OCA PGB Monthly Call

When:
Thursday, December 2, 2021, 1:00pm to 2:00pm
(GMT-04:00) America/Halifax

Where:
+18445310958,,927997469
https://ibm.webex.com/meet/jason.keirstead
Join by phone
Access code: 927 997 469
United States of America Toll Free 1-844-531-0958
United States of America Toll +1-669-234-1178
United Kingdom Toll Free 0808-234-3612
Israel Toll Free 180-940-5356
Australia Toll Free 1-800-87-5043
International numbers: https://ibm.webex.com/cmp3200/webcomponents/widget/globalcallin/globalcallin.do?siteurl=ibm&serviceType=MC&ED=555779422&tollFree=1

Organizer: "Jason Keirstead/CanEast/IBM" Jason.Keirstead@...

Details:
Online meeting: https://ibm.webex.com/meet/jason.keirstead

Setting up OCA PGB calls for 2021



Agenda for tomorrow's call

Russell Warren
 

Dennis Moreau will describe his progress on extending the use case to include EDR, and possibly NDR. His first step has been to identify candidate actions, enabled by APIs for representative EDR and NDR technologies. He will also describe how EDR usage, moderated by OpenC2 style communication, might fit into typical EDR use cases/workflows.

I have started engaging the OpenC2 technical committee on the proposed EDR actuator and identifying where OCA will leverage the existing draft and where we need extensions.

Please respond with any questions and comments.
See y'all tomorrow

Thank you
Russ




OCA Project Governance

sfractal
 

PACE is now a new OCA project. It would help me to understand the governance models of the other existing OCA projects and if there are rules or guidance from the OCA PGB on the governance models of new projects. If we use the terms in https://www.redhat.com/en/blog/understanding-open-source-governance-models, what are the existing projects' governance models?
 - stix-shifter
 - ontology (btw didn’t we change the name from open-d ontology which is what the OCA website still says),
 - kestrel,
 - scapv2 (is this still an active project?)

If their governance models are known, are they also documented? If they aren’t known, shouldn’t we decide and document them?

Note there are pros and cons to the various models and combinations are allowed.

iPhone, iTypo, iApologize

Duncan Sparrell
sFractal Consulting, LLC
I welcome VSRE emails. Learn more at http://vsre.info/


Re: PACE Ballot - Closing Friday November 5th, 16:00 EST

Dee Schur
 

I look to the STIX-Shifter readme here, https://github.com/opencybersecurityalliance/stix-shifter#readme as a good example for our individual projects with a well organized overview, https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/OVERVIEW.md.

 

I understand that PACE will not be nearly as comprehensive but should we use the STIX Shifter as a template?

 

Chet and Claudia are discussing templates so maybe they can weigh in on this.

 

We do need some sort of a readme before the press release. My timing for the press release was to begin sharing the draft with OCA sponsors tomorrow; I am waiting on chairs' and contributors' approval. This process of collecting quotes will take a few weeks. Can we have the readme ready by then?

 

Thanks team!

Dee

 

 

Dee Schur
Senior Manager, Development & Advocacy
OASIS Open

+1-941-321-6733
dee.schur@...
www.oasis-open.org/

 

 

From: Jason Keirstead <Jason.Keirstead@...>
Sent: Tuesday, November 16, 2021 11:06 AM
To: oca-pgb@...
Cc: dee.schur@...; oca-pgb@...
Subject: RE: [oca-pgb] PACE Ballot - Closing Friday November 5th, 16:00 EST

 

We need a URL to be referenced in the press release, to send people to. So I would suggest we need to work with Dee on the timing.

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

 

Assistant - Mauricio Durán Cambronero (mauduran@...)

Book a meeting with me - https://calendly.com/jason-keirstead

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

 

 

----- Original message -----
From: "Claudia Rauch" <claudia.rauch@...>
Sent by: oca-pgb@...
To: oca-pgb@..., "Dee Schur" <dee.schur@...>
Cc:
Subject: [EXTERNAL] Re: [oca-pgb] PACE Ballot - Closing Friday November 5th, 16:00 EST
Date: Tue, Nov 16, 2021 12:03 PM
 
On Tue, Nov 16, 2021 at 4:50 PM Jason Keirstead <Jason.Keirstead@...> wrote:

The project already exists at https://github.com/opencybersecurityalliance/PACE/

OASIS is reaching out to sponsors for quotes for the press release now (see previous email)

 

We need to figure out what we want to do with the website, as a brand new one is being created. We need to decide if we want to simply add PACE there or also do the work on the existing site.

 

Happy to add a tile for PACE to the current website tomorrow. That'd be a quick fix until the new site is up and running. Not sure, though, if that should wait until the press release or not.

 

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

 

Assistant - Mauricio Durán Cambronero (mauduran@...)

Book a meeting with me - https://calendly.com/jason-keirstead

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

 

 

----- Original message -----
From: "sfractal" <duncan@...>
Sent by: oca-pgb@...
To: "oca-pgb@..." <oca-pgb@...>
Cc: "oca-pgb@..." <oca-pgb@...>
Subject: [EXTERNAL] Re: [oca-pgb] PACE Ballot - Closing Friday November 5th, 16:00 EST
Date: Tue, Nov 16, 2021 11:41 AM
 
So what happens next to set stuff up? Eg who adds pace to https://opencybersecurityalliance.org/ projects? How do communication and governance channels get set up? Etc.

 

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of Jason Keirstead via lists.oasis-open-projects.org <Jason.Keirstead=ca.ibm.com@...>
Date: Tuesday, November 16, 2021 at 10:38 AM
To: oca-pgb@... <oca-pgb@...>
Cc: oca-pgb@... <oca-pgb@...>
Subject: Re: [oca-pgb] PACE Ballot - Closing Friday November 5th, 16:00 EST

Hi Duncan - yes the ballot did pass (celebration!). PACE is now an official project.

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

 

Assistant - Mauricio Durán Cambronero (mauduran@...)

Book a meeting with me - https://calendly.com/jason-keirstead

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

 

 

----- Original message -----
From: "sfractal" <duncan@...>
Sent by: oca-pgb@...
To: "oca-pgb@..." <oca-pgb@...>
Cc:
Subject: [EXTERNAL] Re: [oca-pgb] PACE Ballot - Closing Friday November 5th, 16:00 EST
Date: Mon, Nov 15, 2021 2:36 PM
 
Now that it is past Nov 5th, did this pass? Assuming it did, what are next steps? Apologies if this is documented somewhere and I missed it. Below is the last email I could find, and I couldn’t find anything on the website.

 

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of Jason Keirstead via lists.oasis-open-projects.org <Jason.Keirstead=ca.ibm.com@...>
Date: Tuesday, November 2, 2021 at 2:51 PM
To: oca-pgb@... <oca-pgb@...>
Subject: [oca-pgb] PACE Ballot - Closing Friday November 5th, 16:00 EST

Hello PGB members;

 

I am pleased to inform that as of right now, the vote to onboard the PACE project that was submitted by CIS is passing. Thank you for your support in casting these votes.

 

We plan to close the ballot November 5th at 16:00 EST, and members have up until that time to cast any uncast votes, or, if you decide, to change your vote.

 

Thank you for your participation!

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management

Assistant - Mauricio Durán Cambronero (mauduran@...)
www.ibm.com/security

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

--

Claudia Rauch
Open Projects Program Manager
OASIS Open

Pronouns: She/Her
Timezone: GMT+2
Website: www.oasis-open.org

 

 
