Security Working Group Charter

This document outlines the mission, scope, and objectives of the Common Cloud Controls (CCC) Security WG.

Table of Contents

  1. Mission
  2. Approach & Responsibilities
  3. Out of Scope
  4. Governance

Mission

This WG defines how a threat-informed control catalog can be used to assess the security of the common cloud services defined by the CCC services taxonomy working group.

The mission of the Security WG is to develop, maintain, and enhance a comprehensive threat-informed security control catalog specifically tailored to the CCC cloud services taxonomy. As part of the mission, the working group will explore how existing catalogs, knowledge bases and assessment frameworks can be leveraged to assess the security posture of CCC-relevant cloud services and ensure alignment with industry standards and best practices.

Approach & Responsibilities

This group will:

  • Collaborate with the [Duplication Reduction WG] to evaluate existing security controls catalogs, threat knowledge bases, risk-based assessments, assessment formats, and testing procedures
  • Define and maintain effective measures to mitigate identified threats relative to the CCC services taxonomy
  • Collaborate with industry experts, security researchers, and cloud service providers to ensure the accuracy and relevance of the project approaches and outputs
  • Regularly update and expand the catalogs, assessment methodologies, and the evaluation of existing control catalogs to reflect evolving threats, emerging technologies, and best practices in cloud security
  • Collaborate with the Delivery WG to determine an appropriate release process and cadence
  • Review and incorporate relevant feedback gathered by the Communications WG from the community and end users

Output / Deliverables

The following artifacts will be created and stored in the project GitHub repo:

  • Catalog of security threats for each cloud service type
  • Catalog of security controls for each cloud service type

Out of Scope

The following activities will not be performed by this group:

  • Technical work that does not pertain to the development of its deliverables
  • Public-facing communications outside of the project repository

Governance

This WG will remain compliant with all applicable community policies. Under the guidance of the WG Lead, this group will seek to implement [guidelines] set forth by the [Community Structure WG].

Membership

The membership structure of this working group:

  • WG Lead: Michael Anthony Lysaght
  • SC Sponsor: Jonathan Meadows

Sub-Groups

This group is authorized to create independent sub-groups.

This may be done by modifying this document to include a link to the relevant sub-group charter. Such modifications require PR approval from the WG Lead and one SC member.

The following WGs have been chartered by and are accountable to this group:

  • None

Meeting & Communications

  • This working group will use the mail group ccc-security@lists.finos.org for regular communications.
  • This group will host an informal WG meeting no less than once every three (3) weeks, excluding November and December.
  • The WG Lead or their delegate must present verbal or written updates to the SC at its regular public meetings.

Changes

Any functional changes to this charter must be approved through a majority vote by the SC. Minor changes such as formatting may be merged upon approval from any SC member.