CSA Mobile Application Security Testing (MAST) Initiative Revised Project Charter


14th March, 2018

Table of Contents

INITIATIVE EXECUTIVE OVERVIEW
PROJECT RESPONSIBILITIES
SCOPE
DELIVERABLES/ACTIVITIES
  Q2 2018
  Q3 2018
  Q4 2018
PROJECT MEMBERSHIP
  Sub-Work Groups
  Communications Methods
  Infrastructure & Resource Requirements
  Work Group Conference Calls and In-person Meetings
  Decision-making Procedures
OPERATIONS
  Advisory
  Research Lifecycle
  Peer Review

INITIATIVE EXECUTIVE OVERVIEW

Mobile applications are becoming an integral part not just of modern enterprises but also of human existence, and a huge part of this shift is due to the emergence of cloud computing. Cloud computing has allowed for the instantaneous utilization of applications, which imparts tremendous agility to the enterprise. Accompanying such convenience are risk management challenges due to a lack of transparency, leading to security concerns that include applications. [1]

CSA released the initial Mobile Application Security Testing (MAST) whitepaper in June 2016, which defines a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and best practices in the use of mobile applications.

Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security issues of mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially malicious functionalities, application collusions, obfuscations, excessive power consumption and traditional software vulnerabilities. Testing and vetting processes will also cover internal communications such as debug flags and activities, as well as external communications such as Global Positioning System (GPS), Bluetooth, Near Field Communication (NFC) and Global System for Mobile communication (GSM) accesses. Apart from mobile application security testing and vetting, a mobile application security incident response plan will also be developed.

The WG will aim to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that help integrate and introduce quality control and compliance to mobile application development and management. The WG hopes that more research into mobile application security vetting and testing will help reduce the risk and security threats that organizations and individuals expose themselves to by using mobile applications.

[1] https://downloads.cloudsecurityalliance.org/assets/research/mobile/mast_white_paper.pdf

PROJECT RESPONSIBILITIES

Specific fields of action of the WG could include:
- To develop a reference document that fits into the OCF framework / STAR Program and is independent from proprietary / implementation details;
- To develop a testing / vetting toolkit (i.e. approval-rejection basis) for mobile applications, including a framework of controls and testing mechanisms based on the high-level requirements included in the MAST white paper;
- To determine whether CSA can develop a certification scheme for mobile application security;
- To eventually develop a certification scheme for mobile application security to be included in the CSA STAR Program.

SCOPE

The app security testing and vetting process uses both static and dynamic analysis to analyse the application. The testing and vetting process covers:
- Permissions (could be segregated into mandatory and optional)
- Authentication and authorization
- Exposed communications
- Data protection (encryption in motion, at rest and in use, etc.)
- Potentially dangerous functionality
- Application collusion
- Code obfuscation
- Excessive power consumption
- Auditing and logging
- Input validation
- Password management
- Application configuration
- Access control mechanisms
- Traditional software vulnerabilities

In addition to security testing and vetting, the project will also develop processes and procedures for security incident response pertaining to a mobile breach.

DELIVERABLES/ACTIVITIES

Q2 2018
- Deliverable: Charter - peer-reviewed and final version of the Charter.
- Deliverable: Project Plan - with the estimated start date and finish date of the project deliverables.
- Deliverable: Mobile Application Vetting Whitepaper - develop a reference document that fits into the OCF Framework / STAR Program and is independent from proprietary / implementation detail. The reference document should detail controls (analogous to the CCM) and assertions (analogous to the CAIQ) that are transparent and non-proprietary, so that it can serve as the basis for the next step, which is to develop a certification program for inclusion in STAR. Mobile app developers can use this as a basis for self-assessment (as in OCF level 1), and toolkit developers and certification bodies can develop testing tools and certify mobile apps (as in OCF level 2).

Q3 2018
- Activity: Project Execution and Outreach.
- Activity: Project Execution - develop a testing / vetting toolkit (i.e. approval-rejection basis) for mobile applications, including a framework of controls and testing mechanisms based on the high-level requirements included in the MAST white paper.

Q4 2018
- Deliverable: Proposed Application Testing / Vetting Toolkit.

PROJECT MEMBERSHIP

The MAST WG is structured as follows:
- Two or more co-chairs (and their alternates)
- Working group members
- A representative of the CSA / subject matter expert
- A representative of the CSA / OCF Secretariat (to be introduced during the certification development phase)

Only CSA Corporate Members are eligible for the role of co-chair. If a corporate member is not available for nomination, or an individual with a unique skill-set is required, an exception can be filed for non-member nominees by contacting exec@cloudsecurityalliance.org.

The role of MAST co-chairs entails the following responsibilities:
- Define the work plan for each year (e.g., meetings and expected deliverables)
- Ensure progress of work according to the work plan
- Report to the CSA Executive Team on execution risks and suggest possible solutions
- Convene meetings when necessary and act as Chairperson of the MAST WG
- Lead the preparation of draft deliverables, or identify a suitable person within the MAST WG who will take the role of main editor/rapporteur of the deliverable
- Ensure that guidance provided in the current MAST WG charter is followed
- Ensure that relevant documents are circulated to MAST WG members

The role of CSA Subject Matter Expert(s) entails the following responsibilities:
- Can be either a CSA Staff member or an expert nominated by the CSA
- Provide subject matter expertise, in the form of contributions to deliverables and advice to the MAST WG co-chairs

The role of CSA Secretariat entails the following responsibilities:

- Will be a CSA Staff member
- Provide secretariat and project management support to the co-chairs (e.g. create the virtual shared workspace, manage the mailing list, collect input from members, assist in the preparation of the work plan, arrange for logistics of both virtual and physical meetings, support meeting minutes preparation, etc.)

The role of MAST WG Members entails the following responsibilities:
- Contribute to the definition of the work plan
- Contribute to the definition of the MAST deliverables

Sub-Work Groups

Ad hoc sub-work groups comprised of subject matter experts may be formed to plan or execute any related outreach, awareness or research opportunities. Such sub-working groups shall report directly to the main working group. The initiative may also choose to allow resource sharing between cloud communities and other CSA working groups to assist in the timely completion of projects, programs and other activities needed to support/enable the initiative's defined body of work.

Communications Methods

Infrastructure & Resource Requirements

The initiative will be composed of CSA volunteers; it will have a steering committee and co-chairs. The initiative will require typical project management, online workspace and technical writing assistance.

Work Group Conference Calls and In-person Meetings

The initiative will hold conference calls no less than bi-monthly. Attendance by the Principal or Alternate is required. The Alternate must have full authority to act on behalf of the Principal if the Principal is absent. In-person meetings will happen once a year in a location to be determined.

Decision-making Procedures

Definition of a majority
1. A majority shall consist of more than half of the members present and voting.
2. In computing a majority, members abstaining shall not be taken into account.
3. In case of a tie, a proposal or amendment shall be considered rejected.

4. For the purposes of this Charter, a member present and voting shall be a member voting for or against a proposal, including a proxy representative. A proxy, where authority is delegated through a written statement or non-repudiated email, should be declared and inspected for validity by the chair before voting starts.

Abstentions of more than fifty percent
1. When the number of abstentions exceeds half the number of votes cast (for, against, abstentions), consideration of the matter under discussion shall be postponed to a later meeting, at which time abstentions shall not be taken into account.

Voting procedures
1. The voting procedures are as follows:
   a. By a show of hands as a general rule, unless a secret ballot has been requested; if at least two members present and entitled to vote so request before the beginning of the vote and a secret ballot under b) has not been requested, or if the procedure under a) shows no clear majority;
   b. By a secret ballot, if at least five of the members present and entitled to vote so request before the beginning of the vote (online voting is applicable).
2. The Chair(s) shall, before commencing a vote, observe any request as to the manner in which the voting shall be conducted, and then shall formally announce the voting procedure to be applied and the issue to be submitted to the vote. The Chair(s) shall then declare the beginning of the vote and, when the vote has been taken, shall announce the results.
3. In the case of a secret ballot, the secretariat shall at once take steps to ensure the secrecy of the vote.

OPERATIONS

Advisory

The CSA Working Group will be advised by the CSA Subject Matter Expert (SME) Advisory Council, International Standardization Council (ISC), and CSA Executive Team to ensure that the research under this initiative is within the scope of the CSA and aligns with other industry partner research. The research will remain unique to industry and make reference to any redundant or replicated works.

Research Lifecycle

The CSA Working Group will follow the CSA research lifecycle for all projects and initiatives: https://downloads.cloudsecurityalliance.org/initiatives/general/csa_research_lifecycle_final.pdf

Peer Review

We will seek CSA's help in reaching out to peers for reviewing our charter and other documented activities of the initiative.