Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Sent: November 3, 2021 15:32
To: Takashi NINJOUJI <takashi.ninjouji@...>; Shane Coughlan <scoughlan@...>
CC: main@... <main@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Hi Tak,
>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.
One can declare conformance with the guide. According to section 3.4.2:
- 3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation.
Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) has been met, including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., a major customer). Although it is NOT a requirement to publish the evidence, they would be capable should they choose to do so.
>> if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials), they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January), which represents a best practice. The 18-month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.
Please let us know if you would like additional clarification.
best,
Mark
Mark Gisi
Director, Open Source Program Office
Empowering Engineers & Customers to Prosper using Open Source
(510) 749-2016
Sent: Tuesday, November 2, 2021 3:16 PM
To: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Cc: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Hello Mark and Shane,
I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
My understandings are:
(1)
This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.
(2)
In practice, if a program that is already OpenChain conformant newly becomes conformant to this guide, it may be possible to renew conformance to this guide in conjunction with the subsequent OpenChain conformance renewal.
Are all of the above OK?
Best Regards
Tak
On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:
Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.
Regards
Shane
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting: