Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Mark Gisi
Hi Tak,
>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.
One can declare conformance with the guide. According to section 3.4.2: "3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation." Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) has been met, including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., a major customer). Although it is NOT a requirement to publish the evidence, they would be capable should they choose to do so.
>> if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials), they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January), which represents a best practice. The 18 month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.
Please let us know if you would like additional clarification.
best, Mark
Mark Gisi Empowering Engineers & Customers to Prosper using Open Source (510) 749-2016
From: Takashi NINJOUJI <takashi.ninjouji@...>
Hello Mark and Shane,
I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.
(2) In practice, if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Best Regards Tak
On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Christopher Wood
Hello,
Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?
Thanks
Chris
On Nov 2, 2021, at 5:16 PM, Takashi Ninjouji <takashi.ninjouji@...> wrote:
Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Takashi Ninjouji
Hello Mark and Shane,
I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something. My understandings are:
(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.
(2) In practice, if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Are all of the above OK?
Best Regards
Tak
On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
OpenChain Japan Work Group Meeting #21 – 2021-10-20
Full recording (Japanese) available here. Excellent on-boarding point for your Japanese team or suppliers:
https://www.openchainproject.org/news/2021/11/02/jp-wg-21
Regional Traction: 2,100 Eyes on Japanese FAQ
The OpenChain Project often highlights global news. However, it is important to remember that the majority of activity is truly distributed around the world, especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US work groups. Today we are taking a moment to shine a spotlight on a specific example in Japan.
The OpenChain Japan Work Group operates seven sub-groups, one of which is focused on providing answers to frequently asked questions, chaired by Ouchi San from Fujitsu. The FAQ document produced by the group has been downloaded over 2,100 times so far, demonstrating the extent of information dissemination in a specific geography. If you have a Japanese office (or you represent a Japanese company), please be aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All welcome.
Date and time: Monday, November 8, 15:00 to 17:30 JST
The Chatham House Rule applies (who said what may not be disclosed; information obtained may be used freely).
Online meeting (Zoom): the Zoom URL will be posted on the FAQ-SG Slack (this is separate from the Japan WG Slack).
Please contact the following mailing list:
https://lists.openchainproject.org/g/japan-sg-faq/messages
FW: [education] Event: Web based training finalization
Balakrishna Mukundaraj
Web based training finalization (organizer: Balakrishna)
Re: REMINDER OpenChain Bi-Weekly Webinar - 2021-11-02 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST
Our meeting begins in about ten minutes.
Please note: this is a webinar for people completely new to the OpenChain Project. It features a walkthrough of the website and so on.
On Nov 2, 2021, at 13:12, Shane Coughlan <scoughlan@...> wrote:
REMINDER OpenChain Bi-Weekly Webinar - 2021-11-02 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST
Our regular webinar starts in just under two hours.
Today we are going to record a “newbies” guide to the OpenChain website and resources. This is intended to help support companies that are just learning about us in countries like China, Japan and Korea.
Join Zoom Meeting: https://zoom.us/j/4377592799
Meeting ID: 437 759 2799
One tap mobile: +13017158592,,4377592799# US (Washington DC); +13126266799,,4377592799# US (Chicago)
Need to confirm your timezone?
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting: https://meetings.hubspot.com/scoughlan
Education Work Group Meeting 2021-10-29
We discussed the final steps necessary to turn this document into an online course. Balakrishna (our chair) has finalized details with the LF Training Team. They can release a version of the course for December 16th if we (a) close open comments on Chapters 1~5 and provide the final deliverable by end of November. Most of the work is done on Chapters 1~3, so our focus will be on filling out Chapters 4~5 in the short term, and then reverting to the early chapters for final review. Join the Education Work Group at this mailing list:
Case Study: Open Source Compliance Automation and Interoperability #4 - How TERN (a container scanner) works both with the graphical tool and when used on its own.
The OpenChain automation case study about using open source tools for open source compliance runs between September and December 2021. It is the largest case study ever undertaken in this space. The outcome of attending will include better knowledge of options for automation around open source compliance, a better understanding of interoperability in the space, and an awareness of how to engage with the field in a turn-key manner.
Part #4 explores how TERN (a container scanner) works both with the graphical tool and when used on its own. https://www.openchainproject.org/featured/2021/10/29/automation-case-study-4
CAICT Becomes OpenChain Partner, Launches Third Party Certification
One of the biggest announcements this year for the OpenChain Project: CAICT - a research institute under the Chinese Ministry of Industry and Information Technology - has become a partner and will offer third party certification support for OpenChain ISO/IEC 5230 in the Chinese market.
Re: Update on web-based training and Open Chain ref-Playbook
Balakrishna Mukundaraj
Hello All,
We have an education board update call in 15 mins. Interested participants please join.
Best regards
Mukundaraj Balakrishna
Information co-ordination (RBEI/ECA5)
Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY | www.bosch.com
Tel. +91 80 6657-5938 | Mobile +91-96207-91838 | Fax +91 80 6617-0711 | Balakrishna.Mukundraj@...
-----Original Appointment-----
From: education@... Group <education@...>
Sent: Tuesday, October 26, 2021 10:38 AM
To: education@... Group
Subject: Update on web-based training and Open Chain ref-Playbook
When: Friday, October 29, 2021 11:00 AM-12:00 PM (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi.
Where: Zoom call
Hello all,
We would like to give you an update on the status of our pending web-based training. And with this call we would like to kick off the reference playbook mentioned during our previous calls.
Please join us: https://zoom.us/j/4377592799
REMINDER: Automation Case Study: TERN and Containers today (27th) at 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST
A reminder that we go live in one hour. The event will be recorded but attending the live session is recommended.
On Oct 27, 2021, at 12:21, Shane Coughlan <scoughlan@...> wrote:
Automation Case Study: TERN and Containers today (27th) at 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST
OpenChain Automation Case Study: TERN and Containers today (27th) at 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST.
This is part of our ongoing global case study regarding automation ease-of-use and effectiveness, demonstrated via a new global GUI and deep-dives on specific tools used. No registration required.
Re: [education] Community call to action: website review
Great stuff! 👍
Thank you 😊
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting: https://meetings.hubspot.com/scoughlan
On Oct 27, 2021, at 2:14, Trent Allgood <trentallgood@...> wrote:
Re: [education] Community call to action: website review
Trent Allgood
Only positive feedback from me. I had a hard time finding the standard and some of the resources in the old website; now it's easy to find. Great work!
On Mon, Oct 25, 2021 at 10:25 PM Balakrishna Mukundraj via lists.openchainproject.org <balakrishna.mukundraj=in.bosch.com@...> wrote:
OpenChain Global Work Group Meeting 2021-10-25
We talk Security Assurance Reference Guide. Updated version coming soon? Looks like it. Learn more:
https://www.openchainproject.org/news/2021/10/25/global-wg-2021-10-25
Re: [education] Community call to action: website review
Balakrishna Mukundaraj
The update looks cool 😊
Best regards
From: education@... <education@...> On Behalf Of Shane Coughlan via lists.openchainproject.org
Hey everyone
The website has been updated to improve discoverability. However, is it easier for *you* to discover what you need? Feedback super welcome:
Regards
Shane
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:
Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.
Regards
Shane
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting: https://meetings.hubspot.com/scoughlan
Community call to action: website review
Hey everyone
The website has been updated to improve discoverability. However, is it easier for *you* to discover what you need? Feedback super welcome:
Regards
Shane
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting: https://meetings.hubspot.com/scoughlan