Minutes PRIA Security Workgroup Face-to-Face Meeting July 24, 2008 9:45 – 11:00 MST Phoenix, AZ Attendees: Nancy Sotomayor Ted Adams Mark Ladd Jack Arrowsmith Karen Snow Kate Teal Karen Anderson-Kinsey Erik Blomquist Leesa McCrary Bill Mori Marcey Toepel This session began with a recap of the July 22nd session when the Threats & Vulnerabilities matrix was presented and discussed. After assessing the comments and questions that arose during the July 22nd session, the workgroup suggested that rather than including the matrix in the whitepaper as a definitive exercise, it would serve better as an educational and self-assessment tool. The next step the workgroup anticipates will be to define mitigation strategies for those areas deemed as high risk – potentially offering a variety of solutions from very simple to more complex. An example would be: Collecting/Rogue Submitter/Poor Authentication – Use of SOAP, firewalls, trusted business partner agreements, digital certificates It was suggested that rather than getting too granular in detail, the document should instead provide a list of resources that can be accessed to guide a detailed self-assessment. Discussion ensued regarding ranking risk based on the cost of mitigation vs. the cost of the impact itself. While this is difficult to quantify for each specific situation some broad assumptions could be made that would still be helpful. Scope of the document needs to be defined better. Focus should be on eRecording transactions rather than broader security issues. Physical security recommendations relate to securing the eRecording process rather than courthouse security per se. The workgroup briefly reviewed the existing whitepaper draft. It was suggested that the document be reorganized to reduce the repetitiveness that appears currently. Define categories of risk that span the entire process and that general mitigation strategies can be developed for. Document format needs to be more informational. Discussion followed regarding scheduling of conference calls. Calls will be scheduled for the 2nd & 4th Tuesdays of each month at 1:00 Eastern. August calls were set for the 12th & 26th. Concern was expressed that the fall-off in attendance between Tuesday’s session and this session may be due to the current documents being too difficult for many to understand. Re-organize and re-format the whitepaper, then send to all attendees, requesting feedback – prior to the August 12th call. Meeting adjourned.