Cloud Security Alliance
International Standardization Council
Policies & Procedures (P&P)
June 23, 2015
Approved: 6 July 2015
The permanent and official location for Cloud Security Alliance International Standardization Council is
© 2016 Cloud Security Alliance – All Rights Reserved.
You may download, store, display on your computer, view, print, and link to International Standardization Council Policies & Procedures Security at subject to the following: (a) the Report may be used solely for your personal, informational, non-commercial use; (b) the Report may not be modified or altered in any way; (c) the Report may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Report as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to International Standardization Council Policies & Procedures.

1 Introduction

In today’s technological environment, standards play a critical role in product development and market competitiveness. Every input, behavior, and action has both a contributory and a potential legal consequence. These procedures help protect the International Standardization Council (ISC or Council) participants and the CSA by establishing the necessary framework for a sound process.

2 International Standardization Council (ISC)

Per the ISC Charter (henceforth the Charter), the ISC has been designated as the CSA entity responsible for coordinating all aspects of standardization efforts within CSA. The Charter also describes the general responsibilities of the ISC. This document is intended to supplement the Charter with additional details as well as to document the ISC policies and procedures.

2.1 Scope of ISC Standards Activities

Formal and de facto standards are developed by an assortment of organizations. However, the Council is concerned primarily with the following international Standards Developing Organizations (SDOs):

  • International Organization for Standardization (ISO)
  • International Electrotechnical Commission (IEC)
  • International Telecommunication Union (ITU)

The Council will establish and maintain formal relationships with these organizations such that it can contribute to and/or influence specific standards within these organizations. Specific Liaison Officers are appointed to these SDOs (typically committees working on cloud and security topics). Examples are:

  • Sub-committees of the joint ISO and IEC technical committee ISO/IEC JTC 1 (Information technology), such as
      • SC 27 – IT Security;
      • SC 38 – Cloud computing and distributed platforms.
  • Study groups in ITU-T, such as
      • SG 13 – Future networks including cloud computing, mobile and next-generation networks;
      • SG 17 – Security.

Other Standards Setting Organizations (SSO) and Industry Associations (IA), as well as government-oriented bodies, may develop cloud-oriented specifications and documents. The Council will exploit existing relationships between the CSA and these organizations when possible, but it may be necessary for the Council to establish a relationship between the CSA and an SSO or IA.

2.2 ISC Membership

The ISC Charter outlines the eligibility requirements for the Council as well as the types of ISC memberships (i.e., voting and advisory). In addition, the Charter also briefly mentions membership representation (i.e., primary and alternate). It is important to note that membership is by organization rather than individual, with exceptions as noted.

2.2.1 Voting Membership

Voting membership is a category of membership reserved for those CSA Corporate member organizations that desire more direct involvement in CSA standardization activities and are prepared to commit resources to these activities.

With these commitments come the following privileges:

  • Eligible to nominate a representative for Council Officer election
  • Participation in ISC elections for Council Officers
  • Eligible to vote on ISC matters (e.g., letter ballots, P&P changes, etc.)
  • Eligible to nominate a representative as an SDO liaison officer or for SDO leadership roles such as an ISO WG Convenor (see 2.3.6)
  • All the privileges conferred upon advisory members

To achieve voting membership, an organization must:

  • Be a CSA Corporate member
  • Appoint a representative to the ISC who has knowledge and/or experience in cloud computing as well as relevant security and privacy techniques and methodologies, and who has experience in SDOs or similar organizations.
  • Petition the Standards Secretariat with a request for voting membership
  • Undergo confirmation (majority vote) by the Council's voting members

To maintain voting membership, organizations must actively participate in the Council's activities (elections, meetings, letter ballots, etc.). Failure to do so can result in the Standards Secretariat bringing the matter before the Council and the Council taking action to change (e.g., advisory) or terminate ISC membership.

2.2.2 Advisory Membership

This category of membership is for organizations that have a casual interest in standardization, are unable to commit the resources necessary to achieve/maintain voting membership, and/or do not have an appropriate representative for voting membership. This level of membership affords the following privileges:

  • Eligible to nominate a representative for defined roles in an SDO, such as editors or rapporteurs (see 2.3.6)
  • Eligible to submit comments and contributions for SDO projects
  • Eligible to have representatives serve as ISC Project Leader (see 2.3.5)
  • Eligible to have representatives serve as ISC point-of-contact to other CSA entities (group, boards, committees, etc.)
  • Eligible to attend SDO meetings as members of the CSA delegation

To achieve advisory membership, an organization must:

  • Appoint a representative to the ISC
  • Petition the Standards Secretariat with a request for advisory membership
  • Undergo confirmation (majority vote) by the Council's voting members

To maintain advisory membership, the organization needs to actively participate in the Council's activities. Failure to do so can result in the Standards Secretariat bringing the matter before the Council and the Council taking action to terminate ISC membership.

2.2.3 Appointed Members

As noted in the ISC Charter, ISC membership may also include "any at-large CSA members proposed by Council voting membership (with appropriate approval) or appointed by the Standards Secretariat." Notwithstanding the rules defined above, the appointment may be for individuals or organizations. These members can be either voting or advisory, but typically advisory, and they may be temporary or permanent members. At the time of appointment, the specific terms and conditions should be fully documented.

2.2.4 Member Representatives

To join the ISC, an organization is required to identify its primary representative and, optionally, it may identify one or more alternate representatives. These representatives and their contact details are recorded in the Council Roster, which is maintained by the Standards Secretariat. Failure to maintain at least one representative to the ISC can result in the organization's loss of membership in the Council.

It is important to note that alternate representatives can act on behalf of the organization, but they cannot override the decisions of the primary representative; the primary representative can override the alternate representatives.

2.3 ISC Roles & Responsibilities

2.3.1 Council Officers

The governance and oversight of the Council is the responsibility of the Council Officers. The preferred scenario is to have Co-Chairs, which facilitates continuity and minimizes single points of failure. The responsibilities of the Council Officers include, but are not limited to:

  1. Approve CSA nominations for SDO leadership positions (e.g., Convenors, Editors, etc.)
  2. Appoint and monitor CSA Liaison Officers to the SDOs (see 2.3.3)
  3. Appoint and monitor ISC Project Leaders (see 2.3.5)
  4. Designate (and remove) CSA experts authorized to operate within SDO organizations (see 2.3.7)
  5. Review and approve/disapprove comments and contributions destined for SDOs (see 3.2)
  6. Submit approved Council materials for SDOs to the Standards Secretariat for processing
  7. Prepare and approve liaison statements destined for the SDOs (see 3.1)
  8. Prepare and approve the delegation lists for SDO meetings
  9. Review and process incoming materials from the SDOs
  10. Lead the ISC activities according to all of the relevant Policies and Procedures
  11. Delegate necessary functions (e.g., liaisons, setting up meetings, taking minutes, etc.)
  12. Ensure that all parties have the opportunity to express their views
  13. Set goals and deadlines and adhere to them
  14. Seek consensus as a means of resolving issues
  15. Prioritize work to best serve the Council and its goals
  16. Participate as needed in CSA meetings to represent the Council

Council Officers are expected to be objective and not bias discussions, but this shall not prevent them from contributing as a voting member.

The normal term of office for Council Officers is a period of two years. For Co-Chairs, their terms of office should be offset (i.e., staggered such that only one is elected at any given time). If a replacement Council Officer is elected or appointed, s/he shall serve out the original term of office. There are no limits on the number of terms a Council Officer may serve.

The election of Council Officers shall be conducted as follows:

  1. An unbiased election officer (CSA employee) shall be selected to oversee the process
  2. A call for nominations shall be sent out to all of the representatives of the voting members. This call shall outline the position requirements (e.g., the organization's indication of support, qualifications, etc.), the duties involved, and the due date (at least 30 days) by which nominations must be received.
  3. The election officer shall notify the voting members of the nominated candidates and explain the voting process (each balloter may cast one approval vote for each of any number of nominees; the nominee with the greatest number of approval votes shall win the election, provided ballots are returned by a majority of the eligible voters for that election)
  4. The vote shall be conducted by letter ballot or electronic ballot and the voting period shall not be less than 14 calendar days.
  5. The election officer shall announce the results of the election. If a majority of votes has not been received, the ballot can be extended, or a new ballot will take place, at the discretion of the election officer. Any tie votes will be broken by a runoff ballot, where eligible voters may cast only one vote in the election.

Unless the election is for a replacement officer, the election process should be executed such that it concludes before the current term of office expires.

2.3.2 Removal of Officers

A Council Officer may be removed by approval of a majority of the ISC voting members. Removal of the Council Officer requires affirmation by the Standards Secretariat. Grounds for removal shall be included in any motion to remove an officer. The officer suggested for removal shall be given an opportunity to make a rebuttal prior to the vote on the motion for removal.

In addition, a Council Officer may become ineligible to serve if the voting status of the officer's organization changes (voting changed to advisory), if the officer's organization changes or discontinues its membership in CSA, or if a voting membership appointment by the Council or the Secretariat is downgraded to advisory, expires, or is terminated.

2.3.3 Liaison Officers to SDOs

A liaison officer is a person who liaises between two organizations to communicate and coordinate their activities by serving as an official go-between for both organizations. The appointment of an ISC liaison officer to any external organization (henceforth referred to as “the liaison organization”) requires the approval of the Council Officers. The appointment will only be made official after the resolution is accepted by the Standards Secretariat. Unless specified otherwise, liaison officers continue to serve in their appointed role until they resign, are replaced, or the relationship with the liaison organization is terminated.

Key Responsibilities:

  • The liaison officer shall act under the authority of the Council to coordinate and represent the CSA interests within appropriate standards activities.
  • The liaison officer shall facilitate communication between CSA and the liaison organization. In so doing, the liaison officer shall provide advice to the liaison organization on CSA’s purposes, principles and projects. Thus, the liaison officer is expected to have up-to-date knowledge of CSA and CSA research projects, including project leadership and the stages of these projects.
  • The liaison officer is also expected to be active in the liaison organization and attend electronic and face-to-face meetings of the liaison organization.
  • The liaison officer is responsible for a coherent CSA response on relevant programs and projects (especially cloud security standardization efforts) in the liaison organization.
  • The liaison officer will support strategic partnerships by providing quality advice, facilitating knowledge management and providing technical assistance to project planning, coordination, monitoring and reporting in any collaboration.

Delegated Authority:

  • The liaison officer shall act under the authority of the Council Officers.
  • By accepting the role of liaison officer with ISC, the incumbent agrees to abide by CSA policies, processes and procedures, especially with regard to Intellectual Property Rights (“IPR”), and is expected to act in a professional and ethical manner in CSA’s interest (see CSA IPR policy).
  • Under no circumstances is a liaison officer permitted to transfer any CSA Intellectual Property (“IP”) or to sign any licensing agreement or agreement in general. The liaison officer is also not authorized to make any kind of commitment for collaboration unless directed by the Council Officers, pending approval of authority from the Standards Secretariat.
  • The liaison officer, however, is delegated with the authority to provide regular updates to the liaison organization regarding CSA’s purposes, principles and projects including CSA’s strategy, individual project status for projects of concern to the liaison organization, as well as any new CSA initiatives and projects in the form of a liaison statement that has been issued through the Standards Secretariat with the approval of the Council Officers.
  • In addition, the liaison officer is authorized to represent CSA in any formal meetings of the liaison organization with the main objective of providing a clear and coherent CSA message to the liaison organization. The liaison officer is the official spokesperson for the CSA and the only authorized CSA representative in such meetings[1]; any other CSA volunteers who are attending the same meeting shall be recognized as members of the CSA delegation, but may not state official views from CSA without prior coordination with the liaison officer.

2.3.4 ISC to SME Council

The activities of the Council can have a profound impact on the activities within the CSA. As such, the Council should maintain a close working relationship with the Subject Matter Expert (SME) Council[2]. To accomplish this, an active member of the Council shall be appointed as the primary point of contact (liaison) to the SME Council.

The ISC liaison to the SME Council is an important role that requires the person to be aware of both the SDO activities as well as major endeavors within the CSA. This person serves as the conduit for making specific SDO materials available to the SME Council and Work Groups (SDO materials are not generally distributed to the CSA membership because of IP issues). This person is also a key player in identifying CSA activities that might be relevant to SDO activities (e.g., described in liaison reports to the SDO).

2.3.5 SDO Project Leads

Some SDO activities are of particular interest to the CSA and require a sustained level of effort (e.g., cloud standards). For these SDO activities, the Council will assign a project lead to oversee and coordinate the CSA's efforts associated with these SDO activities.

Each SDO Project Lead will perform tasks, including but not limited to:

  • Manage the development of CSA comments/contributions
  • Coordinate materials with the appropriate CSA elements (SME Council, WGs, etc.)
  • Ensure the comments/contributions are in the appropriate format/templates
  • Submit the final drafts for Council and Co-Chair reviews and approval

2.3.6 SDO Leadership

CSA ISC representatives that serve in SDO roles (e.g., Convenors, Editors, etc.) are required to remain neutral and they are under no pressure to communicate, support, or pursue a CSA agenda or position that comes before them in their SDO role. In addition, these positions may have access to SDO privileged information and are under no pressure or obligation to divulge this information.

2.3.7 CSA Experts

As described in 2.3.1, CSA experts to certain SDOs (e.g., WGs in ISO/IEC JTC 1 subcommittees) are designated by the Council Officers.

ISO working groups consist of experts (rather than National Bodies or liaison organizations) that are identified and approved by their parent organizations. While these experts are able to submit comments and contributions directly against working drafts, study periods, etc., CSA experts shall refrain from submitting comments that have not been coordinated with the ISC or that contradict existing CSA positions. Also note that approved CSA experts must have a CSA email address, which is what will be registered with the ISO Livelink portal.

2.4 Meetings

ISC meetings shall be held, as decided by the Council Officers, or by petition of 3 or more voting members, to conduct business. Meetings are called by the Council Officers, or the Standards Secretariat, if circumstances dictate. Unless meetings are scheduled on a recurring basis, a 14-calendar-day meeting notice and a 7-day agenda shall be distributed to all voting and advisory member representatives. Notification of the potential for action/voting shall be included on any distributed agendas for meetings.

ISC meetings are typically chaired by a Council Officer. However, circumstances may prevent their participation, so it is permissible to have the Standards Secretariat or another person chair the meeting.

CSA ISC meetings are open to ISC representatives, CSA personnel, liaisons from other CSA entities (e.g., SME Council, WGs, etc.), and invited guests who have a material interest and wish to attend.

2.4.1 Quorum

When the ISC voting members intend to take an action at a meeting that requires a vote, a quorum must be identified before the initiation of business at the meeting. If a quorum is not present, actions may be taken subject to confirmation by letter or electronic ballot, as detailed in 2.5.3. A quorum shall be defined as a majority of the current total voting membership. Voting members who abstain shall not be counted in the equation to determine whether a quorum exists.