Three months after launching a cross-industry group to develop standards for integrating physical and information technology
(IT) security, Computer Associates International is handing off management of that group to the Industry Standards and Technology
Organization (ISTO).
The ISTO, which was spun off of the Institute for Electrical and Electronics Engineers Inc. (IEEE) in 1999, will assume administrative
control of the Open Security Exchange (OSE), providing staff and resources to manage the finances and logistics of the group,
according to Greg Kohn, director of industry programs at ISTO.
IEEE-ISTO management will make the OSE more open and public and advance the development of integrated security management
standards, according to CA Senior Vice President Ron Moritz.
IEEE-ISTO handles day-to-day operations so that group members can focus on developing both the specifications and support
for their standards in the community, Kohn said.
Computer Associates will retain its current chairmanship of the organization under CA director of security product management
Piers McMahon, Moritz said.
CA unveiled the OSE at the RSA Conference in April. The organization brought leading companies in the physical security industry
together with CA to develop security management standards and best practices.
In addition to CA, OSE members include HID, a maker of access control cards and readers, smart card provider Gemplus International,
fire and security alarm giant Tyco International and private investigation firm Pinkerton Consulting & Investigations, part
of Securitas.
But CA faced criticism over the makeup of the OSE.
Detractors complained that the absence of any other software companies in the group made the OSE little more than a CA partnership
program rather than an independent industry standards group.
Speaking on Wednesday, Moritz acknowledged those criticisms.
"By moving (OSE) under the IEEE we're getting an acknowledgement that OSE is more broad than OPSEC (Open Platform for Security
partner program) from Check Point -- that it's a broad market initiative and not just a CA thing," he said.
Under IEEE-ISTO guidance, software companies with an interest in participating can join the OSE effort, as well as hardware
and physical control companies and enterprises with an interest in investing in the technology produced from OSE standards,
Moritz said.
IEEE-ISTO will help attract new members by being a central reference point for questions about the group and by helping with
outreach, Kohn said.
As part of its administrative duties, IEEE-ISTO will manage computer listservs used by OSE participants and handle billing
for OSE members, Kohn said.
CA and OSE members scouted out various standards organizations before deciding to hand over control of the OSE to the IEEE-ISTO,
Moritz said.
The Organization for Advancement of Structured Information Standards (OASIS) and World Wide Web Consortium (W3C) were both
considered, he said.
IEEE-ISTO emerged as the best fit, Moritz said.
The group's unique mission and legal status makes the IEEE-ISTO attractive to corporations that want to work on developing
industry standards, according to Kohn.
Unlike OASIS or the W3C, IEEE-ISTO takes a more hands-off approach to managing its standards groups, allowing them to set
their own membership rules, organizational structure and time table for delivering specifications. Other organizations are
more likely to impose their own structure on member groups, he said.
"The ISTO offers you freedom within the architecture of the organization. Once in the ISTO, they (OSE members) set the rules
for their program and the ISTO helps manage those rules," he said.
Affiliation with the IEEE will also give the OSE and its final standards an air of respectability they wouldn't have as a
purely vendor-managed project, according to Mike Rasmussen, director of research and information security at Forrester Research.
"In my mind when a vendor develops something they call a standard but it's more of a marketing ploy and positioning, it doesn't
get the same acceptance as a real standard that's open and provides people a way to contribute to it," he said.
The IEEE's reputation as a vendor-independent organization and the birthplace of other successful industry standards will
lend credence to the OSE in the user community, he said.
Legal issues were another incentive to move OSE under IEEE-ISTO's umbrella, Moritz said.
With OSE members accounting for a $4 billion piece of the security industry, CA also found itself confronted with a large
amount of legal work to resolve antitrust questions stemming from OSE, he said.
Such concerns are not uncommon from groups that decide to come under the IEEE-ISTO umbrella, Kohn said.
The IEEE-ISTO issues guidelines to the standards groups it manages that address the antitrust question and spell out what
kinds of discussions are and aren't permitted under IEEE-ISTO's auspices, he said.
IEEE-ISTO already manages nine other industry groups including the Liberty Alliance Project, the Nexus 5001 Forum, and the
Printer Working Group, Kohn said.
IEEE-ISTO representatives will be in the OSE booth at next week's CA World show in Las Vegas.
While it no longer manages the OSE, CA is still bullish about the group's mission, according to Moritz.
There hasn't been any slowdown in the OSE's activities, and CA will do a "test drive" of its eTrust 20/20 product with one
OSE partner at CA World and talk about other examples of how corporations can benefit from the convergence of physical and
IT security, he said.
Going forward, CA and other OSE members must persuade large corporations to get on board with OSE, Rasmussen said.
"You need to get large banks or somebody on board who says 'We support (OSE). Here is our vision, and here's what we're going
to do with it," he said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
