Computer Associates to hand off Open Security Exchange to IEEE

Unlike OASIS or the W3C, IEEE-ISTO takes a more hands-off approach to managing its standards groups, allowing them to set their own membership rules, organizational structure and time table for delivering specifications. Other organizations are more likely to impose their own structure on member groups, he said.

"The ISTO offers you freedom within the architecture of the organization. Once in the ISTO, they (OSE members) set the rules for their program and the ISTO helps manage those rules," he said.

Affiliation with the IEEE will also give the OSE and its final standards an air of respectability they wouldn't have as a purely vendor-managed project, according to Mike Rasmussen, director of research and information security at Forrester Research.

"In my mind when a vendor develops something they call a standard but it's more of a marketing ploy and positioning, it doesn't get the same acceptance as a real standard that's open and provides people a way to contribute to it," he said.

The IEEE's reputation as a vendor-independent organization and the birthplace of other successful industry standards will lend credence to the OSE in the user community, he said.

Legal issues were another incentive to move OSE under IEEE-ISTO's umbrella, Moritz said.

With OSE members accounting for a $4 billion piece of the security industry, CA also found itself confronted with a large amount of legal work to resolve antitrust questions stemming from OSE, he said.

Such concerns are not uncommon from groups that decide to come under the IEEE-ISTO umbrella, Kohn said.

The IEEE-ISTO issues guidelines to the standards groups it manages that address the antitrust question and spell out what kinds of discussions are and aren't permitted under IEEE-ISTO's auspices, he said.

IEEE-ISTO already manages nine other industry groups including the Liberty Alliance Project, the Nexus 5001 Forum, and the Printer Working Group, Kohn said.

IEEE-ISTO representatives will be in the OSE booth at next week's CA World show in Las Vegas.

While it no longer manages the OSE, CA is still bullish about the group's mission, according to Moritz.

There hasn't been any slowdown in the OSE's activities, and CA will do a "test drive" of its eTrust 20/20 product with one OSE partner at CA World and talk about other examples of how corporations can benefit from the convergence of physical and IT security, he said.

Going forward, CA and other OSE members must persuade large corporations to get on board with OSE, Rasmussen said.

"You need to get large banks or somebody on board who says 'We support (OSE). Here is our vision, and here's what we're going to do with it," he said.