Three months after launching a cross-industry group to develop standards for integrating physical and information technology (IT) security, Computer Associates International is handing off management of that group to the Industry Standards and Technology Organization (ISTO).
The ISTO, which was spun off of the Institute for Electrical and Electronics Engineers Inc. (IEEE) in 1999, will assume administrative control of the Open Security Exchange (OSE), providing staff and resources to manage the finances and logistics of the group, according to Greg Kohn, director of industry programs at ISTO.
IEEE-ISTO management will make the OSE more open and public and advance the development of integrated security management standards, according to CA Senior Vice President Ron Moritz.
IEEE-ISTO handles day to day operations so that group members can focus on developing both the specifications and support for their standards in the community, Kohn said.
Computer Associates will retain its current chairmanship of the organization under CA director of security product management Piers McMahon, Moritz said.
CA unveiled the OSE at the RSA Conference in April. The organization brought leading companies in the physical security industry together with CA to develop security management standards and best practices. [See "Computer Associates works on security standards," April 14.]
In addition to CA, OSE members include HID Corp., a maker of access control cards and readers, smart card provider Gemplus International SA, fire and security alarm giant Tyco International Ltd. and private investigation firm Pinkerton Consulting & Investigations, part of Securitas AB.
But CA faced criticism over the makeup of the OSE.
Detractors complained that the absence of any other software companies in the group made the OSE little more than a CA partnership program rather than an independent industry standards group.
Speaking on Wednesday, Moritz acknowledged those criticisms.
"By moving (OSE) under the IEEE we're getting an acknowledgement that OSE is more broad than OPSEC (Open Platform for Security partner program) from Check Point -- that it's a broad market initiative and not just a CA thing," he said.
Under IEEE-ISTO guidance, software companies with an interest in participating can join the OSE effort, as well as hardware and physical control companies and enterprises with an interest in investing in the technology produced from OSE standards, Moritz said.
IEEE-ISTO will help attract new members by being a central reference point for questions about the group and by helping with outreach, Kohn said.
As part of its administrative duties, IEEE-ISTO will manage computer listservs used by OSE participants and handle billing for OSE members, Kohn said.
CA and OSE members scouted out various standards organizations before deciding to hand over control of the OSE to the IEEE-ISTO, Moritz said.
The Organization for Advancement of Structured Information Standards (OASIS) and World Wide Web Consortium (W3C) were both considered, he said.
IEEE-ISTO emerged as the best fit, Moritz said.
The group's unique mission and legal status makes the IEEE-ISTO attractive to corporations that want to work on developing industry standards, according to Kohn.
Unlike OASIS or the W3C, IEEE-ISTO takes a more hands-off approach to managing its standards groups, allowing them to set their own membership rules, organizational structure and time table for delivering specifications. Other organizations are more likely to impose their own structure on member groups, he said.
"The ISTO offers you freedom within the architecture of the organization. Once in the ISTO, they (OSE members) set the rules for their program and the ISTO helps manage those rules," he said.
Affiliation with the IEEE will also give the OSE and its final standards an air of respectability they wouldn't have as a purely vendor-managed project, according to Mike Rasmussen, director of research and information security at Forrester Research Inc.
"In my mind when a vendor develops something they call a standard but it's more of a marketing ploy and positioning, it doesn't get the same acceptance as a real standard that's open and provides people a way to contribute to it," he said.
The IEEE's reputation as a vendor-independent organization and the birthplace of other successful industry standards will lend credence to the OSE in the user community, he said.
Legal issues were another incentive to move OSE under IEEE-ISTO's umbrella, Moritz said.
With OSE members accounting for a US$4 billion piece of the security industry, CA also found itself confronted with a large amount of legal work to resolve antitrust questions stemming from OSE, he said.
Such concerns are not uncommon from groups that decide to come under the IEEE-ISTO umbrella, Kohn said.
The IEEE-ISTO issues guidelines to the standards groups it manages that address the antitrust question and spell out what kinds of discussions are and aren't permitted under IEEE-ISTO's auspices, he said.
IEEE-ISTO already manages nine other industry groups including the Liberty Alliance Project, the Nexus 5001 Forum, and the Printer Working Group, Kohn said.
IEEE-ISTO representatives will be in the OSE booth at next week's CA World show in Las Vegas.
While it no longer manages the OSE, CA is still bullish about the group's mission, according to Moritz.
There hasn't been any slowdown in the OSE's activities, and CA will do a "test drive" of its eTrust 20/20 product with one OSE partner at CA World and talk about other examples of how corporations can benefit from the convergence of physical and IT security, he said.
Going forward, CA and other OSE members must convince large corporations to get on board with OSE, Rasmussen said.
"You need to get large banks or somebody on board who says 'We support (OSE). Here is our vision, and here's what we're going to do with it," he said.