From YouTube: SLSA Specifications Meeting (May 22, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit#heading=h.yfiy9b23vayj
A: So first we could welcome any new members, if you want to briefly say hello.

A: Well, welcome. First I want to just briefly... actually, is there anyone else new here? I don't see anyone else, so welcome. I want to mention next week is a U.S. holiday, Memorial Day. I propose that we cancel because I think a lot of us are here in the US.

A: Okay, all right, let's consider it canceled. I'll put it in the in.

A: Okay, and so first up was this issue. I think that Jay had posted to Michael J. Do you want to talk about it?

D: Well, so we were talking in the positioning, at the SCI positioning meeting, and you know, after a series of presentations that we've all given on the different frameworks that we're working on inside of the Supply Chain Integrity working group, SLSA also being one of them. One of the things that we've noticed, based on the questions we received with SLSA. That makes it very well.

D: You know, we muscled through them because, of course, working on it, you know, we understand what we're attempting to do, or what we're trying to convey, and we understand the usability and we're excited about it. But when it comes to the way that the community is consuming SLSA and the way they understand SLSA, one of the things that we're recognizing is that, you know, we are saying security framework, then we're saying conforming or complying, then we're saying, no, then there are the maturity levels. And one of the things I don't think that we do a good enough job of, in the specification, in the text, in the documentation, is discerning security framework from compliance requirements, and then maturity model based on the maturity of either meeting the respective security controls, or maturity in terms of where we are in compliance. And then, when is it one or the other? When can it be both?

D: So it's its use in what context, and then it'll help us when we're discussing the nature of SLSA, meaning we're not trying to change what you're currently doing, we're trying to enhance what you're currently doing with the use of SLSA. But how? But how does that work when we are not being specific in text on what it is, when it is what it is, and then how do you properly incorporate it within your organization based on desired use and purposes?

D: So that was the nature of the issue that was written there, like I said, up for discussion.

F: Just for clarification, where do we use the term maturity model, and where do we use the word compliance? I'm not aware of either appearing in the specification, but I could be wrong, and it is.

D: So, Chris, when we talk about level one, two, three and four, that suggests maturity, all right, and the capability maturity model, any capability maturity model, any maturity model. You see, when you're discussing levels, that's maturity, and that's the way the industry recognizes maturity, in levels. Okay, so, and then in the beginning, this is way last year, SLSA was a compliance... it also was a set of compliance requirements and then changed to a security model until later.

D: Okay, so what I'm saying is, when you take a look at what it used to be, what it's morphed into, and keep in mind a lot of great work has been done to narrow its focus, narrow its scope, get something that's usable, and now to the consumer. Remember, the work that we're doing is not seen by everyone else, so transparency, and transparency out, they see what was in the beginning, they see what's happening now, so we get a lot of questions.

D: Oh, absolutely, and the reason why I'm bringing this up here is because we're looking at similar, what could become similar, issues down the road. But in S2C2F we're not detracting from it being matured before being a maturity model. We're not detracting from that. We actually say it's a maturity model based on meeting a set of security controls. There's nowhere in S2C2F where we're saying it's compliance requirements.

D: What I'm saying is that in the beginning, SLSA started off as a set of compliance requirements. Then it's a set of security controls, and now we're saying SLSA conformance. What's the difference between conformance and compliance, right? And what I'm saying here is that we have to be very careful with what SLSA is, when it is, in order to properly say, well, this is how you can incorporate it. The difference between SLSA and S2C2F in this regard is that S2C2F was never a set of compliance requirements. It's always been a security framework and it's a maturity...

A: So I feel like you're saying words and I don't know what they mean. Like, I'm not familiar with the term compliance requirements versus maturity model. When you say it was compliance requirements and is now maturity model, like, could you go into more detail of, like, when that happened, and what, like, what is the difference?

D: You have maturity levels based on how you're meeting either compliance requirements, or whether or not you're implementing certain security controls. And implementation of certain security controls will depict at what level of maturity you are, and the level at which you're meeting certain compliance requirements will depict what level of maturity you are, based on whether or not you're saying, I'm implementing SLSA as a set of compliance requirements, or as a security framework where I'm implementing a set of security controls. Then you can say, well...

D: We have SLSA levels one, two, three, four, whatever, and at this level I'm meeting this set of security requirements. So, I'm influenced, so when I implement this, and this is good, and I can attest to this, and then I'm meeting this level of SLSA, that makes SLSA at that respective maturity level. I'm meeting these sets of compliance requirements, if, in fact, you are saying in this instance we're using SLSA as a set of compliance requirements.

D: Now, if you're saying I'm using SLSA as a security framework, then I'm at level two maturity based on meeting these sets of this criteria of security controls. Now you can say SLSA in this regard is a security framework when used this way; it's compliance requirements when used this way. You might even be able to get away with saying, if you implement this set of controls or requirements, then, in terms of security for SLSA, you're at a level three, but in terms of compliance, based on...

D: ...you know, the implementation of this against this set of compliance requirements, and let's say you're using something like, I don't know, and once again I'm being a bit facetious here, let's say using PCI or HIPAA or something else, then again, using these compliance requirements against, also, this compliance requirement based on industry, we are at a level two. So you could say, I'm a level three for security, I'm a level two for compliance. I know that that is a lot with them...

D: ...just what I'm saying right now, but what I mean here is, if we're not properly putting that in the specification, in the text, and giving those examples to the consumer, it could become very difficult for them to understand. Hence why we're receiving a lot of the questions that we're receiving in these presentations.

F: Thank you so much for your patience here. I still don't understand the difference between a security, or what you say, security controls, versus compliance requirements. Could you give an example of each? I think that might be helpful for me.

D: Okay, let's see.

D: Compliance requirement: you need to make sure that your policy is updated once a year. So when an assessor comes down and looks at your security policy, if they look at the date of the security policy and your security policy has not been updated in the year, then you are not in compliance. Okay, security control:

D: You need to make sure that your security policy is reviewed by two people. It has to have two people in a review process. So compliance says, well, my policy is updated within the year, so for compliance I'm good. But as a security control, well, yeah, your policy has been updated, but your policy hasn't been reviewed by two people, so you're not meeting the right security control. The control says this needs to be reviewed by two people.

D: In order for it to be considered, you know, in order for it to be considered right, or whatever it is. So compliance says it's been reviewed in the year. What I'm doing here is, I'm taking it out of... your car is supposed to, and this is a meme I love: your car is supposed to have a spare tire. It doesn't say what size the spare tire needs to be. It just needs to have a spare tire. You can have 17 inch wheels on your car. Your spare tire in the back is 15.

D: Do you have the spare tire? Of course. But does it mean that if you get a flat tire your car is going to be able to run properly? Yeah? No. All right, so that's, I mean, there's a difference between compliance and, I'm breaking it down ounces to small boats here since they asked the question, but that's the difference between compliance and security controls in general.

D: Wait, wait, what? Say that last part.

F: So, you said that a requirement that the policy must be reviewed annually is a compliance requirement. Does it become a security control if the requirement is the policy must be reviewed regularly, or repeatedly, whatever?

D: Does the security control... no, that regularly, and no, a security control is not around the frequency. The frequency of time is the compliance requirement. The control in place is what needs to happen in order for it to be considered. Challenge, I mean, what, God, that's a, that is a...

D: The required, the compliance requirement, is the frequency, not the control. The control is what you need to have in place to make sure that you're either... you go through the process of prevention, protection, detection, correction, you know, I mean, God, you have to be a security, but I mean security folks will understand this: protection, prevention, correction, detection, there's a fifth one in there. Those are controls.

F: I'm not sure, I mean, I think that there's some background that I'm missing, and I can look that up on my own time, but it sounds to me like, and so both freshness and two-party review are ways of building confidence in the correctness of the policy. I see those as both being related to security, so I think that there's a detail that I'm missing, or there's a framework for discussing security that I'm not familiar with. So I believe we're at the point. Thank you for your patience.

E: So, one quick thing, just because, as somebody who's lived in both worlds, I can maybe provide a little bit of color there. There's still a lot to be read about, and to kind of take Jay's analogy with the car a little bit more, right, like compliance is stuff like, for example, in New York, right, I need to get my car inspected every year. That is compliance. That does not mean that my car is, you know, safe from...

E: Like, you know, my engine is well maintained or whatever. It's just a set of things to make sure that I'm actually complying with the law, and often compliance has a lot of different factors. Sometimes it's internal compliance: are you complying with your own internal practices, and those sorts of things. They're not necessarily always focused on, like, actual, you know, like, you know, in certain cases, by complying with these things...

E: Yes, we believe ourselves to be reasonably protected. But a lot of times compliance is used more as an activity to ensure that you're doing the right sorts of things that indicate that you're probably, you know, safe, and those sorts of things. And so another way to say it also is, you know, security controls help you from getting compromised; compliance keeps you out of prison. So, and to be clear, that is very...

E: You know, that is a very true sort of thing, especially among CSOs: they're balancing between, hey, if I sign off on these things and it turns out they're not correct, I could go to jail for that, which is separate from actual security controls. But then, to kind of go into the security control space a little bit, security controls are just usually sort of descriptive.

E: What should exist that indicates that, you know, you're protecting against some sort of risk. It's usually associated with a risk, something like, you know, the risk is, you know, we're worried about third... you know, we're worried about external things, external like dependencies, you know, compromising our systems. So we have a control that, you know, protects against ingestion or whatever. So that's kind of a very, very high level, and there's a whole bunch of stuff in there about...

E: You know, you have policy, usually at the top, and then you have, you know, controls, and you have processes, and you have a bunch of other things there, and it's kind of like an enterprise risk sort of thing that doesn't apply to every different space. But I think from the SLSA perspective, there's concern about how it's interpreted and how folks are looking at this. Like, for example, NIST 853, 190, etc. are controls, and it's a control catalog and that sort of thing, and is SLSA a set of controls? Is it a compliance?

E: Yeah, and for what it's worth, I think the whole thing is kind of silly, I think that, but at the same time there are folks at sort of that executive level who are going to interpret it a very specific way. I remember... let me go find a link. I know that there's a few good ones out there.

E: So I think a little bit of it is, from my perspective, what I think has happened is, a little bit, folks who are not aware of the differences, that are mostly a management and executive sort of vocabulary thing. You know, when we say, oh, are you compliant with SLSA? We use it very colloquially, whereas there are certain folks who view, oh, are you compliant with SLSA?

E: That means SLSA is a compliance requirement similar to PCI compliance requirements, whereas they're very different in sort of that, like, legal, executive, that sort of branch of things. Whereas I think a lot of us who are much more, you know, engineers, hands on keyboard, we just kind of use compliance, conformance and a lot of these other terms kind of interchangeably here, and I think that's causing confusion on the other end.

E: But so, just to be clear here, I did post something that I remember seeing a while back from ComplianceForge, which is just sort of some high level words around, you know, what is compliance versus a standard versus a policy versus a procedure, and all those sorts of things. And there is a lot of stuff from the NIST side of things around what counts as a framework, what counts as a policy, what counts as guidelines, and yeah, I personally think that there is some benefit in us, and to be clear...

E: I think Jay has a very, very good point, but I also think that we might have the ability to sort of push back a little bit on folks taking SLSA purely as this, like, you know, is SLSA going to be some sort of ISO standard, or some of these things, I'm not sure. But I think that there's something there that I think needs to be, at the very least, from the text, clarified a bit, because I think it is causing...

E: ...you know, folks who do exist in this world of, hey, like, I'm an engineering manager at a large bank, they're going to view it very differently than, just, let's say, a startup, where a startup doesn't have those same sets of, like, internal requirements that force them to view it a certain way. Mark.

A: I wouldn't know what to change to make that so, like, if we could point out, like, at a minimum, you know, this specific language that we have in this section says this, here's why it's problematic, because it blah blah, and ideally, like, just replace it with something else, because...

D: Yeah, I mean, I could take a look at something. I'll work with Mike to do it, we'll take a look at some, I'll probably bring Melba in to definitely take a look and see what kind of language we can update, or what we can put in. I think this, I mean, just for the sake of this discussion alone...

D: ...I think it's important that we do this, because if these are the questions we have at the level where we're actively working on this specification, then I can only imagine what later questions will come up as we begin to work on subsequent tracks.

D: So this is important. As Mike said, for those of us who are well versed in this, I mean, we're going to look at it and we're gonna brush over it, but for the individuals that are going to pay for tools, or, you know, incorporate this and pay for the tools that support it...

D: ...they definitely need to understand what this is, why it is, where it's used, how it's used, and everything else, to justify cost or whatever. So, yeah, we'll get to work on some.

C: Okay, just to go off what you're saying a little bit as well, like, how I'm trying to view this, or how this is processing with me, is that the issue comes down to clear differentiation based on the perspective, on the reference perspective.

C: So most of the folks here are probably approaching the problem from the framework specification, and we're thinking about it from the mindset of how can we create this framework which can be verified. But we're taking it as an assumption, or our assumption in this process is, that the artifacts being verified are trusted, or are built by some already trusted platform. And so, if we change the perspective, instead of coming from the developers of the framework and, by extension, those involved in building out the platform, to instead mutate to the users of the build platforms, how can that trust be, or how is the trust verified, when it's associated with artifacts?

C: We don't have that assumption that this is how to achieve and establish that base level of trust. And, like, then you have the additional complications of the different build tracks, and how that trust can be propagated and mutated on the platform level as it relates to the different build tracks.

C: I don't know if that's way off base or if that helps anybody, if that's accurate.

E: You know, because I've heard, just to be clear, like, I'm not as deep as Jay is in, probably, those sorts of discussions that he's having, and folks that I believe are involved in the SLSA community are having. But what I will say is, I know that there's going to be groups of folks who are at a certain level in enterprises that are looking at SLSA, and at some level they're saying, hey, I have a set of boxes.

E: I have a set of boxes for standards, for guidelines, for, you know, policies, for compliance and so on, and they're not sure which of the boxes SLSA exactly falls into. And part of it is more of a language thing, but I think, to, you know, some of the discussions that were brought up, it sounds like it's more of just, like, maybe even in the FAQ a little bit, to just sort of have something in there that says SLSA is of this, and when you're, you know, viewing it...

E: ...please just understand that, like, we're not using a lot of the language that you might imagine in some of these ISO standards or NIST glossaries around, like, exactly what that is. I think that's probably a reasonable place to start off.

E: You know, and also maybe we even, you know, I also would not be opposed to necessarily saying, hey, like, we should probably maybe get some end user feedback from folks who are legitimately confused, like maybe get somebody from, I'm just saying, like a large bank or something like that, to sort of, like, explain what the problem is.

E: That might also prove to be useful there.

A: Yeah, I think in general, like, not specific to this particular issue, but in general I think we could do more. I would like to see more clarity around, like, how you use SLSA and how it's expected to be used, of, like, particularly how you would apply SLSA to an organization, like if you're a company, like how, you know...

A: How would you go about using SLSA? I think that would be valuable, like, even if you're not in this compliance world. I think just in general, just to kind of give a framework for, like, this is how we think about SLSA, and this is how we kind of expect it to be used. I agree with that, even without having to understand the intricacies.

E: Yeah, and just something I actually forgot to bring up, but I think that's along those same lines, is, you know, I've worked in sort of the banking compliance world, and from that standpoint, really, I don't think SLSA fits into, let's say, the compliance side of things, because I think it's, you know, and I don't mean to hate on compliance.

E: I anticipate SLSA at a lot of enterprises, especially, I'll talk about banking because that's the one that I'm most familiar with, is banking will have something like a set of high-level policies, and those high-level policies might include something like, you know, you need to be following a set of frameworks on securing against third party risks or whatever, or securing, you know, securing the software delivery life cycle. Great!

E: That's sort of a high level policy, and then, when you get down to the actual standards, or in some cases procedures, you might say we are adopting SLSA as the framework that helps us hit this internal requirement we have. And so that's kind of where a lot of that would go through, and so, like, from a high level policy standpoint...

E: ...there's just something like, you need to be securing against this, and you need to pick, like, you know, an industry standard or whatever. And oh, great, we picked SLSA because that's the one, you know. And so it sort of fits into this box of a hierarchy in there. And so, yeah, in fact, actually Andrew posted something about SLSA as a subset of SSDF, and so in fact, like...

E: If you look at SSDF, it has a lot of these high level controls, and in fact, I believe SSDF does cite SLSA as something to look at as, like, you know, the guidelines for, yeah. So yes, there's a mapping from SLSA to SSDF, but there's also the opposite, I believe, as well. If I do... there is somewhere in the SSDF...

E: Oh, this is the one, yeah. So one of them, sorry, it's not SSDF that has that, it's one of the ones that has... there is some NIST guidance around looking at SLSA to help out with SSDF. I don't remember exactly which document that is.

E: And also, to what Andrew said, yeah, so there's also a lot, in this sort of space, the difference between sort of prescriptive and descriptive, right. So in a lot of cases, you know, compliance and a lot of stuff like controls are more descriptive, like you are providing evidence of a thing, as opposed to prescriptive, of, like, you're actually doing a specific thing.

C: And one of the things that Jay said earlier was, or what stuck out, is that it's the difference between having a descriptive process, but, like, what is actually included in that is, like, you have annual reviews, but are those reviews two-person reviewed? And so I...

C: ...think that some of the concerns in this area might be able to be deferred to the auditors in the conformance program, who are, like, you can have auditors, and then you can have auditors who are trusted by some other entity, which actually, like, you can audit the auditors to make sure that what they're checking is actually sensible for your own organization, your own internal processes, like how thorough are the auditors?

C: What are the auditors' actual requirements? So, like, again, I feel like a lot of these are important questions, and I think that it really depends on what the perspective is that you're coming from, and how you're approaching the secure supply chain process, and what it is that you're concerned about, and where you place your trust.

E: So, just to, I guess, finalize this, it sounds like we should probably sit down, a few of us who are familiar with this sort of thing, and kind of list out some of the issues we're seeing. I think it's probably also worthwhile for the same group to maybe pull in a couple of end users who are looking at SLSA and trying to understand, like, where does this fit into my box of, you know, enterprise tech, and then go from there. Is that sort of an answer that we can kind of come back with, like, here are some of the literally action...

A: All right, thanks for the chat, everyone, and again, reminder that we'll cancel next week because of the U.S. holiday, and we'll see you again in two weeks. Bye, everyone, thanks.