Q. What is the Open Security Exchange?
A. The Open Security Exchange (OSE) is an independent, cross-industry forum that promotes enterprise security management by addressing the lack of integration commonly found in today’s security infrastructure. The OSE drives the creation and adoption of interoperability standards by working closely with existing standards bodies. Using these interoperability standards helps reduce costs and leverages an organization’s existing security infrastructure to maximize investment. An advisor to government and commercial organizations, the OSE also uses its combined expertise to educate security professionals worldwide about best practice security. The OSE was founded by Computer Associates International, Inc. (CA), Gemplus, HID Corporation and Tyco Software House on June 14, 2003.
Q. How did the Open Security Exchange originate?
A. The founding members identified the technological gaps between the diverse physical and information security technologies that support today’s business infrastructure and highlighted the need for integration. To this end, they co-founded a cross-industry open forum to promote and create pragmatic interoperability specifications and educate the industry on best practice security.
Q. What is the vision of the Open Security Exchange?
A. The vision of the OSE is to combine the disparate technologies that form today’s security infrastructures to optimize security investments and increase operational efficiency. Effective security management will result in: accurate detection of threats and attacks; consistent definition and enforcement of security policies; and enhanced organizational collaboration.
The vision of effective security management advanced by the Open Security Exchange:
- Supports all of the technologies that comprise an organization’s security infrastructure. For example, the OSE promotes the convergence of physical and IT security.
- Enables organizations in the private and public sectors to maximize organizational security while optimizing efficiency. The OSE promotes realistic specifications to address all types of security challenges.
- Allows organizations to adopt best practice security policies and procedures. This helps reduce the occurrence of organizational security incidents, and contributes to consumer confidence with online transactions and eCommerce.
Q. Why should organizations join the OSE?
A. The OSE provides organizations with the opportunity to show market leadership and innovation by contributing to the creation of new interoperability specifications in the area of security management. OSE members can leverage the marketing efforts of the OSE to gain visibility with customers, professional organizations, and government organizations. Additionally, members can play an active role in influencing and educating the industry on security issues and best practices while gaining the position of independent industry advisor.
Members can also take advantage of complementary subject matter expertise from other members and build relationships with other member organizations in order to facilitate interoperability between their respective solutions.
The Open Security Exchange provides a cost-effective forum where members can share information confidentially while protecting their intellectual property.
Q. Why does the OSE focus on security management?
A. Security is one of the most important business concerns today. Because there is little technical integration between the various technologies that comprise an organization’s security infrastructure, business and IT systems are often vulnerable and exposed to risk. In addition, organizations are unable to consistently implement system-wide security policies due to the disparity between physical and IT security technologies.
Q. Why are the specifications and best practice documents free and publicly available?
A. The OSE encourages open collaborative relationships between technology providers, system integrators, customers, standard committees and other parties. The OSE is focused on delivering value to end-user organizations, from promoting existing specifications to ease technology integration, to designing new specifications where they are currently absent, to educating organizations on best practice security to promote effective security management.
Q. What does the new PHYSBITS specification of the OSE achieve?
A. Initially created by the OSE, the Physical Security Bridge to IT Security specification, or PHYSBITS, promotes organizational and technical integration between physical and IT systems to maximize organizational security while reducing operating costs. These specifications are intended to provide the following capabilities:
- The Ability to Audit Data Across Systems. The technical specifications of PHYSBITS allow organizations to help ensure consistency when recording security events stored in physical and IT security systems, and to consolidate security data into a central repository for auditing purposes.
- The Ability to Provide Strong Authentication. User authentication is a complex issue where security and end-user convenience meet head-on. The specifications of the OSE enable organizations to adopt strong authentication technology while leveraging their existing physical security infrastructure investments.
- The Ability to Provision Users. Managing users’ privileges and credentials is one of the biggest challenges faced by organizations today. The technical specifications of the OSE enable centralized management of users, enabling organizations to reduce costs and enforce consistent system-wide role-based administration policies.
Q. Who can join the OSE?
A. Any organization involved in promoting or implementing security can join the OSE. Members are asked to positively contribute to the creation of interoperability specifications and best practice documents.
Q. When did OSE announce its relationship with IEEE-ISTO?
A. IEEE-ISTO was officially announced as the new management body for the OSE on 11th June 2003 during a web cast briefing delivered by the founding members for the IT and security industries.
Q. What is the ISTO? And how is it related to the IEEE?
A. The IEEE Industry Standards and Technology Organization (ISTO) was established in January 1999 as a global, not-for-profit corporation [501(c)(6)] designed to accelerate and extend traditional standards development and adoption activities for technology industry consortia. Incorporated in Delaware, the IEEE was the founding member of the ISTO. The ISTO maintains an affiliation with the IEEE and the IEEE Standards Association through formal agreements. The ISTO provides an innovative legal umbrella for consortia and a flexible array of program management support. The ISTO is governed by its Board of Directors, Bylaws, and Articles of Incorporation. Industry leaders from IBM, Motorola, Nokia, Sun Microsystems, Sony Electronics, and Lexmark International comprise the ISTO’s Board of Directors.
The ISTO is headquartered in Piscataway, NJ, and maintains offices within the IEEE Operations Center. The ISTO leverages various facets of IEEE’s infrastructure, including facilities, human resources, controller’s office and IT.
Q. What does it mean that OSE is a program of the IEEE-ISTO, and how is it incorporated?
A. The OSE has contracted the ISTO to provide secretariat and administrative support. The ISTO provides an umbrella organization for industry groups, like the OSE, without the need to incorporate as a legal entity. Programs of the ISTO enjoy the legal protection and insurance benefits of operating within an incorporated, fully insured, not-for-profit organization. This flexible structure also enables the ISTO to work with groups who are either already incorporated or who wish to become incorporated.
Q. How will the ISTO assist the OSE? What services does ISTO provide?
A. Initially, the ISTO will provide the following support areas to the OSE:
- Legal umbrella and Insurance – ISTO provides the legal umbrella under which OSE is formed, which bypasses the need for incorporation. ISTO has worked with OSE to establish a full suite of governance documents. ISTO also carries an array of insurance policies under which OSE is covered, including general liability, umbrella liability, directors and officers liability and errors and omissions liability.
- HQ office and identity – OSE will be headquartered in Piscataway, NJ. ISTO will provide dedicated phone and fax services for OSE, as well as staff resources at the office headquarters.
- Strategic assistance – ISTO has managed many other industry programs, and will provide the stakeholders of OSE with advice and guidance based on past experiences.
- IT backbone – OSE will utilize ISTO’s IT infrastructure for mail list hosting, public website hosting, intranet area for collaboration and more. ISTO ensures the security, backup and confidentiality of all program-related electronic data.
- Financial administration – ISTO will handle all aspects of OSE’s finances, including all accounts receivable and accounts payable. ISTO will manage OSE’s accounts through a separate OSE account. ISTO seeks an independent financial audit of each of its programs every year.
- Membership administration – ISTO will provide front-line support for OSE’s membership, including the processing of membership applications, collection of membership payment, and the provision of membership materials. ISTO staff will also support OSE participants with new member recruiting.
- Program management – ISTO will ensure, from an independent perspective, that all of the goals and objectives of the OSE are met on time and on budget. ISTO staff will work closely with OSE stakeholders to be certain that all initiatives are adequately resourced.
Q. What other groups does the ISTO manage?
A. OSE is the ninth industry program that ISTO currently manages. Current ISTO industry programs are: 1355 Association; Broadband Wireless Internet Forum; Customized Learning Experience Online (CLEO) Lab; Liberty Alliance Project; Medical Device Communications Industry Group; Nexus 5001 Forum; Open Security Exchange; Printer Working Group; and VoiceXML Forum. Past ISTO programs include the Wireless Village initiative, the SyncML Initiative Ltd., Mobile Games Interoperability Forum, and MessageML.
Q. Will the ISTO help broaden the representation of software vendors in the OSE?
A. ISTO supports all of its industry programs by taking a vendor-neutral, industry-independent approach to management and administration. ISTO staff relies upon the direction of program stakeholders to drive strategy and decision making. Thus, ISTO will rely upon OSE management to determine a membership strategy with regard to software vendors or any other industry segment. Once a membership strategy is in place, ISTO will provide the resources and infrastructure to drive progress.
Q. Is the ISTO responsible for recruiting new companies into OSE?
A. The ISTO will not recruit companies directly, but will allocate resources to work with OSE participants to help build the OSE membership base. In its support of industry programs, ISTO does not act independently, but rather as directed by its programs. Thus, ISTO will rely on the OSE to set member recruitment goals and strategies, and ISTO will provide the appropriate resources and infrastructure to help OSE reach its target goals.