Future governance of the SATRE Specification

Overview

Summary

SATRE's current funding ends in October, but the team plans to continue work on the specification. The aim is for it to be community owned, but what that governance would actually look like is uncertain. SATRE aims to sit between high-level accreditations (CE+, ISO27001) and the low-level detail of a particular implementation, and to include demonstrations of how TREs are meeting it.

Next steps

  • The next step seems to be socialising the specification and building a peer network.

Raw notes

  • Current funding ends at the end of October

  • Planning to continue working on the specification

    • How best to fund this?

    • How to keep the community involved, using, contributing?

  • What does the governance look like in this community-owned future?

    • A Foundation (e.g. Mozilla)?

    • W3C?

  • Will SATRE create a ‘standard template’?

    • Aiming to be between high-level accreditations (CE+, ISO27001) and the low-level detail of a particular implementation

    • Example evaluations for two existing TREs

    • Demonstration of TREs meeting the standard

  • Does SATRE recommend particular tools?

    • Not specifically; it focuses on the capabilities that a TRE must provide rather than risking divisive positions on particular packages etc.

    • Future scope for taking modular design elements from TRE implementations and sharing these, with a mapping of those elements to SATRE capabilities.

  • Does SATRE cover who operates a TRE or what they need to do?

    • Roles are defined and used to build requirements

  • Is the community expected to cross-audit each other? Teams may lack the resources to audit themselves.

    • Not a plan at the moment. Auditing could be part of SATRE in the future if there was a need.

  • Socialising the output seems important

    • Making people aware of SATRE, building familiarity

    • Important to do this before the end of SATRE?

    • Could be the next phase

      • Identify who is engaging with the specification and what they need. E.g.

        • Help evaluation

      • Building a peer network of SATRE ‘users’

Roadmap plan

Questions

  • What would a solution to this problem look like?

  • What resources would be needed (people, time, funds, infrastructure etc.)?

  • How can this community support you in getting them?

  • What working groups/orgs are already working on this, if any? How can we collaborate with them effectively?

Notes

  • Identify the community and what they need.

    • These become the targets of the next phase of SATRE.

    • Could be

      • Peer network

      • Auditing/evaluation support

  • Organise networks around the pillars

    • May help coordinate/focus effort

  • Identify contribution mechanism, consensus mechanism

  • What would SATRE require to have confidence?

    • Part of the HDR UK innovation portal

    • Endorsement from highly regarded, trusted bodies, for example, HDR UK, UK SeRP, ADR UK, …

    • Clear mapping, roadmap to ISO27001

    • Clear guidance on roles, including the expected time and skills for the role holder, to avoid TRE staff being overloaded or given unreasonable tasks

      • Too much of an imposition? Too specific?

    • Guidance on the economics of TREs

      • Build your own

      • Buy an off-the-shelf solution

      • Cloud vs. on-prem

      • People costs

  • Identify how to fund staff

    • First ‘round’ was DARE UK

    • More resources from funders, e.g. HDR UK

  • What should a dedicated SATRE person do?

    • Promotion

    • Stewardship of the standard

    • Community manager

    • User support/outreach

    • Engagement with other communities, e.g. SDAP

  • Stability of funding

    • Research funding is not guaranteed

    • Ask SATRE users for donations of money or people

    • Fee for formal accreditation against SATRE