Assurance

["Cantor, Scott" <>]

On 8/10/12 2:29 PM, "Jones, Mark B" 
<>
 wrote:

>This all seems like an exercise in semantics to me.  Google and InCommon
>have been approved by ICAM.  ICAM uses 800-63 as one standard that is
>used to measure compliance.  This suggests that ICAM is of the opinion
>that Google and InCommon are substantially compliant with 800-63 or they
>would not be approved.

I really don't believe that 800-63 was a direct criteria in the approval
of Google. So I don't see how that's semantics, but since I don't have
proof, I'll just say that it's the basis of my opinion.

>I have yet to notice or be presented with a significant difference
>between the IAP and 800-63 yet there is enthusiastic effort to maintain
>that they are not the same.  I feel like I am trying to argue that my car
>is maroon while everyone else insists that it is dark red.  Why is there
>such resistance to being associated with 800-63?

Well, from a personal PoV, I have a lot of issues with it, but as I
already said, the reason they're so close is that unlike the Google case,
there was a very conscious mapping. But the bottom line is, unless Silver
explicitly references 800-63 for a requirement, there is nothing in 800-63
that should be relevant to a decision by an auditor on compliance with
Silver. If there is, I would think it needs to get moved into Silver.

-- Scott