Skip to content

Commit

Permalink
Merge pull request #60 from manics/march-satre
Browse files Browse the repository at this point in the history
Add March 2024 SATRE breakout notes
  • Loading branch information
Davsarper authored Jun 27, 2024
2 parents 8deb82a + 041c4eb commit faf43c3
Show file tree
Hide file tree
Showing 2 changed files with 45 additions and 0 deletions.
2 changes: 2 additions & 0 deletions docs/events/wg_workshops/2024-03-14-march-meeting/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ discussion-researcher-verification
workshop-community-governance
workshop-cybersecurity-risk
workshop-glossary
workshop-satre
workshop-sde-tre-definitions
```

Expand Down Expand Up @@ -124,6 +125,7 @@ Summaries of the discussion held as well as the raw notes taken on the day are a
- [](./workshop-glossary.md)
- [](./demo-scotland-ras.md)
- [](./workshop-community-governance.md)
- [](./workshop-satre.md)

#### Session 2

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# SATRE

**Chair**: Simon Li

## Notes

- SATRE and AzureTRE
- SHAIP (Safe Haven AI Platform, Canon R&D) SATRE assessment
- TRE within Scotland safe haven network
- Different scoring system to indicate whether SHAIP:
- enables a requirement as a core part
- supports a requirement as part of the overall TRE
- requires a TRE to support for SHAIP
- doesn't meet, possible gap
- not required for SHAIP solution
- Few missing requirements
- Haven't found anything wrong in SATRE
- Scottish DSH: found possible gaps on specialisms of capability
- 33 N/A for SHAIP as a vendor inside a TRE
- 21 Optional not relevant, 12 mandatories not relevant
- 4 requirements as possible gaps in SHAIP. 3 optional one mandatory (on-prem encryption can be prohibitively expensive for very large datasets)
- 32 requirements that SHAIP expects the TRE to provide (10 optional/recommended, 22 mandatory)
- 12 requirements that SHAIP supports a TRE in implementing
- Some capabilities can be summarised as "follow state of the art risk management", could be worth highlighting TRE specific capabilities?
- Additional private score on how well something is implemented
- Excel pivot table for different views, e.g. capabilities that must be implement, those where SHAIP must support TRE to implement, groups by pillar, etc
- Can we change the SATRE scoring system to this?
- Scoring is kind-of reverse of capability maturity model
- CMRE role: role of someone in inplmenting
- Can scoring system/roles be made public, for consideration as a replacement scoring system in SATRE
- Some areas where it's impossible for a solution provider to implement on it's own
- Can we split capabilities by domain e.g. technology provider, vs people, etc? Then different roles/providers can take care of evaluating different areas.
- Would e.g. allow AzureTRE (product, not a deployment) to be evaluated against relevant part of SATRE. What's a feature, what's an SOP
- ISO mapping, so ISO27001 accredited TREs _automatically_ tick relevant SATRE requirements

- AzureTRE: initial evaluation

- First impressions on using SATRE:
- Getting started, 160 requirements, too many to evaluate before dinner
- Smaller would be more accessible (e.g. best practice could be condensed into a single box)
- SATRE very inclusive
- Different mindsets, e.g. "data must not be shared between projects", but what about multiple related projects where data should be shared amongst limited projects?
- But gap for federated

0 comments on commit faf43c3

Please sign in to comment.