# Future governance of the SATRE Specification
SATRE funding ends in October, but the team plans to continue work on the specification. The aim is for the specification to be community owned, but what that governance will actually look like is still uncertain. SATRE aims to sit between high-level accreditations (CE+, ISO27001) and the low-level detail of a particular implementation, and to include demonstrations of how TREs are meeting it.

The next steps seem to be socialising the specification and building a peer network.
- Current funding ends at the end of October
- Planning to continue working on the specification
  - How best to fund this?
  - How to keep the community involved, using, contributing?
  - What does the governance look like in this community-owned future?
    - A foundation (e.g. Mozilla)?
- Will SATRE create a 'standard template'?
  - Aiming to be between high-level accreditations (CE+, ISO27001) and the low-level detail of a particular implementation
  - Example evaluations for two existing TREs
    - Demonstration of TREs meeting the standard
- Does SATRE recommend particular tools?
  - Not specifically; it focuses on the capabilities that a TRE must provide rather than risking divisive positions on particular packages etc.
  - Future scope for taking modular design elements from TRE implementations and sharing these, with a mapping of these elements to SATRE capabilities
- Does SATRE cover who operates a TRE or what they need to do?
  - Roles are defined and used to build requirements
- Is the community expected to cross-audit each other? Teams may lack the resource to audit themselves
  - Not a plan at the moment. Auditing could become part of SATRE in the future if there were a need
- Socialising the output seems important
  - Making people aware of SATRE, building familiarity
  - Important to do this before the end of SATRE?
    - Could be the next phase
- Identify who is engaging with the specification and what they need, e.g.
  - Building a peer network of SATRE 'users'
- What would a solution to this problem look like?
- What resources would be needed (people, time, funds, infrastructure etc.)?
- How can this community support you in getting them?
- What working groups/orgs are already working on this, if any? How can we collaborate with them effectively?
- Identify the community and what they need
  - This becomes the target of the next phase of SATRE
- Organise networks around the pillars
  - May help coordinate/focus effort
- Identify a contribution mechanism and a consensus mechanism
- What would SATRE require to have confidence?
  - Part of the HDR UK innovation portal
  - Endorsement from highly regarded, trusted bodies, for example HDR UK, UK SeRP, ADR UK, …
  - Clear mapping and roadmap to ISO27001
  - Clear guidance on roles, including the expected time and skills for each role holder, to avoid TRE staff being overloaded or given unreasonable tasks
    - Too much of an imposition? Too specific?
  - Guidance on the economics of TREs
    - Build your own
    - Buy an off-the-shelf solution
    - Cloud vs. on-prem
- Identify how to fund staff
  - First 'round' was DARE UK
  - More resources from funders, e.g. HDR UK
- What should a dedicated SATRE person do?
  - Stewardship of the standard
  - Engagement with other communities, e.g. SDAP
- Stability of funding
  - Research funding is not guaranteed
  - Ask for money/people donations from SATRE users
  - Fee for formal accreditation against SATRE