In a decentralized world, you need a label that you can trust. That matters to companies and service providers alike.
The idea is to create a self-audit based on TISAX and ISO 27001. Stake pool operators (SPOs) can log into a website and complete the self-audit there.
The IT security aspect of running a stake pool is more than just your hardware and software. For example, what happens if the stake pool operator has an accident? You also need organizational and physical security measures. Do you have some kind of emergency manual, contact addresses, ...?
The first step in making the community aware is a self-audit. Every stake pool owner can reflect on their own system, learn from it and improve. The community gets a framework together with important numbers and information.
Milestone:
1. Create website (landing page)
2. Create a questionnaire and adapt it to the feedback from the community
3. Add the survey tool to the website
4. Motivate the stake pool owners to take part
5. Communicate the results
Time schedule:
Start: 10/2021
Milestones 1-3 -> end of 2020
Milestone 4 -> Jan 2021
Milestone 5 -> Q2 2021
I believe that the big stake pools will need some kind of IT security certification in the future. In a decentralized system, we have to push the small stake pool owners and improve their IT security level. It is a process. The self-audit will help to reflect and to get feedback on one's own status quo.
For example:
A stake pool gets the label "IT security level 4 out of 5". The label is valid for one year only.
The weak point: how can you trust a label based on a self-audit?
That's 100% true. You need to see it as a first step in a journey that will take place over the next few years. The next step, IT security standards and audits, should be integrated into the Cardano Foundation (my opinion).
The budget is used for:
Website, marketing, communication: $4,000
Work hours: $8,000 (100-150 h)
Security Officer of an ISO 27001 and TISAX certified automotive service provider.