
# Notes

## Definitions

Here we list terms that need to be defined, often for all MIMs and not just for MIM6.

Data

* Definition: Raw, unprocessed facts and figures without context. Data can be numbers, text, images, or other forms of input.
* Example: A list of temperatures recorded every hour throughout the day.

Information

* Definition: Data that has been processed, organized, or structured in a way that adds context and meaning, making it useful for decision-making. When information is transferred it is data.
* Example: A report analysing the temperature data to determine the hottest and coldest times of the day.

Data processors

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal\* data on behalf of the controller;\
**Reference:** [GDPR Article 4(8)](https://gdpr-info.eu/art-4-gdpr/)

\*We expand the definition to also encompass all kinds of data, not only personal data.

Processing

‘processing’ means any operation or set of operations which is performed on personal\* data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; \
Reference: GDPR Article 4(2)

\*We expand the definition to also encompass all kinds of data, not only personal data.

Identity

A set of attributes that uniquely describe a subject within a given context.\
Reference: NIST Definition (SP 800-63-3 – Digital Identity)

## Meeting Notes

#### Working Group Meeting #18 (25 February 2026)

* Update on the 1st MIM Steering Committee meeting and upcoming joint foundational MIMs Working Group (comprising MIMs 0, 1, 2, and 6)
* Discussion on the differences between the global MIM6 and MIM6 Plus
  * Need for identifying the interoperable aspects of NIS2
  * As an overarching layer, Harm recommended looking into the [EUCC Certification Scheme](https://certification.enisa.europa.eu/certification-library/eucc-certification-scheme_en), noting that there are interoperability-related security considerations/profiles to look into that can guide our work on MIM6 going forward
    * Further mentioned: CAMMS and the (iLabs) FIDES Open [ITB Testbed Suites](https://itb.ilabs.ai/)
  * Alain to give a presentation on the Common Criteria during the next meeting
* Work on FIWARE data space connector ongoing. Following further feedback, an early version for the mechanisms may be ready for the next meeting

#### Working Group Meetings #16-17 (26 November 2025 & 21 January 2026)

* Limited participation; discussion on the next steps (especially mechanisms) as well as the OASC Conference in late January 2026; further thoughts on pre-requisites for MIM6; discussing the option of a joint working group for the foundational MIMs

#### Working Group Meeting #15 (22 October 2025)

* Alain and Elliott from Kereval presented their work on a conformance testing suite for MIMs 1, 2 and 7 (version 6; i.e. the "old" MIM1). This gave us some idea of how future MIM6 testing may be done. See the video recording for more information
* We discussed possible mechanisms for our Requirements (only R1 so far). You can find these in this [sheet](https://docs.google.com/spreadsheets/d/1M_0csjdyXjH5xlsZAHcmr_iavBlFBcCvBkQo7kin1Rk/edit?gid=0#gid=0). Please add your thoughts (in column C or on its right-hand side). We will continue discussing these during the next meetings

#### Working Group Meeting #14 (24 September 2025)

* First meeting after the summer break, kicking off the 2025/26 Securing Data MIM development cycle
* Discussions on the narrow scope of the objective and the wider scope of the Capabilities (especially C1).
  * Open question: do we need to align these? How? To be discussed in line with the broader cross-MIM work taking place this year
* Roadmap 25/26
  * Mechanism-level developed and initial tests/procedure (Citcom.ai FIWARE connector)
  * LDT toolbox testing - tool 5 (Kereval)
  * Specifications - draft
  * Interoperability guidance - draft
  * Use cases - based on Södertälje use case
  * Pre- and post-requisites - responsibilities assigned and text developed
  * Whitepaper on MIM6, test procedures, initial test results?

#### Working Group Meeting #13 (25 June 2025)

* Post-publication MIMs v8/2025 and pre-summer meeting, recap of work done

#### Working Group Meeting #12 (22 May 2025)

* <mark style="background-color:yellow;">Our regular Working Group meeting slot will change starting June</mark> (meetings not taking place in July and August 2025). They will take place on the <mark style="background-color:yellow;">fourth Wednesday from 13:30-15:00 CET each month</mark>
* Sharing use cases with other MIMs, in particular MIM3, will be discussed further after the release of MIMs 2025/MIMs Plus v8
* The role of additional MIM6 Plus regulations, such as the role of GDPR for our scope and ISO 18031, will be discussed in the future. This also relates to the ongoing discussion of pre- and post-requisites (see the existing sub-page for the identified ISO 27001 ones).
* Standards input as suggested by MM to be scheduled for September if possible - either as part of a normal WG meeting or separately (OASC Knowledge Exchange event?)
* There is the idea of running a MIM-wide testing workshop to gain a better understanding of how to test for interoperable security within the scope of MIM6 and the MIMs in general. Possible presenters include Alain/Kereval, RISE/CitCom MVP, Liviu, and possibly Vincent

#### Working Group Meetings #9-11 (February-April 2025)

* Please see the recordings/slides in the Google Workspace folder

#### Working Group Meeting #8 (12 December 2024)

* Capabilities
  * We have agreed on the following three initial Capabilities to be included in MIMs (Plus) v7.5:

    **C1**: Data is only accessible to users that should have access to it

    **C2**: Data accessed by users has not been altered

    **C3**: Data accessed by users has not been altered and originates from a verified source
  * The fourth capability discussed previously ("Data is accessible to the extent intended by the publisher (SLA)") is not included for now; it may be covered by MIM3/is out of scope of this MIM due to it being a pre-requisite. To be revisited in 2025.
* Specifications
  * An initial mapping of the above Capabilities against ISO 27001 by our Swedish colleagues showed its relevance for this MIM. Additional comments also highlighted a role for NIS2 - with high relevance to European cities - and IEC 62443. All three will be mentioned in the MIM6 Specifications, and their relevance, from high-level Capabilities to implementation guidance, will be further explored.
  * Previous Specifications from an earlier version of the MIM have been moved here; their relevance will be assessed at a later stage
    * <table><thead><tr><th>Standard</th><th width="265">Aspect</th><th>References</th></tr></thead><tbody><tr><td>ISO27005</td><td>International Standard ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management</td><td><a href="https://www.iso.org/standard/75281.html">https://www.iso.org/standard/75281.html</a></td></tr><tr><td>NIST SP800-53r5</td><td>NIST Special Publication SP800-53, Security and Privacy Controls for Information Systems and Organizations</td><td><a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final">https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final</a></td></tr><tr><td>GDPR</td><td>REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)</td><td><a href="https://eur-lex.europa.eu/eli/reg/2016/679/oj">https://eur-lex.europa.eu/eli/reg/2016/679/oj</a></td></tr></tbody></table>
* Suggestion to contact the Swedish Standards bodies to learn more about their activities relevant to this MIM
* The next Working Group meeting is going to take place in February 2025. The January meeting has been cancelled and attending participants at the [OASC Conference in Tampere on 22/23 January 2025](https://conference.oascities.org/) will be discussing the roadmap towards MIMs 2025/MIMs Plus version 8.

#### Working Group Meeting #7 (28 November 2024)

* The December Working Group meeting is going to take place on 12 December 2024 from 13-14 CET.
* Further discussion on the initial Capabilities
  * Suggested Capabilities worked on and finalised in the next meeting
    * "Data is only accessible to users that should have access to it"
    * "Data accessed by users has not been altered"
    * "Data accessed by users has not been altered and originates from a verified source"
    * "Data is accessible to the extent intended by the publisher" (SLA) \
      -> might be covered by MIM3 (Data Exchange)
* Scope of this MIM - further considerations
  * Are data classifications and user classifications/mapping (who should have the right to access what data and for what purpose?) covered by other MIMs, in particular MIM3?
  * Resulting from the above, how are we going to treat security-related pre-requisites, such as users having correct access rights?
* We are considering having expert input from standards and city practitioners on interoperable security in March/April 2025. To be discussed further in early 2025.
* The January Working Group meeting is cancelled. Informal chats will take place at the [OASC Conference in Tampere on 22/23 January 2025](https://conference.oascities.org/).

#### Working Group Meeting #6 (24 October 2024)

* Discussed the initial scope of Capabilities
* Mentioned resources to check for secure data transfer capabilities (with an interoperability scope):
  * Data Space Support Centre - [Data Spaces Blueprint](https://dssc.eu/space/bv15e/766061169/)
  * [iShare Trust Framework](https://framework.ishare.eu)
  * [Gaia-X Framework](https://gaia-x.eu/gaia-x-framework/)
  * [IDSA Data Space Protocol](https://internationaldataspaces.org/offers/dataspace-protocol/)
* Next steps
  * Focus on Capabilities until the [OASC Conference](https://conference.oascities.org/) in January 2025

#### Working Group Meeting #5 (26 September 2024)

* The (interim; awaiting formal approval) Champion of MIM6 is [Södertälje Municipality](https://en.wikipedia.org/wiki/S%C3%B6dert%C3%A4lje). Welcome!
* Working Group meetings will now be taking place on every fourth Thursday each month, lasting 90 minutes from 13:00-14:30 CE(S)T
* A suggested new MIMs framework was presented. Discussions on it are ongoing. For MIM6, nothing will initially change
* The immediate focus for the Working Group is to outline and establish Capabilities before outlining Requirements
* Additional volunteers are welcome to start working on the MIM's Interoperability Guidance (which can cover a broad range of topics, e.g. infrastructure, implementation, procurement, required skills)

#### Working Group Meeting #4 (15 May 2024)

* Agreement on the MIM6 objective for MIMs 2024/MIMs Plus v7
* Agreement that "risk assessment is a tool, not an objective" (and thus is not part of this version of the objectives)
* Work started on discussing Capabilities. The following are early suggestions inspired by MIM1. The comments aim to reflect the thoughts of the audience during the meeting.
  * C1: Applications are able to securely access data from different sources (such as cities, communities and vertical solutions).
  * C2: Applications are able to use both current and historical data, use geospatial querying and be automatically updated when the source data changes. (*<mark style="color:orange;">Comment: Not relevant?</mark>*)
  * C3: Applications can discover and retrieve data relevant to their context from a variety of sources. (*<mark style="color:orange;">Comment: Covered by C1?</mark>*)
  * C4: Applications can retrieve a subset of data from a larger data set. (*<mark style="color:orange;">Comment: Too detailed for MIM6?</mark>*)

#### Working Group Meeting #3 (11 April 2024)

* Ongoing work on defining the objective

#### Working Group Meeting #2 (15 March 2024)

Are the following aspects in scope?

* Things and southbound APIs
  * Physical device security
  * The sending to and from data sources (databases, data platforms, devices)
  * Provisioning a data source: control plane interoperability (identity management and authorisation)
* IoT/Data platform
  * Communication between modules
  * Sending of data to northbound APIs
* Northbound APIs and marketplace enablers
  * Sharing of data
  * Connection to data spaces
  * Identification, authorisation, and monetisation of services
* Focus on the data platform itself or also on central/external security systems?

#### Working Group Meeting #1 (15 February 2024)

* Establishment of the MIM6 Working Group
* Meetings to be held on a monthly basis where possible
* Immediate goal: define an objective by early June 2024 for MIMs 2024/MIMs Plus v7
  * Prior suggestion for objectives:
    * To develop a methodology to help identify security-related risks and choose the right measures to protect systems and data.
    * To provide cities with a framework for governance, risk management and control in the area of cybersecurity, along with a baseline of cybersecurity measures addressing the identified risks and providing a methodology for conducting regular maturity assessments.

