OSG Security Tasks
Document Sample


Keith Chadwick ccf175b9-a87c-4a6b-89ee-22855f13d2d3.xls - Security Tasks 9/16/2012
| Task ID | Task Title | Control Implementation | Assigned To | Quantity of Control Implementation Work (small, medium, large, xtra-large) | ST&E Person | ST&E Default Timescale | ST&E Type | Last Date | Quantity of ST&E Work to Implement | Comments |
|---|---|---|---|---|---|---|---|---|---|---|
| 2.3.1.1 | Roles and Responsibilities | Org chart published and filled out | | Small | OSG Security Officer | 6 months | Examination | | small | |
| 2.3.1.2 | Awareness for OSG Managers | Awareness materials created, containing all necessary information | | Large | OSG Security Officer | Yearly | Examination | | | |
| 2.3.1.3 | Accountability of Sites, Users, and VO's | Develop interview questions | | Small | OSG Security Officer | Yearly | Interview | | | |
| 2.3.1.3 (cont.) | | Awareness materials created with accountability section | | Medium | OSG Security Officer | Yearly | Examination | | | |
| 2.3.2.1 | Computer Security Lifecycle Meeting | Meeting notes archived | Petravick | Small | OSG Security Officer | Yearly | Examination | | small | small - weekly, medium - |
| 2.3.2.2 | Briefing of the Executive Board | Executive Board Meeting | Petravick | Small | OSG Security Officer | Yearly | Examination | | small | |
| 2.3.2.3 | Risk Assessment | Write Risk Assessment | | Large | OSG Security Officer | Yearly | Examination | | small | |
| 2.3.2.4 | Policies, Plans, and Procedures | Identify documents and archive them | | Medium | OSG Security Officer | Yearly | Examination | | small | |
| 2.3.2.5 | Self Assessment | Perform self-assessment, archive procedure | Petravick | Large | OSG Security Officer | Yearly | Examination | | small | |
| 2.3.2.6 | Peer Review | Perform peer review, archive procedure | Pordes | Large | OSG Security Officer | Bi-Annually | Examination | | small | |
| 2.3.3.1 | Trust Relationships - Approval | Create trust relationship document | Pordes | Large | | Yearly | Examination | | small | |
| 2.3.3.2 | Documentation | Document existing trust relationships | | Small | | Yearly | Examination | | small | |
| 2.3.3.3 | Clear Roles and Responsibilities | Document roles and responsibilities | | Medium | | Yearly | Examination | | small | |
| 2.3.3.4 | Yearly Review | Determine review criteria | | Medium | | Yearly | Examination | | small | |
| 2.4.1.1 | Formal Role-Based Training | Identify needed training and develop it | | Large | | 6 months, new roles, | Examination | | medium | |
| 2.4.1.2 | Regular OSG Core Security Phone Conference | Archive minutes | Petravick | Small | | Yearly | Examination | | small | small - weekly, medium - |
| 2.4.1.3 | OSG Security Mailing Lists | Subscribe to appropriate lists, monitor lists | | Large | | Yearly | Examination | | small | |
| 2.4.1.4 | Security Briefing at Consortium Meetings | Archive briefings and discussion material | | Small | | | Examination | | small | |
| 2.4.2.1 | Incident Planning | Write Incident Response Plan | | Large | OSG Security Officer | Yearly | Examination | | small | |
| 2.4.2.2 | Incident Discovery | Develop Incident discovery procedure | | Medium | | Yearly | Interview, Test | | small | |
| 2.4.2.3 | Invocation of the Incident Response Plan | Develop Incident Response Infrastructure | | Medium | OSG Security Officer | Yearly | Examination, Test | | small | |
| 2.4.2.4 | Incident Handling | Develop Incident Handling Infrastructure, | | Medium | OSG Security Officer | Yearly | Examination | | small | |
| 2.4.2.5 | Incident Analysis | Develop Incident Analysis | | Medium | OSG Security Officer | Yearly | Examination | | small | |
| 2.4.3.1 | Integrity and Availability | Create service plans | | Medium | | Yearly | Examination | | small | |
| 2.4.3.2 | Identification and Handling of Sensitive Personnel Data | Create list of forbidden business data, create | | Medium | | Yearly | Examination, Interview | | small | |
| 2.4.3.3 | Identification and Handling of Restricted Data | Create plan | | Medium | | Yearly | Examination, | | small | |
| 2.4.3.4 | Identification and Handling of Limited Distribution Data | Create plan | | | | Yearly | Examination, | | small | |
| 2.4.3.5 | Classification by the OSG Security Officer | In awareness materials | | Small | | Yearly | Examination | | small | |
| 2.4.4.1 | Monitoring | Develop monitoring of configuration data | | Large | | | Examination, Test | | small | |
| 2.4.4.2 | Version Control | Configuration data in version control system | | Medium | | | Examination | | medium | |
| 2.4.4.3 | Security Review of Proposed Changes | Develop procedure and guidelines for review | | Large | | | Examination | | medium | |
| 2.4.5.1 | General Vulnerability Reporting | Develop reporting mechanisms | | Small | | Yearly | Interview | | small | |
| 2.4.5.2 | Primary Vulnerability Reporting | Develop reporting mechanisms, archive vulnerability logs | | Small | | Yearly | Examination | | small | |
| 2.4.5.3 | Secondary Vulnerability Awareness | Develop reporting mechanisms, archive vulnerability logs | | Small | | Yearly | Examination | | small | |
| 2.4.5.4 | Primary Vulnerability Mitigation | Archive vulnerability reports, develop vulnerability mitigation procedures | | Medium | | Yearly | Examination | | medium | |
| 2.4.5.5 | Special Roles of the OSG Security Officer | Document these roles | | Small | | | Examination | | small | |
| 2.4.5.6 | Vulnerabilities, Vulnerability Communications and the OSG Security Lifecycle | Document in lifecycle process | | Small | | | Examination | | medium | |
| 2.4.5.7 | Vulnerability Awareness | Document in awareness materials | | Medium | | Yearly | Examination | | medium | |
| 2.4.6.1 | Physical Access | Develop physical access criteria and publish | | Medium | | | Interview | | small | |
| 2.4.6.2 | Console Access | Develop console access procedures | | Small | | | Examination | | small | |
| 2.4.6.3 | Network Access | Develop network access criteria | | Medium | | | Interview | | small | |
| 2.4.6.4 | Network Service Restrictions | Identify minimum set of network services and document | | Medium | | | Interview | | small | |
| 2.4.6.5 | Redundancy | Write redundancy plans | | Medium | | | Examination | | small | |
| 2.4.6.6 | Data Retention | Create tools for log retention | | Medium | | | Interview | | small | |
| 2.5.1.1 | Recording of Resource Usage Using Accounting | Develop plan for archiving of accounting records & develop tools for | | Large | | | Examination | | medium | |
| 2.5.2.1 | Authentication for Privileged Access | Document allowed access | | Medium | | Yearly | Test | | small | |
| 2.5.2.2 | Authorization for Privileged Access | Document privileged users | | Small | | Yearly | Examination | | small | |
| 2.5.2.3 | Non-privileged User Access | Develop procedures for non-privileged users | | Medium | | | Interview | | small | |
| 2.5.3.1 | Web Service Vulnerability Scanning | Develop web scanning tool | | Large | | After each scan | Examination | | medium | |
| 2.5.3.2 | Web Intrusion Detection Scanning | Develop web intrusion detection tool | | Large | | 6 months, upon detection of an intrusion | Examination | | medium | |
| 2.5.3.3 | Vulnerability Scanning | Develop vulnerability scanning tool, keep up-to-date with | | Large | | | Examination | | medium | |

Legend for the "Quantity of Work" columns (task duration to time interval):

| Task Duration | Time Interval |
|---|---|
| small | <= 1 day |
| medium | <= 1 week |
| large | <= 1 month |
| x-large | > 1 month |
Get documents about "