1.7_Security_WBS.xls
WBS_Number   Work_Item   [Start_Date - End_Date; Owners; effort notes, where the sheet gives them]

1.7          Security   [Altunay]

1.7.1        Increased Support for Sites (T3-T2-T1) and VOs   [Basney]
1.7.1.1      Direct communication with VO and site contacts. Concrete goal: a phone call with a site and VO contact per week.   [9/1/2009 - 10/1/2010; Basney, Altunay]
1.7.1.2      Understand the security environment of the VO and site. (Friendly conversation, not a hostile security questionnaire. The VO security contact may not know the security environment.)   [9/1/2009 - 10/1/2010; Basney, Altunay]
1.7.1.3      Understand what type of support needs there are.   [9/1/2009 - 10/1/2010; Basney, Altunay]
             Effort: initially 0.10 FTE (half a day per week); later, as the support needs are to be met, this ramps up to 0.3 FTE.

1.7.2        Incident Response and Monitoring   [Anand, Sfiligoi]
1.7.2.1      Focus on proactive monitoring tools   [9/1/2009 - 10/1/2010; Anand, Altunay]
1.7.2.1.1    Identify high-level threats and, if needed, find and/or develop monitoring tools for these threats. (This is the only software development activity for next year.)   [9/1/2009 - 10/1/2010; Anand, Altunay]
1.7.2.1.2    Use Gratia records to establish regular usage patterns in OSG.   [9/1/2009 - 10/1/2010; Anand, Altunay]
1.7.2.1.3    Check whether a site has applied announced patches, e.g. check access logs, check the VDT version, or look at RSV probe results.   [9/1/2009 - 10/1/2010; Anand, Altunay]

1.7.2.2      Conduct Incident Drills   [9/1/2009 - 10/1/2010; Sfiligoi]
1.7.2.2.1    Repeat the WLCG drill against Tier-2s and Tier-1s   [9/1/2009 - 10/1/2010; Sfiligoi]
1.7.2.2.2    Drop a VO   [9/1/2009 - 10/1/2010; Sfiligoi]
1.7.2.2.3    Drop a site   [9/1/2009 - 10/1/2010; Sfiligoi]
1.7.2.2.4    Conduct a silent drill against OSG services to measure OSG staff's awareness, e.g. show that the VDT software cache, GOC security tickets, etc. can be penetrated.   [9/1/2009 - 10/1/2010; Sfiligoi]

1.7.3        Audit, Risk Assessment and Mitigation   [Altunay, Basney, Olson, Roy, Quick]
1.7.3.1      Mitigate risks found in the RA infrastructure   [started 7/30/2009; Olson]
1.7.3.2      Document and analyse certificate revocation issues when an individual leaves a VO   [8/20/2009 - 10/31/2009; Olson]
1.7.3.3      Implement disaster recovery plans   [started 7/30/2009; Olson]
1.7.3.4      Implement, or ask VDT and GOC to implement, secure software distribution channels and secure CA distribution channels.   [started 7/30/2009; Altunay, Roy, Quick]
1.7.3.5      Implement, or ask VDT to implement, a vulnerability notification process with software providers   [started 7/30/2009; Altunay, Roy]
1.7.3.6      Understand and review the software components in VDT. This is not a code-level audit; it is a general understanding of which authN mechanisms, configuration variables, etc. are used by each component.   [9/1/2009 - 10/1/2010; Basney]
1.7.3.7      Transition to SHA-2   [9/1/2009 - 10/1/2010; Basney]
             Effort: software stack review 0.5 FTE; risk mitigation 0.4 FTE.

1.7.4        Education & Documentation   [7/30/2009 - 10/1/2010; Olson, Altunay]
1.7.4.1      Contribute to the documentation effort   [7/30/2009 - 10/1/2010; Olson]
1.7.4.2      Prepare how-to guides:   [7/30/2009 - 10/1/2010; Olson, Altunay]
1.7.4.2.1    How to respond to incidents   [7/30/2009 - 10/1/2010; Olson]
1.7.4.2.2    How to securely configure and install VDT (including non-security software)   [7/30/2009 - 10/1/2010; Altunay]
1.7.4.2.3    How to operate a site securely (for site admins: day-to-day tasks, how to register with OIM, read security advisories, check the security team's signatures, etc.)   [7/30/2009 - 10/1/2010; Olson]
1.7.4.2.4    How to access OSG as an end user (get a cert, import it into a browser, renew it, register with VOMS, etc.)   [7/30/2009 - 10/1/2010; Olson]
1.7.4.3      Training (the sheet numbers this item 1.7.4.2, duplicating the how-to guides item)   [7/30/2009 - 10/1/2010]
1.7.4.3.1    Security training for OSG staff (once a year)   [7/30/2009 - 10/1/2010; Altunay]
1.7.4.3.2    Security training for sites, VOs, users   [7/30/2009 - 10/1/2010; Altunay, Olson]
             Effort: 0.5 FTE for a year.

1.7.5        Continuous Operational Security Tasks   [7/30/2009 - 10/1/2010; Altunay, Olson]
1.7.5.1      Respond to incidents   [7/30/2009 - 10/1/2010; the team]
1.7.5.2      Security tickets   [7/30/2009 - 10/1/2010; Anand, Sfiligoi]
1.7.5.3      Read software vulnerability bulletin boards for 3rd-party software   [7/30/2009 - 10/1/2010; team, 1 hour per day]
1.7.5.4      Prepare the CA package   [7/30/2009 - 10/1/2010; Basney, 2 hours per month]
1.7.5.5      Run the RA   [7/30/2009 - 10/1/2010; Olson, 5 hours per week]
(no number)  Prepare 2 identity workshops with ESnet   [7/31/2009 - 11/1/2009; Olson, 2 hours per week until October]
1.7.5.6      ST&E (Security Test and Evaluation)   [8/1/2009 - 12/31/2009; Cudzewicz, Altunay; 3 months FTE: 1 month execution, 1 month evaluation and 1 month implementing new controls]
1.7.5.7      Update the risk assessment document   [8/1/2009 - 12/31/2009; 1 month FTE for execution]
1.7.5.8      Attend EUGridPMA 3 times a year (Europe)   [7/30/2009 - 10/1/2010; 3 weeks per year FTE]
1.7.5.9      Attend TAGPMA 2 times a year (Americas)   [7/30/2009 - 10/1/2010; Olson, can skip; the intention is one meeting a year, a couple of days in North America]
1.7.5.10     Attend JSPG, remote only   [7/30/2009 - 10/1/2010; can skip]
1.7.5.11     Communicate CA/CRL outages to IGTF   [7/30/2009 - 10/1/2010; 5 hours per month]
1.7.5.12     OSG Review   [12/1/2009 - 12/31/2009; Altunay]
1.7.5.13     Automated merging of VO packages (leftover from last year)   [8/20/2009 - 10/20/2009; Igor]
1.7.5.14     Build interactive communication mechanisms with security contacts   [8/20/2009 - 12/31/2009; Altunay and Quick]
             Effort: takes at least 0.5 FTE just to keep up.

Staff assignments
Sfiligoi     Tickets, vulnerability, drills
Anand        Monitoring tools, tickets, incidents
Basney       Support T3, software understanding, SHA-2 transition, EUGridPMA
Olson        RA, implement risk mitigation, documentation, education
Cudzewicz    ST&E
Altunay      T3 support, training, monitoring, ST&E
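Item 1.7.2.1.3 (check whether a site has applied announced patches by looking at its installed software versions) is the one item in this WBS that is a concrete monitoring procedure. The following is an added example of that check and is not code from the OSG security team or the VDT; the "package version" line format for advisories and site inventories, the package names and every version number are assumptions made for illustration. The part worth getting right is the version comparison: a plain string compare calls 1.2.9 newer than 1.2.10, and a pre-release such as 7.4.0rc1 must not pass as the fixed 7.4.0.

```python
"""Check whether a site has applied announced patches (added example).

The 'package version' line format (with '#' comments), the package names and
the version numbers are assumptions for illustration; they are not real OSG
advisories, VDT releases or site reports.
"""
import re
from dataclasses import dataclass

# A version string is read as runs of digits or runs of letters.
_TOKEN = re.compile(r"\d+|[A-Za-z]+")
# Assumed convention: these suffixes mean "after the base release"
# (1.2p1 > 1.2); any other alphabetic suffix is a pre-release (1.2rc1 < 1.2).
_POST_RELEASE = {"p", "patch", "post"}


def _segments(version):
    """Tag each token with a class so tuples compare without int/str clashes:
    pre-release text (0) < post-release text (1) < numbers (2)."""
    out = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            out.append((2, int(tok)))
        elif tok.lower() in _POST_RELEASE:
            out.append((1, tok.lower()))
        else:
            out.append((0, tok.lower()))
    return out


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Numeric tokens compare numerically (1.2.10 > 1.2.9). When one version is
    a prefix of the other, a trailing number or post-release token makes the
    longer one newer (2.0.1 > 2.0, 1.2p1 > 1.2); any other trailing text
    makes it a pre-release (2.0rc1 < 2.0).
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    if len(sa) > len(sb):
        return 1 if sa[len(sb)][0] >= 1 else -1
    return -1 if sb[len(sa)][0] >= 1 else 1


def is_patched(installed, fixed_in):
    return compare_versions(installed, fixed_in) >= 0


def parse_table(text):
    """Parse 'package version' lines; blank lines and '#' comments are ignored."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'package version', got {raw!r}")
        table[fields[0]] = fields[1]
    return table


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    fixed_in: str


def check_site(inventory_text, advisory_text):
    """One Finding per advisory package the site runs below the fixed version.
    Packages the site does not have installed are not affected."""
    installed = parse_table(inventory_text)
    advisory = parse_table(advisory_text)
    return [
        Finding(pkg, installed[pkg], fixed_in)
        for pkg, fixed_in in advisory.items()
        if pkg in installed and not is_patched(installed[pkg], fixed_in)
    ]


# Constructed sample data (assumed names and versions, not real releases).
ADVISORY = """\
# package          fixed-in
openssl            0.9.8k
gridftp-server     3.16
condor             7.4.0
"""
SITE_A = """\
openssl            0.9.8k
gridftp-server     3.15      # one release behind
condor             7.4.0rc1  # pre-release of the fixed version
"""
SITE_B = """\
openssl            0.9.8l
gridftp-server     3.16
"""

if __name__ == "__main__":
    for name, report in (("site-A", SITE_A), ("site-B", SITE_B)):
        findings = check_site(report, ADVISORY)
        print(f"{name}: {'UNPATCHED' if findings else 'OK'}")
        for f in findings:
            print(f"  {f.package}: installed {f.installed}, fixed in {f.fixed_in}")
```

The inventory text would in practice come from whatever the site reports (a package-manager listing, a VDT version file or an RSV probe result, as the item lists); the example only fixes the comparison and reporting logic. The pre/post-release rule is a convention and needs adjusting per product: OpenSSL-style letter releases (0.9.8k) compare correctly against each other here but would sort before the bare base 0.9.8, so a product whose letter suffixes are post-releases needs its suffix added to `_POST_RELEASE`.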
Posted to Docstoc: 2/1/2013; 7 pages; English.