1.7_Security_WBS.xls
WBS_Number   Work_Item
             (Start_Date, End_Date and Owners / effort follow each item on the indented line below it.)

1.7          Security

1.7.1        Increased Support for Sites (T3, T2, T1) and VOs
             Effort: initially 0.10 FTE (half a day per week); once the support
             needs are understood and being met, ramp up to 0.3 FTE.

             Direct communication with VO and site contacts. Concrete goal: one
             phone call with a site contact and one with a VO contact per week.
                 9/1/2009 - 10/1/2010    Basney, Altunay
             Understand the security environment of the VO and the site. (A
             friendly conversation, not a hostile security questionnaire; the VO
             security contact may not know the security environment.)
                 9/1/2009 - 10/1/2010    Basney, Altunay
             Understand what type of support needs exist.
                 9/1/2009 - 10/1/2010    Basney, Altunay

1.7.2        Incident Response and Monitoring
                 Anand, Sfiligoi

             Focus on proactive monitoring tools.
                 9/1/2009 - 10/1/2010    Anand, Altunay
             Identify high-level threats and, if needed, find and/or develop
             monitoring tools for these threats. (This is the only software
             development activity for next year.)
                 9/1/2009 - 10/1/2010    Anand, Altunay
             Use Gratia accounting records to establish regular usage patterns
             in OSG.
                 9/1/2009 - 10/1/2010    Anand, Altunay
             Check whether a site has applied announced patches, e.g. check
             access logs, check the VDT (Virtual Data Toolkit) version, or look
             at RSV (Resource and Service Validation) probe results.
                 9/1/2009 - 10/1/2010    Anand, Altunay
             Conduct incident drills:
                 9/1/2009 - 10/1/2010    Sfiligoi
               Repeat the WLCG drill against Tier-2s and Tier-1s.
                 9/1/2009 - 10/1/2010    Sfiligoi
               Drop a VO.
                 9/1/2009 - 10/1/2010    Sfiligoi
               Drop a site.
                 9/1/2009 - 10/1/2010    Sfiligoi
               Conduct a silent drill against OSG services to measure OSG
               staff's awareness, e.g. show penetration into the VDT software
               cache, GOC (Grid Operations Center) security tickets, etc.
                 9/1/2009 - 10/1/2010    Sfiligoi

1.7.3        Audit, Risk Assessment and Mitigation
                 Altunay, Basney, Olson, Roy, Quick
             Effort: software stack review 0.5 FTE; risk mitigation 0.4 FTE.

             Mitigate risks found in the RA (Registration Authority)
             infrastructure.
                 7/30/2009 - (no end date given)    Olson
             Document and analyse certificate revocation issues when an
             individual leaves a VO.
                 8/20/2009 - 10/31/2009    Olson
             Implement disaster recovery plans.
                 7/30/2009 - (no end date given)    Olson
             Implement, or ask VDT and GOC to implement, secure software
             distribution channels and secure CA distribution channels.
                 7/30/2009 - (no end date given)    Altunay, Roy, Quick
             Implement, or ask VDT to implement, a vulnerability notification
             process with software providers.
                 7/30/2009 - (no end date given)    Altunay, Roy
             Understand and review the software components in VDT. This is not
             a code-level audit; it is a general understanding of which authN
             mechanisms, configuration variables, etc. each component uses.
                 9/1/2009 - 10/1/2010    Basney
             Transition to SHA-2.
                 9/1/2009 - 10/1/2010    Basney

1.7.4        Education & Documentation
                 7/30/2009 - 10/1/2010    Olson, Altunay
             Effort: 0.5 FTE for a (remainder of this note is cut off in the source)

             Contribute to the documentation effort.
                 7/30/2009 - 10/1/2010    Olson
             Prepare how-to guides:
                 7/30/2009 - 10/1/2010    Olson, Altunay
               How to respond to incidents.
                 7/30/2009 - 10/1/2010    Olson
               How to securely configure and install VDT (including
               non-security software).
                 7/30/2009 - 10/1/2010    Altunay
               How to operate a site securely (for site admins: day-to-day
               tasks, how to register with OIM, read security advisories,
               check the security team's signatures, etc.).
                 7/30/2009 - 10/1/2010    Olson
               How to access OSG as an end user (get a certificate, import it
               into a browser, renew it, register with VOMS, etc.).
                 7/30/2009 - 10/1/2010    Olson
             Training:
                 7/30/2009 - 10/1/2010    (owner not given)
               Security training for OSG staff (once a year).
                 7/30/2009 - 10/1/2010    Altunay
               Security training for sites, VOs and users.
                 7/30/2009 - 10/1/2010    Altunay, Olson

1.7.5        Continuous Operational Security Tasks
                 7/30/2009 - 10/1/2010    Altunay, Olson
             Effort: takes at least 0.5 FTE just to keep up.

             Respond to incidents.
                 7/30/2009 - 10/1/2010    the team
             Security tickets.
                 7/30/2009 - 10/1/2010    Anand, Sfiligoi
             Read software vulnerability bulletin boards for third-party
             software.
                 7/30/2009 - 10/1/2010    team, 1 hour per day
             Prepare the CA package.
                 7/30/2009 - 10/1/2010    Basney, 2 hours per month
             Run the RA.
                 7/30/2009 - 10/1/2010    Olson, 5 hours per week
             Prepare two identity workshops with ESNet.
                 7/31/2009 - 11/1/2009    Olson, 2 hours per week until October
             ST&E (security test and evaluation).
                 8/1/2009 - 12/31/2009    Cudzewicz, Altunay; 3 months FTE:
                                          1 month execution, 1 month evaluation,
                                          1 month implementing new controls
             Update the risk assessment document.
                 8/1/2009 - 12/31/2009    1 month FTE for execution
             Attend EuGridPMA three times a year (Europe).
                 7/30/2009 - 10/1/2010    3 weeks per year FTE
             Attend TAGPMA twice a year (Americas).
                 7/30/2009 - 10/1/2010    Olson; can skip. Intention is one
                                          meeting a year, a couple of days in
                                          North America
             Attend JSPG, remote only.
                 7/30/2009 - 10/1/2010    can skip
             Communicate CA/CRL outages to IGTF.
                 7/30/2009 - 10/1/2010    5 hours per month
             OSG review.
                 12/1/2009 - 12/31/2009   Altunay
             Automated merging of VO packages (leftover from last year).
                 8/20/2009 - 10/20/2009   Igor (Sfiligoi)
             Build interactive communication mechanisms with security
             contacts.
                 8/20/2009 - 12/31/2009   Altunay and Quick

Staff assignments (summary)

Sfiligoi     Tickets, vulnerability, drills
Anand        Monitoring tools, tickets, incidents
Basney       Support T3, software understanding, SHA-2 transition, EuGridPMA
Olson        RA, implement risk mitigation, documentation, education
Cudzewicz    ST&E
Altunay      T3 support, training, monitoring, ST&E

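Two of the proactive checks listed under WBS item 1.7.2 (establishing regular usage patterns from Gratia records, and checking whether a site has applied an announced patch by comparing its reported VDT version with the advisory's minimum fixed version), written out as an added example. This is illustrative code, not part of the WBS and not OSG's own monitoring tooling. The record layout, the site names, the version strings (including the "p3"-style patch suffix) and the advisory minimum version are all assumptions constructed for the example; Gratia's and RSV's real schemas are not used.

```python
"""Added example (not from the OSG security WBS or OSG's own tools):
two of the proactive monitoring checks listed under WBS 1.7.2, run over
constructed sample data.

  baseline_usage()  - builds a per-site baseline from Gratia-style weekly
                      job counts and flags weeks that deviate sharply from it
  unpatched_sites() - compares the VDT version each site reports against the
                      minimum fixed version named in a security advisory

The record fields, site names and version strings are assumptions made for
this example, not Gratia's or RSV's real schema.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (site, week, number of jobs) -- not real Gratia data.
SAMPLE_USAGE = [
    ("SiteA", 1, 1000), ("SiteA", 2, 1100), ("SiteA", 3, 950),
    ("SiteA", 4, 1050), ("SiteA", 5, 4000),   # sudden spike in week 5
    ("SiteB", 1, 200), ("SiteB", 2, 210), ("SiteB", 3, 190),
    ("SiteB", 4, 205), ("SiteB", 5, 0),       # site went silent in week 5
]

# Constructed sample: VDT version reported by each site (e.g. gathered by an
# RSV probe). The "p3" patch suffix is an invented convention for the example.
SAMPLE_VERSIONS = {
    "SiteA": "2.0.0",
    "SiteB": "1.10.1",
    "SiteC": "1.10.1p3",
    "SiteD": "1.9.0",
}


def baseline_usage(records, window=4, threshold=3.0):
    """Return [(site, week, jobs, z)] for every week after the baseline window
    whose job count lies more than `threshold` standard deviations from the
    site's own baseline (the first `window` weeks, taken as "normal").
    A positive z is a spike, a negative z a drop (e.g. a site going dark)."""
    by_site = defaultdict(list)
    for site, week, jobs in sorted(records, key=lambda r: (r[0], r[1])):
        by_site[site].append((week, jobs))

    anomalies = []
    for site, series in by_site.items():
        base = [jobs for _, jobs in series[:window]]
        if len(base) < 2:
            continue  # not enough history to form a baseline
        mu, sigma = mean(base), pstdev(base)
        if sigma == 0:
            sigma = 1e-9  # flat baseline: any change counts as a deviation
        for week, jobs in series[window:]:
            z = (jobs - mu) / sigma
            if abs(z) > threshold:
                anomalies.append((site, week, jobs, round(z, 1)))
    return anomalies


def parse_version(text):
    """Turn '1.10.1p3' into (1, 10, 1, 3) so versions compare numerically.
    Plain string comparison would wrongly rank '1.9.0' above '1.10.1'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def unpatched_sites(reported, minimum_fixed):
    """Sites whose reported VDT version is older than the advisory's minimum
    fixed version, i.e. sites that have not applied the announced patch."""
    need = parse_version(minimum_fixed)
    return sorted(site for site, ver in reported.items()
                  if parse_version(ver) < need)


if __name__ == "__main__":
    for site, week, jobs, z in baseline_usage(SAMPLE_USAGE):
        print(f"usage anomaly: {site} week {week}: {jobs} jobs (z={z})")
    for site in unpatched_sites(SAMPLE_VERSIONS, "1.10.1p3"):
        print(f"unpatched: {site} reports VDT {SAMPLE_VERSIONS[site]}")
```

The usage check deliberately flags drops as well as spikes: a site that suddenly reports zero jobs is as interesting to the incident-response side as one that is suddenly running four times its normal load, and a version-string comparison done numerically rather than lexically is the difference between a patch-compliance report that is trustworthy and one that quietly misses every site on a "1.9" release when the fix shipped in "1.10".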