Keith Chadwick    20646716-9690-450c-be85-15c33e8f1fdb.xls - Security Tasks    5/1/2011

| Task ID | Task Title | Control Implementation | Assigned To | Quantity of Control Implementation Work | ST&E Person | ST&E Default Timescale | ST&E Type | Last Date | Quantity of ST&E Work to Implement (small, medium, large, xtra-large) | Comments |
|---|---|---|---|---|---|---|---|---|---|---|
| 2.3.1.1 | Roles and Responsibilities | Org chart published and filled out | | Small | OSG Security Officer | 6 months | Examination | | small | |
| 2.3.1.2 | Awareness for OSG Managers | Awareness materials created, containing all necessary information | | Large | OSG Security Officer | Yearly | Examination | | | |
| 2.3.1.3 | Accountability of Sites, Users, and VO's | Develop interview questions | | Small | OSG Security Officer | Yearly | Interview | | | |
| 2.3.1.3 | Accountability of Sites, Users, and VO's | Awareness materials created with accountability section | | Medium | OSG Security Officer | Yearly | Examination | | | |
| 2.3.2.1 | Computer Security Lifecycle Meeting | Meeting notes archived | Petravick | Small | OSG Security Officer | Yearly | Examination | | small - weekly, medium - integrated | |
| 2.3.2.2 | Briefing of the Executive Board | Executive Board Meeting Minutes archived | Petravick | Small | OSG Security Officer | Yearly | Examination | | small | |
| 2.3.2.3 | Risk Assessment | Write Risk Assessment | | Large | OSG Security Officer | Yearly | Examination | | small | |
| 2.3.2.4 | Policies, Plans, and Procedures | Identify documents and archive them | | Medium | OSG Security Officer | Yearly | Examination | | small | |
| 2.3.2.5 | Self Assessment | Perform self-assessment, archive procedure | Petravick | Large | OSG Security Officer | Yearly | Examination | | small | |
| 2.3.2.6 | Peer Review | Perform peer review, archive procedure | Pordes | Large | OSG Security Officer | Bi-Annually | Examination | | small | |
| 2.3.3.1 | Trust Relationships - Approval | Create trust relationship document | Pordes | Large | | Yearly | Examination | | small | |
| 2.3.3.2 | Documentation | Document existing trust relationships | | Small | | Yearly | Examination | | small | |
| 2.3.3.3 | Clear Roles and Responsibilities | Document roles and responsibilities | | Medium | | Yearly | Examination | | small | |
| 2.3.3.4 | Yearly Review | Determine review criteria and document | | Medium | | Yearly | Examination | | small | |
| 2.4.1.1 | Formal Role-Based Training | Identify needed training and develop it | | Large | | 6 months, new roles, new individuals | Examination | | medium | |
| 2.4.1.2 | Regular OSG Core Security Phone Conference | Archive minutes | Petravick | Small | | Yearly | Examination | | small - weekly, medium - integrated | |
| 2.4.1.3 | OSG Security Mailing Lists | Subscribe to appropriate lists, monitor lists | | Large | | Yearly | Examination | | small | |
| 2.4.1.4 | Security Briefing at Consortium Meetings | Archive briefings and discussion material | | Small | | | Examination | | small | |
| 2.4.2.1 | Incident Planning | Write Incident Response Plan | | Large | OSG Security Officer | Yearly | Examination | | small | |
| 2.4.2.2 | Incident Discovery | Develop Incident discovery procedure | | Medium | | Yearly | Interview, Test | | small | |
| 2.4.2.3 | Invocation of the Incident Response Plan | Develop Incident Response Infrastructure | | Medium | OSG Security Officer | Yearly | Examination, Test | | small | |
| 2.4.2.4 | Incident Handling | Develop Incident Handling Infrastructure | | Medium | OSG Security Officer | Yearly | Examination | | small | |
| 2.4.2.5 | Incident Analysis | Develop Incident Analysis Infrastructure | | Medium | OSG Security Officer | Yearly | Examination | | small | |
| 2.4.3.1 | Integrity and Availability | Create service plans | | Medium | | Yearly | Examination | | small | |
| 2.4.3.2 | Identification and Handling of Sensitive Personnel Data | Create list of forbidden business data, create plan | | Medium | | Yearly | Examination, Interview | | small | |
| 2.4.3.3 | Identification and Handling of Restricted Data | Create plan | | Medium | | Yearly | Examination, Interview | | small | |
| 2.4.3.4 | Identification and Handling of Limited Distribution Data | Create plan | | | | Yearly | Examination, Interview | | small | |
| 2.4.3.5 | Classification by the OSG Security Officer | In awareness materials | | Small | | Yearly | Examination | | small | |
| 2.4.4.1 | Monitoring | Develop monitoring of configuration data | | Large | | | Examination, Test | | small | |
| 2.4.4.2 | Version Control | Configuration data in version control system | | Medium | | | Examination | | medium | |
| 2.4.4.3 | Security Review of Proposed Changes | Develop procedure and guidelines for review | | Large | | | Examination | | medium | |
| 2.4.5.1 | General Vulnerability Reporting | Develop reporting mechanisms | | Small | | Yearly | Interview | | small | |
| 2.4.5.2 | Primary Vulnerability Reporting | Develop reporting mechanisms, archive vulnerability logs | | Small | | Yearly | Examination | | small | |
| 2.4.5.3 | Secondary Vulnerability Awareness | Develop reporting mechanisms, archive vulnerability logs | | Small | | Yearly | Examination | | small | |
| 2.4.5.4 | Primary Vulnerability Mitigation | Archive vulnerability reports, develop vulnerability mitigation procedures | | Medium | | Yearly | Examination | | medium | |
| 2.4.5.5 | Special Roles of the OSG Security Officer | Document these roles | | Small | | | Examination | | small | |
| 2.4.5.6 | Vulnerabilities, Vulnerability Communications and the OSG Security Lifecycle | Document in lifecycle process | | Small | | | Examination | | medium | |
| 2.4.5.7 | Vulnerability Awareness | Document in awareness materials | | Medium | | Yearly | Examination | | medium | |
| 2.4.6.1 | Physical Access | Develop physical access criteria and publish | | Medium | | | Interview | | small | |
| 2.4.6.2 | Console Access | Develop console access procedures | | Small | | | Examination | | small | |
| 2.4.6.3 | Network Access | Develop network access criteria | | Medium | | | Interview | | small | |
| 2.4.6.4 | Network Service Restrictions | Identify minimum set of network services and document | | Medium | | | Interview | | small | |
| 2.4.6.5 | Redundancy | Write redundancy plans | | Medium | | | Examination | | small | |
| 2.4.6.6 | Data Retention | Create tools for log retention | | Medium | | | Interview | | small | |
| 2.5.1.1 | Recording of Resource Usage Using Accounting | Develop plan for archiving of accounting records & develop tools for inspection | | Large | OSG Security Office | Yearly | Examination | | medium | |
| 2.5.2.1 | Authentication for Privileged Access | Document allowed access and log retention policy | | Medium | OSG Security Office | Yearly | Test | | small | |
| 2.5.2.2 | Authorization for Privileged Access | Document privileged users | | Small | OSG Security Office | Yearly | Examination | | small | |
| 2.5.2.3 | Non-privileged User Access | Develop procedures for non-privileged users | | Medium | OSG Security Office | Yearly | Interview | | small | |
| 2.5.3.1 | Web Service Vulnerability Scanning | Develop web scanning tool | | Large | OSG Security Office | Yearly | Examination | | medium | |
| 2.5.3.2 | Web Intrusion Detection Scanning | Develop web intrusion detection tool | | Large | OSG Security Office | 6 months or upon detection of an intrusion | Examination | | medium | What if find lg #'s of intrusions |
| 2.5.3.3 | Vulnerability Scanning | Develop vulnerability scanning tool, keep up-to-date with detectors. | | Large | OSG Security Office | Yearly | Examination | | medium | |

Task duration key:

| Task Duration | Time Interval |
|---|---|
| small | <= 1 day |
| medium | <= 1 week |
| large | <= 1 month |
| x-large | > 1 month |