XSEDE Security Working Group Service Provider (SP) Guide & FAQ

Similar documents
RFC2350 TLP1: WHITE. Έκδοση National CSIRT-CY RFC2350

Oracle Data Cloud ( ODC ) Inbound Security Policies

Medical Device Vulnerability Management

Standard: Vulnerability Management & Standard

ISAO SO Product Outline

Certified Information Security Manager (CISM) Course Overview

Forensics and Active Protection

Update on the Key Initiatives Recommended by NTT Data regarding the Agency Cyber Security Framework

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

VMware vcloud Air Accelerator Service

How AlienVault ICS SIEM Supports Compliance with CFATS

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Project Management Pre-Implementation Project status reporting Post Implementation Assessment Phase Solidify Project Scope

Position Description IT Auditor

HIPAA RISK ADVISOR SAMPLE REPORT

Cybersecurity and Data Protection Developments

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Appendix 12 Risk Assessment Plan

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

SSR REVIEW IMPLEMENTATION REPORT (Public) *DRAFT*

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Appendix 12 Risk Assessment Plan

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

ITG. Information Security Management System Manual

Threat and Vulnerability Assessment Tool

Information Security Controls Policy

EPRI Research Overview IT/Security Focus. Power Delivery & Energy Utilization Sector From Generator Bus Bar to End Use

ITG. Information Security Management System Manual

Education Network Security

Master Information Security Policy & Procedures [Organization / Project Name]

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

UCSB IT Forum. April 15, 2014

Todd Sander Vice President, Research e.republic Inc.

SECURITY & PRIVACY DOCUMENTATION

NY DFS Cybersecurity Regulations August 8, 2017

Cyber security tips and self-assessment for business

THE AUTOMATED TEST FRAMEWORK

_isms_27001_fnd_en_sample_set01_v2, Group A

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

TEL2813/IS2820 Security Management

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

PECB Change Log Form

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

The Project Charter. Date of Issue Author Description. Revision Number. Version 0.9 October 27 th, 2014 Moe Yousof Initial Draft

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

Practitioner Certificate in Business Continuity Management (PCBCM) Course Description. 10 th December, 2015 Version 2.0

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

Enabling Efficient, Consistent Certification and Accreditation Enterprise-Wide

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Framework for Improving Critical Infrastructure Cybersecurity

Information Technology Branch Organization of Cyber Security Technical Standard

NCSF Foundation Certification

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

CompTIA CASP (Advanced Security Practitioner)

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Business Continuity Planning

Business Continuity and Disaster Recovery

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Implementing Cyber-Security Standards

NEN The Education Network

Information Security Program Audit Introduction and Survival Guide

Cyber Hygiene: A Baseline Set of Practices

TDWI Data Governance Fundamentals: Managing Data as an Asset

A company built on security

Synology Security Whitepaper

The Common Controls Framework BY ADOBE

Integrated Cyber Defense Working Group (ICD WG) Introduction

PATHWAYS TO INNOVATION IN DISASTER RISK MANAGEMENT. Paolo Venturoni CEO European Organisation For Security 4 th June 2018

SC27 WG4 Mission. Security controls and services

How to get the Enterprise to Understand the Value of Security

Scope Cyber Attack Task Force (CATF)

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Building Global CSIRT Capabilities

IT Governance Framework at KIT

FDIC InTREx What Documentation Are You Expected to Have?

Service Description of Advanced Services: Focused Technical Support and Network Optimization Support

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

The Office of Infrastructure Protection

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

ASD CERTIFICATION REPORT

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Multi-Factor Authentication (MFA) Interoperability Profile. Karen Herrington, Virginia Tech David Walker, Internet2 September 26, 2016

Critical Infrastructure Protection Version 5

FERC Reliability Technical Conference Panel III: ERO Performance and Initiatives ESCC and the ES-ISAC

Chapter X Security Performance Metrics

Emerging Issues: Cybersecurity. Directors College 2015

DATA BREACH NUTS AND BOLTS

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

Security Management Models And Practices Feb 5, 2008

Global Headquarters: 5 Speen Street Framingham, MA USA P F

CYBER SECURITY POLICY REVISION: 12

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

01.0 Policy Responsibilities and Oversight

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

MIS5206-Section Protecting Information Assets-Exam 1

ENTERPRISE ARCHITECTURE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Transcription:

XSEDE Security Working Group Service Provider (SP) Guide & FAQ September 12, 2013 Version 1.0 XSEDE- XSWoG- FAQ Page i

Table of Contents A. Document History... iii B. Document Scope... iv C. Document Body... 1 C.1. The XSEDE Security Working Group (XSWoG) FAQ... 1 C.1.1. What is the XSWoG?... 1 C.1.2. How do I contact XSWoG members?... 1 C.1.3. What do I do in case of a security emergency?... 1 C.1.4. Typical XSWoG Topics & Tasks... 1 C.1.5. Mailing Lists... 2 C.1.6. Email Encryption... 2 C.1.7. Teleconferences... 3 C.2. XSEDE Security Working Group Resources... 3 C.2.1. XSEDE Staff Wiki... 3 C.2.2. XSWoG Secure Wiki... 3 C.2.3. XSWoG Secure IM Service... 3 C.3. XSWoG Expectations... 3 C.4. Important XSEDE- specific Software Systems... 4 C.4.1. AMIE (Account Management Information Exchange)... 4 C.4.2. Inca... 4 C.4.3. Other ZSEDE Software & Services... 5 C.5. References... 5 XSEDE- XSWoG- FAQ Page ii

A. Document History Relevant Sections Version Date Changes Author Entire Document 1.0 9/12/2013 Baseline A. Slagell XSEDE- XSWoG- FAQ Page iii

B. Document Scope XSEDE is a large, distributed enterprise with complex procedures and policies. This guide is in- tended to assist new security personnel who are joining the XSEDE Security Working Group (XSWoG) to understand the policies and procedures in- place. XSEDE- XSWoG- FAQ Page iv

C. Document Body C.1. The XSEDE Security Working Group (XSWoG) FAQ C.1.1. What is the XSWoG? Created with the XSEDE Security Working Group Charter [1], the following definition for the XSWoG comes from the XSEDE Level 1 Service Provider Baseline Security Standard [2]: This group is responsible for creating security policies and procedures to be approved by the XSEDE Advisory Board, as well as helping to realize the goals set forth for XSEDE security operations. At a minimum, this group has the XSO, funded members of XSEDE security operations, and a representative from each Level 1 Service Provider (SP). Additional representatives and service providers may join up- on approval of the XSO. C.1.2. How do I contact XSWoG members? All members of the XSWoG have access to a shared wiki where individual contact information can be found [3]. To reach all XSWoG members, non- sensitive information can be sent to the ops- security@xsede.org mailing list. The XSWoG chair and XSEDE Security Officer can be reached at se- curity- lead@xsede.org. C.1.3. What do I do in case of a security emergency? Please refer to the XSEDE Security Playbook [4] for specific instructions and a flow chart. Emergen- cy contact information for individuals is available on the incident response wiki at [3]. There is a hotline that can be used 24 hours a day. This number is known to each site's Security Working Group lead. New sites should contact the Security- WG chair or XSEDE Security Officer for this information. C.1.4. Typical XSWoG Topics & Tasks The XSWoG focuses on a broad range of coordination, response, and planning efforts. Ongoing work involves policy and procedure development as well as coordinating emergency incident re- sponse. Typical projects coordinated by the Security- WG include pilot projects (e.g., OTP, science gateway authorization schemes, vulnerability management planning, etc.) as well as general processes such as review of certificate authorities and conducting risk assessments. Documents that have been drafted to date by the XSWoG include the: XSEDE Security Working Group Charter [1] XSEDE Security Playbook [4] XSEDE- XSWoG- FAQ Page 1

XSEDE Level 1 Service Provider Security Agreement (draft) [2] XSEDE Level 1 Service Provider Baseline Security Standard [5] XSEDE Acceptable Use Policy [6] XSEDE Community User Accounts Policy (draft) [7] XSEDE Security Working Group Newbie Guide & FAQ XSEDE Security Risk Assessment Final Report [8] C.1.5. Mailing Lists XSEDE Security Working Group (ops- security@xsede.org) To become a member of the XSWoG, and hence on this list, you must be a security representative from a XSEDE site. To request to be added to the mailing list, send email to the Security- WG lead at security- lead@xsede.org or work through your local site s primary XSWoG representative. Incident Discussion List (incident- discuss@xsede.org) ** Encrypted List ** The primary purpose for this list is to announce Incident Response meeting details and share non- critical Incident Response information with the XSEDE Incident Response team. This is a sub- team for the XSWoG for those actually involved in their institution s incident response. To be added to the incidents announce list and get the relevant encryption keys, send email to the Security- WG lead at security- lead@xsede.org or work through your local site s primary XSWoG representative. Incident Report (incident- report@xsede.org) ** Encrypted List ** This list is used to communicate critical security event information that requires immediate atten- tion of the XSEDE Incident response team. Because mail sent to this list may trigger emergency no- tification and escalation action, it should only be used for security emergencies that directly affect the XSEDE project. Subscription to this list is determined by the Incident Response contact per site as detailed in the XSEDE Security Contact List [3]. Security- WG Chair (security- lead@xsede.org) Email will be sent to the Security- WG Chair and XSEDE Security Officer and Level III Operations manager. C.1.6. Email Encryption Sensitive email sent to the incidents lists must be encrypted using a private, symmetric PGP/GPG key. Details can be obtained from the XSWoG chair or XSEDE Security Officer (XSO). XSEDE- XSWoG- FAQ Page 2

Email to individual XSWoG members may be encrypted using their PGP keys. Keys are regularly exchanged and signed at XSWoG face- to- face meetings and can also be obtained from key reposito- ries with proper verification. The XSWoG chair and XSO should sign all member keys to make verifi- cation simpler. C.1.7. Teleconferences XSEDE Security- WG call Currently, a weekly call is used for coordination and communication, with participation expected from all members Level 1 service providers. Planning activities, policy, current project updates, and security issues are discussed during these calls. Please contact the Security Working Group lead for the phone number and scheduling information (security- lead@xsede.org). Weekly Incident Response call A weekly call for Level 1 SP incident responders is used to review current security incidents and emerging threats. Discussion of tools, vulnerabilities, mitigations and detection methods are typical. C.2. XSEDE Security Working Group Resources C.2.1. XSEDE Staff Wiki Current projects, meeting minutes and draft documents are kept in the Security Operations section of the staff wiki [9]. C.2.2. XSWoG Secure Wiki The XSWoG uses a secure site [10] for incident documentation and other sensitive information. All XSWoG members should have access. If not, they can request it through their local SP s primary se- curity representative. C.2.3. XSWoG Secure IM Service The XSWoG uses a secure jabber service for information sharing and incident response coordina- tion. Configuration information can be found on the XSWoG Wiki [10]. Jabber accounts can be re- quested through your local SP s primary security representative who can contact the security leads at security- lead@xsede.org. C.3. XSWoG Expectations As noted in the XSEDE Level 1 Service Provider Agreement [2], SPs are expected to participate in the XSWoG and to make appropriate security and emergency contact information available for in- clusion in the XSWoG contact lists. Additional responsibilities include those outlined in the follow- ing documents: XSEDE- XSWoG- FAQ Page 3

XSEDE Level 1 Service Provider Security Agreement [2] XSEDE Level 1 Service Provider Baseline Security Standard [5] Security staff should also be aware of: XSEDE Security Working Group Charter [1] XSEDE Security Playbook [4] XSEDE Acceptable Use Policy (draft) [6] XSEDE Security Risk Assessment Final Report [8] In addition to understanding the above responsibilities, new sites are expected to participate in XSWoG activities and incident response coordination by: Attending and participating in XSWoG meetings, projects and tasks; Maintaining site Security/Incident Response points of contact; Participating in weekly incident response calls; Responding to security advisories issued by the XSWoG in a timely manner; and Participating in the XSEDE risk assessment process. C.4. Important XSEDE- specific Software Systems C.4.1. AMIE (Account Management Information Exchange) AMIE is an identity and accounting data management and transfer system used by XSEDE to repli- cate, update, and propagate accounts and accounting data. A security analysis of the AMIE protocol has been done and can be found in [11]. AMIE is typically implemented using a restricted, unprivileged account, which communicates over SSH. The AMIE software itself has not been reviewed for security by XSEDE staff. C.4.2. Inca Inca is a flexible framework for the automated testing, benchmarking and monitoring of Grid sys- tems. It includes mechanisms to schedule the execution of information gathering scripts, and to col- lect, archive, publish, and display data. The INCA software itself has not been reviewed for security by XSEDE staff. XSEDE- XSWoG- FAQ Page 4

C.4.3. Other ZSEDE Software & Services A system characterization of all XSEDE systems, software and other assets was compiled as part of the original XSEDE risk assessment. This can be found on the staff wiki at [12]. C.5. References [1] XSEDE Security Working Group Charter https://www.xsede.org/documents/10157/247425/xsede+security+working+group+charter.do cx [2] Draft XSEDE Level 1 Service Provider Security Agreement, https://www.xsede.org/web/staff/staff- wiki/- /wiki/main/xsede+security+policies [3] XSWoG Secure Wiki: Member Contact Info https://ops- security.xsede.org/wiki/xsede_security_contact_list [4] XSEDE Security Playbook http://hdl.handle.net/2142/45238 [5] XSEDE Level1 Service Provider Baseline Security Standard, http://hdl.handle.net/2142/45239 [6] Draft XSEDE Acceptable Use Policy, https://www.xsede.org/web/staff/staff- wiki/- /wiki/main/xsede+security+policies [7] Draft XSEDE Community User Accounts Policy, https://www.xsede.org/web/staff/staff- wiki/- /wiki/main/xsede+security+policies [8] XSEDE Security Risk Assessment Final Report, https://www.ideals.illinois.edu/handle/2142/44892 [9] XSEDE Staff Wiki: Security Operations, https://www.xsede.org/web/staff/staff- wiki/- /wiki/main/security+operations [10] XSWoG Secure Wiki, https://ops- security.xsede.org/wiki/main_page [11] AMIE Account Security Evaluation, J. Basney, February 2004. https://repo.xsede.org/head/account- management/doc/amie/ [12] XSEDE Staff Wiki: System Characterization, https://www.xsede.org/web/staff/staff- wiki/- /wiki/main/xsede+system+characterization XSEDE- XSWoG- FAQ Page 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback