Cybersecurity Requirements for RPs v1

Infrastructure Integration Roadmap Task

Task Type(s): Technology
Start by phase: Integration
Complete by phase: Operations
RP role(s): Cybersecurity and incident response contact(s)

Summary

The cybersecurity requirements for RPs ensures that the ACCESS community’s cybersecurity needs are satisfied when a new service is added to the system. For instance: membership and participation in incident response, vulnerability patching and mitigation, retention of system logs, etc. Requirements are driven by ACCESS community policies.

The purpose of this document is to define the expectations and responsibilities of the ACCESS Resource Providers with respect to security and incident response. These requirements ensure the ability to (i) protect ACCESS assets, (ii) respond to threats to those assets, and (iii) maintain the lines of communication necessary for the former two goals.

Effort

It is difficult to estimate the time and effort required because each RPs cybersecurity program and implementations are different. However, many of these are considered best practices or baseline controls and RPs are likely to be implementing most of these already. Nonetheless, resources must be devoted to ensure that the standards are properly implemented and processes developed to ensure they are maintained.

Prerequisite tasks

None

Support Information

For assistance with this task see the Support Information section in the Integration Roadmap Description.

Detailed Instructions

Description

Requirements for this review are driven by ACCESS community policies, listed below.

  1. ACCESS Core Information Security Policy and Procedures

  2. ACCESS Vulnerability Management Policy

  3. ACCESS Training and Awareness Policy (Under Development)

  4. ACCESS Identity and Access Management Policy (Under Development)

  5. ACCESS Information Classification Policy (Under Development)

  6. ACCESS Disaster Recovery Policy (Under Development)

  7. ACCESS Privacy Policy

  8. ACCESS Incident Response Policy

  9. ACCESS Acceptable Use Policy

  10. ACCESS Security Standards

Responsibilities

  1. Beyond just reporting security incidents, the RPs incident response point of contact is expected to actively participate in investigations as appropriate. This requires the RP to keep appropriate logs for ACCESS relevant systems.

  2. Be able to determine if resources are affected by a particular vulnerability, and work with their staff to patch or mitigate.

  3. Protect sensitive information (phone contacts, PGP keys, wiki accounts, etc) as it relates to ACCESS and the AIRTG

  4. Make any local security and privacy policies available and easy to find for ACCESS users who may be running jobs on their systems. For example Acceptable Use, Incident Response, etc.