...

There are always questions of scope and completeness in filling out this evaluation form. No implementation or documentation is ever exhaustive or covers every corner case, but if there are significant holes, it is useful to state in the form the scope that is covered. For example, there may be centrally managed services for an infrastructure, while there is shared infrastructure at the service resource providers that follows different policies. Or there may be different policies for different tiers of infrastructure worth noting.

...

Examples of compliance mechanisms are top-level security policies, service resource provider agreements, and terms of service that allow the organization to enforce policies for entities bypassing the model. For example, a service resource provider setting up a gateway which bypasses authentication and authorization by sharing an account might be cut off from resources for breaking the model.

...

This item differs from the patch management process in that it is about software owned or distributed by the infrastructure to the resource providers. In OS2 we might be talking about an XSS flaw in the user portal or website for the infrastructure, whereas here we might be talking about accounting or job submission software pushed out to all the service operators.

...

Dave, I don't know what to say about "dynamic".

[OS4]

 The capability to detect possible intrusions and protect the infrastructure against significant and immediate threats on the infrastructure.

...

Dave, I don't know how useful this is without agreeing on a few required threats and actions. Maybe you should be able to block IPs or networks, detect brute-force attacks, lock out accounts and detect compromised accounts. I don't know what others count as significant.

[OS5]

  The capability to regulate the access of authenticated users.

There simply needs to be a way to suspend access and terminate existing sessions and jobs in an emergency.

[OS6]   

 The capability to identify and contact authenticated users, service providers and resource providers.

Identifying users could be as simple as having unique usernames tied to email addresses. Each resource provider should have a contact for security incidents recorded in a central place as well as the admin for each service. This could simply be a spreadsheet in a shared location.

...

Some explanations from Dave Kelsey (my personal views - recalling the history)

...