...
Meeting 8 July 16 - Alf - Good to describe best practices and things that have been found to work. DaveK - main thrust is to gather evidence that an infrastructure has addressed the issue.
Adam - I find this far too broad to be useful. You could monitor syslogs, but have no host-based IDS on endpoints. You could monitor networks, but not host-data. You could monitor border traffic, but not internal. You could monitor central services run by the infrastructures, but the service operators at independent organizations vary. You might be able to detect brute-force SSH attempts, but not other scans. I imagine what is considered IDS by CERN vs. EGI is very different, too. I would consider scoping this to particular threats or changing it to something about maintaining the log reords necessary to investigate an intrusion.
[OS5]
The capability to regulate the access of authenticated users.
There simply needs to be a way technical mechanism to suspend access and terminate existing sessions and jobs in an emergency.
Dave, how does this differ from OS7?
DaveK - This is more about technical controls, OS7 relates to managerial controls
Meeting 8 Jul 16 - Hannah - also overlaps with OS4
[OS6]
The capability to identify and contact authenticated users, service providers and resource providers.
...
Meeting 8 Jul 16 - Warren - LIGO has a hierarchy of contact points
I guess I am still confused. Let's take XSEDE as an example, anyone can create an account, and if a PI adds them to an allocation they are in our user community. If they are at a US university, I suppose we have security contacts through REN-ISAC and expected response times. If they aren't then I think we can only be guaranteed a method to contact the user. I would expect OSG and EGI to be similar w.r.t. end users.
[IR2]
A formal Incident Response procedure. This must address: roles and responsibilities, identification and assessment of an incident, minimizing damage, response & recovery strategies, communication tools and procedures.
...