...
I propose a mean of no combined score (Adam Slagell).
DaveK - I agree.
Hannah (meeting 8 July 16) - but what if something essential is marked zero? We could have mandatory and optional sub-requirements.
Standardize Language
The spreadsheet and SCIv1 document have ambiguities. For example, one refers to service providers and another to service operators.
...
Minutes of meeting on 13 May 2016 - Alf also notes that the Refeds Sirtfi activity has changed some of the wording in Incident Response. We should consider merging their changes back into SCI V2.
Meeting on 8 July 16 - Hannah - still try to avoid forking wherever possible, even if we do the full merging later. It was also noted that the scopes of SCI V2 and Sirtfi are different.
Base-level Examples
There are always questions of scope and completeness in filling out this evaluation form. While no implementation or documentation is ever exhaustive or covers every corner case, if there are significant holes then noting the scope that is covered is useful. For example, there may be centrally managed services for an infrastructure, while there is shared infrastructure at the resource providers that follows different policies. Or there may be different policies for different tiers of infrastructure that are worth noting.
...
DaveK - Me neither! I guess that we meant that because of changing threats it may be necessary to modify the process and this should be possible.
Meeting 8 July 16 - what about using the words "flexible and adaptive".
[OS4]
The capability to detect possible intrusions and protect the infrastructure against significant and immediate threats on the infrastructure.
...
What about IDS? Do we mean host-based or network-based? Best practice would be to implement at least something in this area.
Eli: Can also be done after the event by analysing log files.
Questions like "Can you detect brute-force SSH attacks? Do you have centralised logging? Can you correlate these logs?"
We can put details in the guidance document. It doesn't all have to be done - the main document needs to stay lightweight.
Meeting 8 July 16 - Alf - Good to describe best practices and things that have been found to work. DaveK - main thrust is to gather evidence that an infrastructure has addressed the issue.
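The discussion above mentions detecting brute-force SSH attacks after the event by analysing centrally collected log files. The following is an added example of what such a check can look like; it is not part of the SCI document or the meeting notes. It assumes sshd lines in the usual syslog format, a constructed (not real) set of log lines from several hosts, and a chosen threshold of five failures from one source within sixty seconds. Because the failures are grouped per source address across all hosts, it also shows why centralised logging matters: a source that spreads its attempts over several nodes is only visible when the logs are correlated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines from several hosts (not real data).
# Addresses are from the documentation ranges 198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24.
SAMPLE_LOG = """\
Jul  8 10:00:01 node1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Jul  8 10:00:03 node1 sshd[2103]: Failed password for root from 198.51.100.23 port 50124 ssh2
Jul  8 10:00:04 node2 sshd[3310]: Failed password for root from 198.51.100.23 port 50130 ssh2
Jul  8 10:00:06 node1 sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 50140 ssh2
Jul  8 10:00:07 node2 sshd[3315]: Failed password for invalid user oracle from 198.51.100.23 port 50142 ssh2
Jul  8 10:00:09 node1 sshd[2111]: Failed password for alice from 203.0.113.5 port 41000 ssh2
Jul  8 10:00:40 node1 sshd[2120]: Accepted publickey for alice from 203.0.113.5 port 41002 ssh2
Jul  8 10:15:00 node3 sshd[4001]: Failed password for root from 192.0.2.77 port 33001 ssh2
Jul  8 10:45:00 node3 sshd[4050]: Failed password for root from 192.0.2.77 port 33002 ssh2
Jul  8 11:20:00 node3 sshd[4090]: Failed password for root from 192.0.2.77 port 33003 ssh2
"""

# Matches the "Failed password" line sshd writes for a rejected password login.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2016):
    """Return (timestamp, host, user, source_ip) for every failed password login.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a sliding time window.

    Failures are pooled per source across all hosts, i.e. the view a
    centralised log collector has; a single host would see only its share.
    """
    by_ip = defaultdict(list)
    for ts, host, user, ip in sorted(events):
        by_ip[ip].append((ts, host, user))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits within window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                window = evs[start:end + 1]
                alerts[ip] = {
                    "attempts": count,
                    "hosts": sorted({h for _, h, _ in window}),
                    "users": sorted({u for _, _, u in window}),
                    "first": window[0][0].isoformat(),
                    "last": window[-1][0].isoformat(),
                }
                break  # one alert per source is enough for this report
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(parse_failed_logins(SAMPLE_LOG)).items():
        print(ip, info)
```

With the sample above, 198.51.100.23 is reported: its five failures are split between node1 and node2, so neither host on its own reaches the threshold. The three failures from 192.0.2.77 spread over an hour are not reported with a sixty-second window; slow attempts like these are the usual reason to keep a longer window or a second, lower-rate rule alongside the fast one.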
[OS5]
The capability to regulate the access of authenticated users.
...
DaveK - This is more about technical controls; OS7 relates to managerial controls.
Meeting 8 Jul 16 - Hannah - also overlaps with OS4
[OS6]
The capability to identify and contact authenticated users, service providers and resource providers.
...
DaveK - A community is a grouping of end-users. Could be a Research Infrastructure, a Virtual Organisation or an application community, often this is the entity to which resources are allocated and access is granted. There is probably a definition in the SCI V1 document glossary - need to check
Expected incident response times for an infrastructure must be documented and shared, and do not necessarily need formal SLAs, MOUs, charters, etc.
Meeting 8 Jul 16 - Warren - LIGO has a hierarchy of contact points
[IR2]
A formal Incident Response procedure. This must address: roles and responsibilities, identification and assessment of an incident, minimizing damage, response & recovery strategies, communication tools and procedures.
...