Versions Compared

Old Version 4

changes.mady.by.user Nicole Harris

Saved on

compared with

New Version 5

changes.mady.by.user Nicole Harris

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SourceProposalRequirements
AARC reportAssist federation participants and Federation Security Incident Response Coordinator in performing appropriate investigation, system analysis and forensics, and strive to understand the cause of the security incident, as well as its full extent. Identifying the cause of security incidents is essential to prevent them from reoccurring. The time and effort needs to be commensurate with the scale of the problem and with the potential damage and risks faced by affected participants.
  • Unique global identifier for the incident to support communication.
  • Support for incident response classification with edugain-support area of OTRS.
  • Define how far into the analysis and forsenics the eudGAIN team will be required to go.  Is this purely support / coordination or is this managing forsenic analysis on behalf of participants.
  • Secure communication channel (secure IRC channel?  e-mail?).  Challenge will be to not restrict communication through use of non-friendly tools.
  • Would suggest an additional role of ensuring the correct e-mail addresses (Sirtfi contacts) are being used in the communication.
AARC reportIn collaboration with Federation Security Incident Response Coordinators, ensure all affected participants in all federations are notified via their security contact with a “heads-up” within one local working day.
  • Robustly covered support desk with back-up and holiday cover to meet this target.  Even then identifying on this timescale is a challenge.
  • Can only cover orgs with security contacts, or use other contacts?
AARC reportCoordinate the security incident resolution process and communication with affected participants until the security incident is resolved.
  • Identify if / when Federation Operators have signed up to play a role.
  • Clarity on coordination vs management of incident.
AARC reportEnsure suspension of service (if applicable) is announced in accordance with federation and interfederation practices.
  • Just ensure it is announced or that it happens?
  • Requires action by Federation Operator (eduGAIN OT cannot suspend individual services).
  • Requires metadata refresh.
AARC reportShare additional information as often as necessary to keep all affected participants up-to-date with the status of the security incident and enable them to investigate and take action should new information appear.
  • As per typical request ticket.
AARC reportAssist and advise participants in taking corrective action, or restoring access to service (if applicable) and legitimate user access.
  • Define expectations here.  What can eduGAIN actually achieve?
AARC reportProduce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER [3] or higher.
  • We need to define a communication process here.  There will be a need to share 1) at a public level and 2) at affected parties level.  I don't see why a Sirtfi contacts only level would be appropriate, needs clarifying.
  • Define a role for the comms team - training through CLAW workshop?
AARC reportUpdate documentation and procedures as necessary.
  • Ensure responsible owners are actioned in eduGAIN OT, Service Management, support desk etc.
GeneralFreshness of contact data
  • Put in place a response testing process for Sirtfi email addresses.
GeneralGDPR compliance of supporting information sharing and appropriately expiring tickets.