1 / 10

OSG Security Framework

Presented at MWSG 10.15 November 2006, this framework is based on FIPS and NIST 800 Series standards, covering security categorization, controls tasks, threat analysis, risk assessment, roles and relationships, and areas of concern. It emphasizes technical controls, training, and managing security.

stephenwilliams
Download Presentation

OSG Security Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OSG Security Framework Bob Cowles – SLAC / OSG Presented at MWSG10 15 November 2006

  2. Based on FIPS and NIST 800 Series • FIPS 199 – Security categorization • NIST 800-53A – Security Controls

  3. Tasks • Roles and relationships • Threat analysis • Risk Analysis • Areas of Concern

  4. Roles and Relationships • Users • VOs • Service providers • Software providers / packagers • Resource providers • Grid Facility • Identity providers • Other Grid organizations

  5. Threat Analysis • Flows into Risk analysis • Covers all perils unique to grids • Assume some level of due diligence (verify)

  6. Risk Analysis • Based on Confidentiality / Integrity / Availability requirements • Organizations have three dimensions • Users • Services/Resources • Software • Levels of risk • Affect the whole grid • Affect multiple sites or organization • Affect single sites / users/ organization • Objective is to reach LOW risk

  7. Areas of Concern • Technical Controls • Over People (administrators / users) - authN, authZ • Scanning (logs, intrusion detection, etc.) • Physical Security Controls • Operational Controls • Vulnerability Management • Configuration Management. • Data Integrity • Incident Response • Security Training and Awareness. • Management Controls • Integrated Security Management (roles & responsibilities) • Trust Relationships • Security Process Lifecycle

  8. OSG Security Activities • Security Plan for OSG Facility in Dec 06 • Work needed (multi-year plan) • Construction of plan & process for core • Construction of plans & policies regarding OSG’s relationship with other entities • Implementation • Operation

  9. Guiding Principles • Think globally, Act globally • Try to be complete in thinking about problems and solutions • As we formulate policies, realize they are interim until coordinated with other bodies • Maximize Interoperability!

  10. Sample Considerations for MWSG • Maintain contact information • Vulnerability reporting • Respond to vulnerability reports • Logging • Secure distribution • Complete AuthN/AuthZ verification

More Related