Policy, Standards and Guidelines Breakout
Co-Chairs
• Victor Hazlewood, OCIO Cyber Security, ORNL
• Kim Milford, ISO, University of Rochester
Summary of discussions
• Commend NSF for putting a security plan in agreements. Good step forward.
• It is recognized that NSF supports a wide range of projects: large, medium and small.
• Protection of data and risk-based analysis are the key to the planning.
• Security planning requires thinking through how security is to be implemented; thinking about the associated costs follows from that as well.
• It is suggested that awardees and NSF program officers will need guidance.
Summary of discussions (cont'd)
Recommendations:
• Get more guidance from NSF on the security plan.
• Security frameworks and best-practice templates (e.g. NIST, EDUCAUSE, ISC2, etc.).
• Program officer security plan checklist. The checklist needs to be based on risk.
• Engage security experts to help awardees and program officers/reviewers.
• Incident response planning guide, flowcharts and resources (examples from TeraGrid, Yale, etc.).
• Acceptable Use Policy examples.
Summary of discussion so far
• Encourage dialogue between awardees and Program Officers.
• Start discussion about developing a protocol for notifying program officers about cyber security incidents (and other events that affect the program).
Security Plan
Language in the CA says the awardee must have a security plan that includes, but is not limited to:
• Policy and procedures
• Roles and responsibilities
• Risk assessment*
• Awareness and training
• Incident notification procedures
• Technical safeguards
• Administrative safeguards
• Physical safeguards*
* Items we discussed in the breakout.
Other Policies of Interest (Suggested List)
• Acceptable Use Policy*
• Media Protection*
• Incident Response*
• Access Control
• Audit and Accountability
• Security Assessment
• Configuration Management
• Contingency Planning
• Identification and Authentication
Discussions so far… Policies
• System Acquisition Policy and Procedures
• System and Communication Protection
• System and Information Integrity
• Personnel Security
• System Maintenance