Policy, Standards and Guidelines Breakout
Co-Chairs: Victor Hazlewood (OCIO Cyber Security, ORNL) and Kim Milford (ISO, University of Rochester)
Summary of discussions
· Commend NSF for putting a security plan in agreements! A good step forward.
· The wide range of projects that NSF supports (large, medium, small) is recognized.
· Protection of data and risk-based analysis is the key for the planning.
· Security planning requires thought about how security is to be implemented, and thought about the associated costs follows as well.
· It is suggested that awardees and NSF program officers will need guidance.
Summary of discussions (cont'd)
· Recommendations:
  - Get more guidance from NSF on the security plan
  - Security frameworks and best-practice templates (e.g. NIST, EDUCAUSE, (ISC)², etc.)
  - Program officer security plan checklist; the checklist needs to be based on risk
  - Engaging security experts to help awardees and program officers/reviewers
  - Incident response planning guide, flowcharts, resources (examples from TeraGrid, Yale, etc.)
  - Acceptable Use Policy examples
Summary of discussion so far
· Encourage dialogue between awardees and Program Officers
· Start discussion about developing a protocol for notifying program officers about cyber security incidents (and other events that affect the program)
Security Plan
· Language in the CA says it must have a security plan with, but not limited to:
  - Policy and procedures
  - Roles and responsibilities
  - Risk assessment*
  - Awareness and training
  - Incident notification procedures
  - Technical safeguards
  - Administrative safeguards
  - Physical safeguards
* - ones we discussed in the breakout
Other Policies of Interest (Suggested List)
· Acceptable Use Policy*
· Media Protection*
· Incident response*
· Access Control
· Audit and Accountability
· Security Assessment
· Configuration Mgmt
· Contingency Planning
· Identification and Authentication
Discussions so far… Policies
· System Acquisition Policy and Procedures
· System and Communication Protection
· System and Information Integrity
· Personnel Security
· System Maintenance