Risk Management and Security Controls in Research Computing


The EGI Foundation conducts risk assessments and implements security controls, most recently in collaboration with the EOSC-hub project. Each risk assessment evaluates security threats, scores their likelihood and impact, and recommends treatment (a security control) for threats with a high risk value. An internal audit of the EOSC-hub service management system highlighted the lack of a risk treatment sub-process, which led to a documented controls procedure and a first attempt at tracking controls. Most of EGI's security work already consists of controls (security policies, incident handling and vulnerability handling); some further controls are identified through risk assessments as treatment for specific threats. The result is a structured approach to risk management and security within the research computing environment.


Uploaded on Sep 20, 2024



Presentation Transcript


  1. ISM Controls And Risk Assessments
     Linda Cornwall, RAL/STFC/UKRI
     EGI: Advanced Computing for Research www.egi.eu @EGI_eInfra
     The work of the EGI Foundation is partly funded by the European Commission under the H2020 Framework Programme

  2. Risk Assessments - Method (EOSC-hub project)
     - Based on the WISE Risk Management templates: https://wise-community.org/risk-assessment/
     - Likelihood (1,2,3,4) and Impact (1,2,3,4) of each security threat. Multiply them together to get the risk value.
     - Risk of a threat is estimated with the controls ALREADY in place at the time of assessment.
     - Recommend treatment of threats with a high risk value => Security Control

  3. Risk Assessments carried out (in the context of EOSC-hub)
     - B2ACCESS (EUDAT access)
     - EGI Check-in
     - EOSC Marketplace Risk Assessment: general risks associated with this catalogue and with having a low barrier to entry to this catalogue
     - Some of the information is effectively [TLP:RED]

  4. Result of EOSC-hub SMS audit
     - The 2nd internal audit of the EOSC-hub SMS (in July 2020) gave ISM a non-conformity: a sub-process for risk treatment is not in place, including the definition and treatment of risk treatment measures, tracking of their implementation and review of their success/effectiveness.
     - So we wrote a procedure and made a first attempt at tracking controls in time for the audit in December 2020.

  5. What are Security Controls?
     - EOSC-hub ISM security controls: https://confluence.egi.eu/display/EOSC/ISM+Security+Controls+and+Risk
       o Probably needs some work/improvement
     - The EOSC-hub project has ended. This space is READ ONLY
       o As is all the information in the EOSC-hub Confluence
       o So the information will need moving elsewhere as well as revising
     - Most of what we do is security controls:
       - Security Policies
       - Incident handling
       - Vulnerability handling
     - Some are identified as a result of Risk Assessments, for treatment of threats

  6. ISM Controls procedure
     - Defined a procedure last year: https://confluence.egi.eu/display/EOSC/ISM6+Controls
     - Again: the EOSC-hub project has ended. This space is READ ONLY
     - Then we had a go at tracking controls

  7. RT queue ISM Controls
     - Set up mainly as a proof of concept
     - Fields include:
       - Subject
       - ISM Control ID
       - Service(s) affected
       - ISM Status
         o Defined
         o In Progress
         o Ready for review
         o Implemented
         o Retired
         o Closing for other reasons

  8. RT queue ISM Controls - 2
     - Proof of concept
     - Fields contd.:
       - Control Implementer(s)
       - Control Owner
       - Threat Description
       - Result of Risk Assessment (Y/N)
         o I.e. is the control the result of a risk assessment
       - Risk
       - ISM Control review date
       - ISM Control definer
       - Risk Assessment name

  9. ISM Controls in RT - examples
     - We entered 13 as examples:
       - 2 from the EOSC Marketplace Risk Assessment
       - 6 from the B2ACCESS Risk Assessment
       - 1 from the EGI Check-in Risk Assessment
       - 4 general ones

  10. ISM Control Example - Policies
     - Subject: Regular review of Security Policies
     - ISM Control ID: ISM-Control-010
     - Service(s) affected: [General]
     - ISM Status (one of):
       o Defined
       o In Progress
       o Ready for review
       o Implemented
       o Retired
       o Closing for other reasons

  11. ISM Control Example - Policies (2)
     - Control Implementer(s): The Security Policy Group / WISE SCI-WG
     - Control Owner: David Kelsey
     - Threat Description: Policies defining how various parties need to behave become insufficient and outdated
     - Result of Risk Assessment (Y/N): No (i.e. is the control the result of a risk assessment)
     - Risk:
     - ISM Control review date: Mon Feb 01 2021
     - ISM Control definer: David Kelsey - this has been carried out for many years.
     - Risk Assessment name: N/A
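The scoring rule from slide 2 (likelihood 1-4 times impact 1-4, estimated with the controls already in place) and the control record from slides 7, 8, 10 and 11 can be combined into a small register that opens a control for every high-risk threat and flags controls whose review date has passed. The following Python is an added example, not code from EGI, EOSC-hub or the WISE community. The high-risk threshold of 9, the permitted status transitions, the "Implemented" status given to ISM-Control-010 and the two sample threats with their scores are assumptions or constructed data, not taken from the slides.

```python
"""Risk register and ISM control tracker (added example, not EGI/EOSC-hub code).

Scoring follows the slides: likelihood 1..4 x impact 1..4, estimated with the
controls already in place. The high-risk threshold and the permitted status
transitions are assumptions; the slides define neither.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SCALE = range(1, 5)            # WISE template scale for likelihood and impact
HIGH_RISK_THRESHOLD = 9        # assumption: 3x3 and above gets a treatment control
LIVE = {"Defined", "In Progress", "Ready for review", "Implemented"}

# Status values from the RT queue; which moves are allowed is an assumption.
TRANSITIONS = {
    "Defined": {"In Progress", "Closing for other reasons"},
    "In Progress": {"Ready for review", "Closing for other reasons"},
    "Ready for review": {"Implemented", "In Progress", "Closing for other reasons"},
    "Implemented": {"Retired"},
    "Retired": set(),
    "Closing for other reasons": set(),
}


@dataclass
class Threat:
    assessment: str      # risk assessment the threat was recorded in
    description: str
    likelihood: int
    impact: int

    def risk(self) -> int:
        """Risk value = likelihood x impact; rejects values outside 1..4."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be in 1..4")
        return self.likelihood * self.impact

    def needs_treatment(self) -> bool:
        return self.risk() >= HIGH_RISK_THRESHOLD


@dataclass
class Control:
    """One ticket in the ISM Controls queue, using the field names from the slides."""
    control_id: str
    subject: str
    services_affected: list
    status: str
    implementers: list
    owner: str
    threat_description: str
    from_risk_assessment: bool
    risk: Optional[int]
    review_date: date
    definer: str
    risk_assessment_name: Optional[str]

    def transition(self, new_status: str) -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"{self.control_id}: {self.status} -> {new_status} not allowed")
        self.status = new_status

    def review_overdue(self, today: date) -> bool:
        return self.status in LIVE and today > self.review_date


def controls_for_assessment(threats, first_id, owner, review_date):
    """Open a Defined control for every threat whose risk value is high."""
    high = [t for t in threats if t.needs_treatment()]
    return [
        Control(control_id=f"ISM-Control-{n:03d}", subject=f"Treat: {t.description}",
                services_affected=[t.assessment], status="Defined", implementers=[],
                owner=owner, threat_description=t.description, from_risk_assessment=True,
                risk=t.risk(), review_date=review_date, definer=owner,
                risk_assessment_name=t.assessment)
        for n, t in enumerate(high, start=first_id)
    ]


def overdue_controls(controls, today):
    """IDs of live controls whose review date has passed: the reminder the plans ask for."""
    return [c.control_id for c in controls if c.review_overdue(today)]


# ISM-Control-010 as shown on the slides; status "Implemented" is assumed.
POLICY_REVIEW = Control(
    "ISM-Control-010", "Regular review of Security Policies", ["General"], "Implemented",
    ["Security Policy Group", "WISE SCI-WG"], "David Kelsey",
    "Policies defining how various parties need to behave become insufficient and outdated",
    False, None, date(2021, 2, 1), "David Kelsey", None)

# Constructed threats for illustration; the scores are not from any real assessment.
SAMPLE_THREATS = [
    Threat("EGI Check-in", "Stolen IdP credentials used to obtain tokens", 3, 4),
    Threat("EGI Check-in", "Audit log gap hides misuse of a service account", 2, 2),
]

if __name__ == "__main__":
    new = controls_for_assessment(SAMPLE_THREATS, 11, "Security Officer", date(2025, 1, 1))
    print([(c.control_id, c.risk) for c in new])                         # [('ISM-Control-011', 12)]
    print(overdue_controls([POLICY_REVIEW] + new, date(2024, 9, 20)))    # ['ISM-Control-010']
```

The one design point worth noting is that `review_overdue` ignores Retired and closed controls, so a migration to Jira that keeps the same status set can use the same rule for its review reminders; a control that is the result of a risk assessment carries the risk value and the assessment name with it, which is what lets the "look again at risk assessments already carried out" step on slide 12 find the controls that came from each one.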

  12. Plans: ISM Controls and Risk Assessments
     - Review the Controls procedure currently in EOSC-hub
       o Migrate it to wherever we need to put it. Confluence?
       o And where do all the ISM processes go? Do we go for an EGI SMS?
     - Migrate ISM controls from RT to Jira
       o Consider whether we document all controls, and use the tool to remind us to review
     - Look again at the Risk Assessments already carried out
       o And the controls coming from them
     - Consider more risk assessments

  13. Summary
     - ISM Controls are much of what we do
     - Risk Assessments may identify new controls that are needed, or inadequate controls which need revision
     - Controls may apply to a specific piece of software, to a specific infrastructure, or be more general
     - Best we track and review controls
