denevers / PyHarvest

Naive harvesting of RDF into a postgresql database
GNU General Public License v3.0

Finish SAAR #14

Closed jvanulde closed 4 years ago

jvanulde commented 4 years ago

With the move to AWS from Azure, GSIP will fall under its own SAAR. Complete required forms and get sign-off from CIOSB.

denevers commented 4 years ago

In one of the access controls, it seems that we need

(c) Includes a description of the authorized uses of the system.

Do we need to add this to landing pages (and the map application)? Any boilerplate?

denevers commented 4 years ago

And how does this materialize in a web service / API (where a user bypasses the HTML view altogether)?

denevers commented 4 years ago

Some standing issues (in addition to AC-8 above)

AU-3

(A) The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

Are system logs (access log) sufficient?

SI-4(5)

INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

We don't really monitor for intrusion, although I suppose AWS handles this?
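The AU-3 question raised above (whether a plain web access log already carries every required element) can be checked mechanically rather than by inspection. The block below is an added example, not code from the PyHarvest project or from this issue. It assumes the web tier writes NCSA Combined Log Format, and it takes the hostname as a parameter because that format does not record the virtual host; the log lines are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample lines in NCSA Combined Log Format; not from any real GSIP deployment.
SAMPLE_LOG = [
    '203.0.113.7 - alice [10/Oct/2020:13:55:36 +0000] "GET /api/datasets/42 HTTP/1.1" 200 2326 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Oct/2020:13:56:01 +0000] "POST /api/datasets HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
]

# Combined Log Format: client ident authuser [timestamp] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# The six things AU-3 says an audit record must establish.
AU3_ELEMENTS = ("type", "when", "where", "source", "outcome", "identity")


def map_access_log_to_au3(line: str, host: str = "gsip.example") -> dict:
    """Map one access-log line onto the AU-3 elements; None marks an element the line cannot supply.

    `host` is an assumption: Combined Log Format has no vhost field, so the caller supplies it
    (or extends LogFormat with %v on the server side).
    """
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError(f"not a Combined Log Format line: {line!r}")
    f = m.groupdict()
    when = datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Apache/nginx write "-" when there is no authenticated user.
    identity = None if f["user"] in ("-", "") else f["user"]
    return {
        "type": f"{f['method']} {f['path']}",      # what kind of event
        "when": when.isoformat(),                  # when it occurred
        "where": f"{host}{f['path']}",             # where it occurred (host + resource)
        "source": f["client"],                     # source of the event
        "outcome": int(f["status"]),               # outcome (HTTP status)
        "identity": identity,                      # associated subject, if any
    }


def missing_au3_elements(record: dict) -> list:
    """Return the AU-3 elements this record leaves unestablished."""
    return [k for k in AU3_ELEMENTS if record.get(k) is None]


def audit_coverage(lines):
    """Evaluate every line and pair it with the elements it fails to establish."""
    return [(rec, missing_au3_elements(rec)) for rec in map(map_access_log_to_au3, lines)]


if __name__ == "__main__":
    for rec, missing in audit_coverage(SAMPLE_LOG):
        print(rec["type"], rec["outcome"], "missing:", missing or "none")
```

Run against the two sample lines, the authenticated request satisfies all six elements while the anonymous request leaves `identity` unestablished; an access log only meets AU-3's identity requirement for requests that actually carry an authenticated user, and it says nothing about events outside the web tier (database or OS actions), which is the caveat to record in the control comments.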

jvanulde commented 4 years ago

AU-3 I would say that we will rely on the logs. For SI-4(5) I would say, no unless we have organization-defined compromise indicators. I suppose we can ask for them. If the indicators don't exist then we can't do this.

jvanulde commented 4 years ago

In one of the access controls, it seems that we need

(c) Includes a description of the authorized uses of the system.

Do we need to add this to landing pages (and the map application)? Any boilerplate?

I suppose we need to, although I don't know of any system that has done this...

jvanulde commented 4 years ago

And how does this materialize in a web service / API (where a user bypasses the HTML view altogether)?

It doesn't. We just need to note this in the control comments.

denevers commented 4 years ago

Do you annotate the XLS file directly, or do you keep the controls documentation elsewhere?

jvanulde commented 4 years ago

I keep it in a separate doc

denevers commented 4 years ago

For AC-08, would a link to https://www.canada.ca/en/transparency/terms.html do the trick? (On the landing page, or create a GSIP welcome page with factual information; we have nothing other than the GitHub page.)

jvanulde commented 4 years ago

We could link to that. Perhaps in the footer of every page. This would need to be configurable though.

jvanulde commented 4 years ago

Sent to CIOSB.