Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Respect recognises that people are more important than software and machines. We must listen to the concerns and advice of our customers and stakeholders, following best practices.

Activities related to Information Security are grouped in Jira under https://voluntarily.atlassian.net/browse/VP-923?jql=text%20~%20%22platform%20security%22

Key Resources

Assets and Information Systems Catalogues and Owners of Technical Risk

To consistently apply an information security plan, all assets need to be catalogued. Each asset should have a specific owner who is accountable and responsible for the execution of processes that secure the asset. Asset catalogues should include information assets, technical components and information systems. Voluntarily needs to determine a risk ownership structure, which considers the impact to partners and contributors to the project.

https://voluntarily.atlassian.net/browse/VP-988

Asset Register

Role Register

System Design - Creating a shared understanding among developers and outside contributors.

The Voluntarily platform is developed by a core set of employees as well as a wide range of outside contributors. To ensure the consistent application of security across the various modules, develop a series of engineering and design standards for:

https://voluntarily.atlassian.net/browse/VP-989

  • Access Control

  • Cryptography

  • Operations Security

  • Communications Security

  • System Lifecycle Activities

Security Design Principles

Operational Design - Tools and processes to operate the system securely.

The team should determine an approach to monitor and maintain the security of the platform through its lifecycle. The team should implement a series of tools and processes to address:

https://voluntarily.atlassian.net/browse/VP-990

  • System availability

  • Disaster Recovery

  • Change Management

  • Application and System Logging

  • Management of Technical Vulnerabilities

Disaster recovery and incident management plans.

The team should determine an approach to detecting and managing security incidents. The team should implement tools capable of centrally aggregating event logs and implement a process for reviewing events to determine if a security incident has taken place.

The team should develop the processes and procedures to manage the incident according to its impact and define the responsible parties. The team should define a disaster recovery plan and periodically test the plan to ensure the system can recover from a significant incident.

https://voluntarily.atlassian.net/browse/VP-991

Child pages (Children Display)