...
Respect recognises that people are more important than software and machines. We must listen to the concerns and advice of our customers and stakeholders, following best practices.
Activities related to Information Security are grouped in Jira under https://voluntarily.atlassian.net/browse/VP-923?jql=text%20~%20%22platform%20security%22
Key Resources
Assets and Information Systems Catalogues and Owners of Technical Risk
To consistently apply an information security plan, all assets need to be catalogued. Each asset should have a specific owner who is accountable and responsible for the execution of processes that secure the asset. Asset catalogues should include information assets, technical components and information systems. Voluntarily needs to determine a risk ownership structure, which considers the impact to partners and contributors to the project.
https://voluntarily.atlassian.net/browse/VP-988
System Design - Creating a shared understanding among developers and outside contributors.
The Voluntarily platform is developed by a core set of employees as well as a wide range of outside contributors. To ensure the consistent application of security across the various modules, develop a series of engineering and design standards for:
https://voluntarily.atlassian.net/browse/VP-989
Access Control
Cryptography
Operations Security
Communications Security
System Lifecycle Activities
Operational Design - Tools and processes to operate the system securely.
The team should determine an approach to monitor and maintain the security of the platform through its lifecycle. The team should implement a series of tools and processes to address:
https://voluntarily.atlassian.net/browse/VP-990
System availability
Disaster Recovery
Change Management
Application and System Logging
Management of Technical Vulnerabilities
Disaster recovery and incident management plans.
The team should determine an approach to detecting and managing security incidents. The team should implement tools capable of centrally aggregating event logs and implement a process for reviewing events to determine if a security incident has taken place.
The team should develop the processes and procedures to manage the incident according to its impact and define the responsible parties. The team should define a disaster recovery plan and periodically test the plan to ensure the system can recover from a significant incident.
https://voluntarily.atlassian.net/browse/VP-991
Child pages (Children Display) |
---|