This plan results from the Information Security Management System Gap Analysis report provided by Axenic to TEC/Voluntarily in 2019.

The report acknowledged that the Voluntarily platform has been based on good fundamental security design practices, but the organisation is immature in its documentation and implementation of security processes, practices, standards and toolsets.

The key recommendations are summarised in Information Security and the Jira epic https://voluntarily.atlassian.net/browse/VP-923. Each specific recommendation is listed as a Jira subtask grouped into four key user stories organised as

Tasks are identified as High, Medium or Low priority, mapping onto the P1, P2, P3 ratings in the report.

High priority tasks should be in place before initial production go-live (June 2020).

Medium priority tasks should be implemented before the end of 2020.

Output from the tasks will result in:

  1. Documentation of policy, processes, guidelines, developer training materials etc. This documentation will be placed into this wiki, organised under Information Security, How it's run - Operations, or How we build - Software Engineering. Pages will be linked to the task tickets to support verification and future auditing.

  2. Changes to source implementation and deployment infrastructure. These will generate specific Jira change requests and will be implemented and deployed per the usual mechanism.

  3. Asset, Role, Risk and Business Process Registers. These will be implemented as templated pages in the wiki here, e.g. Asset Register, Role Register.

Overall accountability for ensuring Information Security lies with the Information Security Manager, with responsibility residing in the Operations Manager and Development Manager. At this time (Jan 2020) these roles are all held by Andrew Watkins.

Work Plan

  • Organise report recommendations into Jira & prioritise
  • Create documentation space in Confluence
  • Outline work plan and principles
  • Create initial Asset and Role Registries
  • Document existing policy and processes
  • Identify and schedule high priority system design changes
  • Define operational platform
  • Identify AWS cloud support to review platform design (ask Amazon).
  • Recruit Operations Manager