Information Security Plan 2020
This plan results from the Information Security Management System Gap Analysis report provided by Axenic to TEC/Voluntarily in 2019.
The report acknowledged that the Voluntarily platform has been based on good fundamental security design practices but the organisation is immature in its documentation and implementation of security processes, practices, standards and toolsets.
The key recommendations are summarised in Information Security and the Jira epic https://voluntarily.atlassian.net/browse/VP-923. Each specific recommendation is listed as a Jira subtask grouped into four key user stories organised as
Tasks are identified as High, Medium or Low priority mapping onto P1, P2, P3 ratings in the report.
High priority tasks should be in place before initial production go-live (June 2020).
Medium priority tasks should be implemented before the end of 2020.
Output from the tasks will result in:
Documentation of policy, processes, guidelines, developer training materials etc. This documentation will be placed into this wiki, organised under Information Security, How its run - Operations, or How we build - Software Engineering. Pages will be linked to the task tickets to support verification and future auditing.
Changes to source implementation and deployment infrastructure. These will generate specific Jira change requests and will be implemented and deployed per the usual mechanism.
Asset, Role, Risk and Business process Registers. These will be implemented as templated pages in the wiki, e.g. Asset Register, Role Register.
Overall accountability for ensuring Information Security lies with the Information Security Manager, with responsibility residing in the Operations Manager and Development Manager. At this time (Jan 2020) these roles are all held by @Andrew Watkins.