wiki:SecurityPlanOutline
Last modified 11 years ago Last modified on 08/22/2008 11:06:25 PM

This page is part of the Security topic.

Note: This wiki version of the security plan is out of date - see the attached document, security-plan.doc/pdf, for the current working draft.

Security Plan Outline

  1. Introduction - Bill - Draft started
    1. LSST Security Priorities
    2. Purpose of this document
    3. Partners & sponsoring institutions
  2. Common Policies - Ray & Bill (reviewed by Heather) - Draft started
  3. Security in LSST Systems
    1. Observatory Control System - Ron & Jim (reviewed by Tom) - Draft complete
    2. Archive Operations Systems - Bill & Ray (reviewed by Lee)
    3. Distributed Processing System - Bill & Ray (reviewed by Jim)
    4. Community Service System - Tom - Draft started
    5. Visitor Network - Heather (reviewed by Tom) - Draft complete
    6. Event System - Bill - Draft started
  4. Security in LSST Sites
    1. Summit and Base Facility - reviewed by Ray & Bill
    2. Archive Center
      • Including Science Centers and Software Development Centers
    3. Data Access Centers
    4. Education and Public Outreach Centers
  5. Applications - merge with Common Policies
    1. User Authentication and Authorization
    2. Service Trust
  6. Risks/Threats - Lee (reviewed by Tom & Ray) - Draft started

Diagram of whole of LSST network and facilities

Internal Outline for Systems

The major systems (OCS, AOC, CSS, DPS) have unique security requirements; using the Visitor Network as a model, we can describe them all with a similar structure:

  • Introduction
  1. Responsibilities
  2. Physical Operating Environment
  3. System Descriptions
    • Include a description of each major component
  4. Data Products
    • Data that are consumed, produced, and stored
    • Sources and destinations
    • Confidentiality
    • Integrity
    • Availability
  5. Management, Operational, and Technical Controls Descriptions
    1. Access Control
    2. Awareness and Training
    3. Audit and Accountability
    4. Configuration Management
    5. Contingency Planning
    6. Maintenance
    7. Media Protection
    8. Physical and Environmental Protection
    9. Security Planning
    10. Personnel Security
    11. Risk Assessment
    12. Systems and Services Acquisition
    13. System and Communications Policy
    14. System and Information Integrity

Level of Detail

The goal of this document is to describe LSST's major security issues and how to address them. It is one step in the process of developing a detailed security implementation.

  • Requirements: We need to clearly state them
  • Policies: High-level policies need to be clearly stated; details may still need to be worked out, especially when it comes to internal work flows
  • Architecture: Abstract. Our first priority is to identify the major parts of LSST's security anatomy; some details are clear, and others still need to be worked out.
  • Implementation: Examples. It will be helpful to mention representative technologies and products that would work, but it is not yet time to pin them all down.

Attachments