1. OSG Security Review Mine Altunay March 12, 2008

2. 31 Jan 2008 2 Security Overview Current Initiatives  OSG Security roadmap  Technical and operational needs for long and short term (WBS 2.1.4)  Incident Mitigation Plans (WBS 2.3)  AuthN needs: GSI auth problems, CRLs, proxy clean up and VOMS-GUMS authN (WBS 2.1.1 and 2.1.9 and 2.1.9.1)  AuthZ needs: Banning tool, Uniform FQAN, MyProxy, AC validation (a request doc is written with Privilege project) (WBS 2.1.1 and 2.1.9 and 2.1.9.1)  More fire drills and site education (WBS 2.1)  Policy work  JSPG and OSG policies – incident response policy has priority (WBS 2.1.2 and 2.3.)  Revising old security plan against NIST guidelines (WBS 2.1.4)  Risk assessment (WBS 2.1.4, 2.3) Accomplishments Since Last Report (some in progress)  Web documentation completed (WBS 2.1, 2.1.5 – partial)  Security plan revision started – in early phase (in progress) (WBS 2.1.4)  made an outline, Doug is in charge  Privacy Policy completed, sent for reviews (WBS 2.3)  Met Kelsey at all hands and sent OSG comments on (WBS 2.3, 2.3.2, 2.3.1)  Traceability and Pilot policies

3. 31 Jan 2008 Security Overview  Met or contacted all VO and site contacts (WBS 2.3.1)  Asked them to identify personnel for roles  updated roles and contact info  OSG VO AUPs and registration workflows (WBS 2.3.1)  contacting and sending templates to other VOs (in progress)  OSG EDU, Engage, CMS and ATLAS  They send their AUP and Registration Policy (Ron C in charge)  By April 16 th – already met and started with CMS and EDU  Technical work  Official request for Banning Tool (WBS 2.1, 2.1.2, 2.1.9.1)  Met with SAZ team and preparing an official requirements document (WBS 2.1.9.1)  Talking with GT on their roadmap (WBS 2.1.9.1)  Wrote security requirements for Gratia (WBS 2.1 and 2.1.9.1)  Examining splunk tool with CST, will test this week for our needs (WBS 2.1.9.1) Issues / Concerns  Effort– Jim Basney starting at April. Ron already started – very helpful  Incident sharing and privacy concerns  Lack of security education, and incidents  We need more fire drills and discuss OSG responsibilities  Lack of attendance at security meetings – our facility team 3

4. 31 Jan 2008 4 WBS Security WBS Milestone TaskStartFinishComplete 2.1.1NoMaintain/monitor operational securityPetravick10/1/079/30/08 0%  50% 2.1.2NoExecute incident response process (as needed) Altunay10/1/079/30/0870% 2.1.4YesV2 of Security Management PlanAltunay10/1/0712/3/0750% 2.1.5NoDevelop and Execute Security Training for all key OSG stakeholders Altunay2/18/083/7/0850% 2.1.7NoFirst security audit of OSG Assets - January 2008 Altunay1/2/081/31/080% 2.1.8NoSecond security audit of OSG assets – July 2008 Altunay7/1/087/31/080% 2.1.9NoPlan review of contributions from external projects (Auditing, VO Services, CEDPS, etc.) Petravick10/1/079/30/080%  75% 2.1.9.1NoIdentify and drive operational and functional requirements to external projects Petravick10/1/079/30/080%  50% 2.1.9.2NoReview contributions from external projects Altunay10/1/079/30/080%  25%

5. 31 Jan 2008 WBS Security 2.2NoManage and maintain OSG Registration Authority Olson10/1/079/30/08100% 2.3NoReview and Implement Policy needs of OSG Altunay10/1/079/30/0810%  25% 2.3.1NoDefine common local policies for VOsAltunay10/1/079/30/0815 %  30% 2.3.2NoInteraction with other Grid ProjectsCowles, Altunay 10/1/079/30/085%  75% 2.4 No Quarterly area status, progress, issues into twiki Altunay10/1/079/30/0825%  100% 5