06/22/2022 SAR Security Review

Date	15 Jun 2022
Time	10.00 am
Duration	60 mts
Location	Zoom
Zoom
Attendees	Ashish Pandit Unknown User (mkgill) Achraf Adenane Nathalie Gholmieh
Project/Program	Security Assessment remediation - SAR
Project Board	ITS PMO
Log Time
OTL
Objective(s)	Implement SAR Remediations. There are following items for the agenda Review feedback on decision log - SAR-12 - Data Flow and dataflow classification -SAR-21- Mitigaterisk - Developers can connect directly to the iPaaS system without utilizing a jump box. SAR-85 Splunking the access logs -SAR-18-Design processes to ensure that production data doesn't flow in non-prod environments - SAR 29 - Review third-party remote access to ensure access is still required - SAR-15 Setup Periodic reviews of user account groups and roles Review Standard OTL for security remediation https://collab.ucsd.edu/display/SAR/SaR+OTL

Notes:

Speaker	Description	Notes
SAR	Review the remediations that are ready for Security review	Ashish Pandit did send the items under security review to Achraf Adenane and Daniel Quach at least 1 day before the meeting, Thanks! Below remediations are under review: https://collab.ucsd.edu/display/SAR/RA-21+-+Ensure+developers+can+not+connect+to+iPaaS+System Currently, there are different ways for administrators, developers to connect to the ipaas system (UI, api, dev console etc). We need to decide which one is applicable for this risk. Current assumption is that admin and developer UI is in scope but machine to machine to interaction is excluded Decide possible changes actions based on the scope RA-104, 4 and 5 https://collab.ucsd.edu/display/SAR/SAR+29+-+Review+third-party+remote+access+to+ensure+access+is+still+required https://collab.ucsd.edu/display/SAR/Data+and+Data+flow+Classification https://collab.ucsd.edu/display/SAR/RA-5+Production+data+usage
	Next Steps	These remediations status will be updated as "Complete" by Achraf Adenane Unknown User (mkgill) to add the status "Out Of Scope" to list : Not Started Analysis - In Progress Analysis - Reviewed Solution - In Process Solution - Reviewed Out of Scope