Tuesday, November 4, 2014

New CTSC Cybersecurity Plan published

About a year ago, CTSC published its own cybersecurity plan. As part of that plan, the plan itself receives an annual review. That review has been completed and version 2.0 of the plan and supporting documents have been published on CTSC's website. The supporting documents include an analysis via Attack Trees, a System Characterization, and a Threat Assessment.

While all of these documents received some updates, the updates in the main version 2.9 Policies and Procedures document were:
  • Minor changes for clarity.
  • Added clause that Google accounts used to access Google Drive are used exclusively by a CTSC staff member.
  • Added Section 6 on Revocation of Access.
  • Changed “private” information to “engagement-related” information.
  • Labeling of sensitive information only required “whenever feasible.”
  • Removed requirement for encryption of sensitive data at rest due to complexity of implementation in a group setting.
  • Added annual review of Google account and domain in which CTSC documents reside.
We've learned a lot about developing cybersecurity plans for NSF CI projects over the past two years, and when we revise the plan again in 2015, we will use our Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects as the basis.