Strawman Security Policies: Difference between revisions
From OPeNDAP Documentation
(New page: == Strawman Security Policies == These policies are currently in work by the Security Working Group. === General Policies === # A Chief Security Officer (CSO) and Deputy CSO for OPeNDAP....) |
(2 intermediate revisions by the same user not shown) | |||
Latest revision as of 17:37, 7 May 2007
Strawman Security Policies
These policies are currently in work by the Security Working Group.
General Policies
- A Chief Security Officer (CSO) and Deputy CSO for OPeNDAP.org shall be designated.
- OPeNDAP.org shall identify the specifications and software products for which it is the party responsible for addressing security vulnerabilities.
Incident Response Policies
- All communications regarding security incidents shall be by phone or encrypted email.
- All communications regarding security vulnerabilities shall be by phone or encrypted email, prior to general-audience announcements on vulnerabilities and their fixes.
- The organization or individuals reporting an incident or vulnerability shall not be identified to other parties.