This repository has been archived by the owner on Aug 11, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 12
Security Control Traceability Matrix
Gray O'Byrne edited this page Sep 17, 2018
·
7 revisions
This page is used to track security control implementation and documentation for Talent Cloud.
Many security controls are inherited either from TBS cloud environment or GCaccount.
| Control | Name | Status | Tracking |
|---|---|---|---|
| AC-2 | Account Management | To implement | |
| AC-2(1) | Account Management | Automated System Account Management | To implement | |
| AC-3 | Access Enforcement | Needs automated test | https://github.com/GCTC-NTGC/TalentCloud/issues/254 |
| AC-4 | Information Flow Enforcement | Inherited | |
| AC-5 | Separation of Duties | Needs documentation | https://github.com/GCTC-NTGC/TalentCloud/issues/255 |
| AC-6 | Least Privilege | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/256 |
| AC-6(10) | Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/257 |
| AC-7 | Unsuccessful Logon Attempts | Inherited | |
| AC-9 | Previous Logon (Access) Notification | To implement |
| Control | Name | Status | Tracking |
|---|---|---|---|
| AU-2 | Auditable Events | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/258 |
| AU-3 | Content of Audit Records | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/259 |
| AU-6 | Audit Review, Analysis, and Reporting | To implement | |
| AU-8 | Time Stamps | To implement | |
| AU-12 | Audit Generation | To implement |
| Control | Name | Status | Tracking |
|---|---|---|---|
| CA-8 | Penetration Testing | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/260 |
| Control | Name | Status | Tracking |
|---|---|---|---|
| CM-2 | Baseline Configuration | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/261 |
| CM-3 | Configuration Change Control | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
| CM-4 | Security Impact Analysis | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
| CM-5 | Access Restrictions for Change | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
| CM-6 | Configuration Settings | To implement | |
| CM-7 | Least Functionality | To implement | |
| CM-8 | Information System Component Inventory | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
| CM-9 | Configuration Management Plan | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
| Control | Name | Status | Tracking |
|---|---|---|---|
| CP-2 | Contingency Plan | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/263 |
| CP-9 | Information System Backup | Inherited | |
| CP-10 | Information System Recovery and Reconstitution | Inherited |
| Control | Name | Status | Tracking |
|---|---|---|---|
| IA-2 | Identification and Authentication (Organizational Users) | Inherited | https://github.com/GCTC-NTGC/TalentCloud/issues/264 |
| IA-4 | Identifier Management | Inherited | |
| IA-5 | Authenticator Management | Inherited | |
| IA-5(1) | Authenticator Management | Password-Based Authentication | Inherited | |
| IA-5(6) | Authenticator Management | Protection of Authenticators | Inherited | |
| IA-6 | Authenticator Feedback | Inherited | |
| IA-8 | Identification and Authentication (Non-Organizational Users) | Inherited | https://github.com/GCTC-NTGC/TalentCloud/issues/264 |
| Control | Name | Status | Tracking |
|---|---|---|---|
| IR-4 | Incident Handling | Inherited | |
| IR-5 | Incident Monitoring | Inherited | |
| IR-6 | Incident Reporting | Inherited | |
| IR-8 | Incident Response Plan | Inherited |
| Control | Name | Status | Tracking |
|---|---|---|---|
| PL-4 | Rules of Behavior | Inherited | https://github.com/GCTC-NTGC/TalentCloud/issues/265 |
| PL-7 | Security Concept of Operations | To implement |
| Control | Name | Status | Tracking |
|---|---|---|---|
| RA-2 | Security Categorization | To implement | |
| RA-5 | Vulnerability Scanning | Inherited | https://github.com/GCTC-NTGC/TalentCloud/issues/266 |
| Control | Name | Status | Tracking |
|---|---|---|---|
| SA-8 | Security Engineering Principles | To implement | |
| SA-11 | Developer Security Testing and Evaluation | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/267 |
| SA-11(1) | Developer Security Testing and Evaluation | Static Code Analysis | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/268 |
| SA-11(4) | Developer Security Testing and Evaluation | Manual Code Reviews | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/269 |
| SA-15(4) | Development Process, Standards, and Tools | Threat Modeling / Vulnerability Analysis | To implement |
| Control | Name | Status | Tracking |
|---|---|---|---|
| SC-7 | Boundary Protection | Inherited | |
| SC-8 | Transmission Confidentiality and Integrity | Inherited | |
| SC-8(1) | Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection | Inherited | |
| SC-12 | Cryptographic Key Establishment and Management | Inherited | |
| SC-13 | Cryptographic Protection | Inherited | |
| SC-28(1) | Protection of Information at Rest | Cryptographic Protection | Partly to implement and partly Inherited |
| Control | Name | Status | Tracking |
|---|---|---|---|
| SI-2 | Flaw Remediation | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/270 |
| SI-4 | Information System Monitoring | Inherited | |
| SI-10 | Information Input Validation | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/271 |
| SI-11 | Error Handling | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/272 |
| SI-12 | Information Handling and Retention | To implement |