This repository has been archived by the owner on Aug 11, 2022. It is now read-only.
Security Control Traceability Matrix
Gray O'Byrne edited this page Sep 17, 2018 · 7 revisions
This page tracks the implementation and documentation status of each security control for Talent Cloud, grouped by control family. Many controls are inherited from the TBS cloud environment or from GCaccount rather than implemented in the application itself; those are marked "Inherited". Controls marked "To implement", "Needs automated test" or "Needs documentation" still require work in Talent Cloud, and the Tracking column links to the GitHub issue for that work where one exists.
Access Control (AC)

Control | Name | Status | Tracking |
---|---|---|---|
AC-2 | Account Management | To implement | |
AC-2(1) | Account Management: Automated System Account Management | To implement | |
AC-3 | Access Enforcement | Needs automated test | https://github.com/GCTC-NTGC/TalentCloud/issues/254 |
AC-4 | Information Flow Enforcement | Inherited | |
AC-5 | Separation of Duties | Needs documentation | https://github.com/GCTC-NTGC/TalentCloud/issues/255 |
AC-6 | Least Privilege | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/256 |
AC-6(10) | Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/257 |
AC-7 | Unsuccessful Logon Attempts | Inherited | |
AC-9 | Previous Logon (Access) Notification | To implement | |
Audit and Accountability (AU)

Control | Name | Status | Tracking |
---|---|---|---|
AU-2 | Auditable Events | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/258 |
AU-3 | Content of Audit Records | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/259 |
AU-6 | Audit Review, Analysis, and Reporting | To implement | |
AU-8 | Time Stamps | To implement | |
AU-12 | Audit Generation | To implement | |
Security Assessment and Authorization (CA)

Control | Name | Status | Tracking |
---|---|---|---|
CA-8 | Penetration Testing | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/260 |
Configuration Management (CM)

Control | Name | Status | Tracking |
---|---|---|---|
CM-2 | Baseline Configuration | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/261 |
CM-3 | Configuration Change Control | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
CM-4 | Security Impact Analysis | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
CM-5 | Access Restrictions for Change | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
CM-6 | Configuration Settings | To implement | |
CM-7 | Least Functionality | To implement | |
CM-8 | Information System Component Inventory | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
CM-9 | Configuration Management Plan | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/262 |
Contingency Planning (CP)

Control | Name | Status | Tracking |
---|---|---|---|
CP-2 | Contingency Plan | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/263 |
CP-9 | Information System Backup | Inherited | |
CP-10 | Information System Recovery and Reconstitution | Inherited | |
Identification and Authentication (IA)

Control | Name | Status | Tracking |
---|---|---|---|
IA-2 | Identification and Authentication (Organizational Users) | Inherited | https://github.com/GCTC-NTGC/TalentCloud/issues/264 |
IA-4 | Identifier Management | Inherited | |
IA-5 | Authenticator Management | Inherited | |
IA-5(1) | Authenticator Management: Password-Based Authentication | Inherited | |
IA-5(6) | Authenticator Management: Protection of Authenticators | Inherited | |
IA-6 | Authenticator Feedback | Inherited | |
IA-8 | Identification and Authentication (Non-Organizational Users) | Inherited | https://github.com/GCTC-NTGC/TalentCloud/issues/264 |
Incident Response (IR)

Control | Name | Status | Tracking |
---|---|---|---|
IR-4 | Incident Handling | Inherited | |
IR-5 | Incident Monitoring | Inherited | |
IR-6 | Incident Reporting | Inherited | |
IR-8 | Incident Response Plan | Inherited | |
Planning (PL)

Control | Name | Status | Tracking |
---|---|---|---|
PL-4 | Rules of Behavior | Inherited | https://github.com/GCTC-NTGC/TalentCloud/issues/265 |
PL-7 | Security Concept of Operations | To implement | |
Risk Assessment (RA)

Control | Name | Status | Tracking |
---|---|---|---|
RA-2 | Security Categorization | To implement | |
RA-5 | Vulnerability Scanning | Inherited | https://github.com/GCTC-NTGC/TalentCloud/issues/266 |
System and Services Acquisition (SA)

Control | Name | Status | Tracking |
---|---|---|---|
SA-8 | Security Engineering Principles | To implement | |
SA-11 | Developer Security Testing and Evaluation | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/267 |
SA-11(1) | Developer Security Testing and Evaluation: Static Code Analysis | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/268 |
SA-11(4) | Developer Security Testing and Evaluation: Manual Code Reviews | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/269 |
SA-15(4) | Development Process, Standards, and Tools: Threat Modeling / Vulnerability Analysis | To implement | |
System and Communications Protection (SC)

Control | Name | Status | Tracking |
---|---|---|---|
SC-7 | Boundary Protection | Inherited | |
SC-8 | Transmission Confidentiality and Integrity | Inherited | |
SC-8(1) | Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection | Inherited | |
SC-12 | Cryptographic Key Establishment and Management | Inherited | |
SC-13 | Cryptographic Protection | Inherited | |
SC-28(1) | Protection of Information at Rest: Cryptographic Protection | Partly inherited, partly to implement | |
System and Information Integrity (SI)

Control | Name | Status | Tracking |
---|---|---|---|
SI-2 | Flaw Remediation | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/270 |
SI-4 | Information System Monitoring | Inherited | |
SI-10 | Information Input Validation | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/271 |
SI-11 | Error Handling | To implement | https://github.com/GCTC-NTGC/TalentCloud/issues/272 |
SI-12 | Information Handling and Retention | To implement | |