
Security Event Review Checklist

Laura Beaufort edited this page Jul 9, 2020 · 66 revisions

Security events will be reviewed every Wednesday. Make github issues for each problem identified. For any incidents that happen regarding accounts, notify the FEC CISO, Wenchun Jiang, and follow the 18F incident response handbook.

The development team will have a rotation of log duty. Scheduling people for their rotation will be managed by the system owner during sprint planning.

Checklist:

  1. If reviewing during week 2 of a sprint, create github issues for next sprint and tag them with the proper milestone.
  2. Review Snyk for all repositories and:
  • Open a ticket for all alerts, including a due date (30 days for high, 60 days for medium, and 90 days for low). Example title: [Med] Snyk: Open Redirect (due 10/8/18)
  • Make sure open alerts are tagged with a release that ends before the due date.
  • Notify PMs in the #product-management channel in Slack if open alerts are getting close to their deadline.
  3. Review production logs for account creations, ensure these were approved in a ticket, and verify that the number of service keys in cloud.gov is unchanged.
  4. Review production logs for account permission elevations, and ensure these were approved in a ticket.
  5. Review actionable security events on production logs for successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, system events, all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes.
  6. Deactivate any accounts for people who have left the team.
  7. Note any findings in the Security Event Review issue.
  8. Close the Security Event Review issue.
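The account-creation and permission-elevation steps above amount to one check: every such event in the review window should trace back to an approving ticket. The script below is an added example, not part of the wiki or of the FEC codebase; the log format (timestamp, level, logger, event, key=value fields), the event names, the ticket ids and the service-key names are all constructed assumptions. It parses the sample lines, keeps only account events inside a 14-day window, flags those whose `ticket` field is missing or not in the approved set, and diffs two service-key listings by name so that a key that appeared and one that vanished do not cancel out in a plain count.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample log lines (assumed format: "timestamp level logger event key=value ...").
# Not real FEC log data; the last line is deliberately older than the review window.
SAMPLE_LOGS = """\
2020-07-01T14:02:11Z INFO cms.accounts user_created actor=admin1 target=jsmith ticket=fec-accounts#212
2020-07-02T09:15:40Z INFO cms.accounts user_created actor=admin1 target=contractor7
2020-07-03T16:44:03Z INFO cms.accounts group_added actor=admin2 target=jsmith group=Editors ticket=fec-accounts#212
2020-07-05T11:20:57Z INFO cms.accounts permission_granted actor=admin2 target=jsmith perm=is_superuser
2020-07-06T08:01:12Z INFO api.requests GET /v1/candidates status=200
2020-06-10T10:00:00Z INFO cms.accounts user_created actor=admin1 target=olduser
"""

# Constructed set of tickets that approved an account change; in practice this would be
# collected from the fec-accounts issues the checklist refers to.
APPROVED_TICKETS = {"fec-accounts#212"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\S+) (?P<logger>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed event names, mapped to the checklist category they fall under.
ACCOUNT_EVENTS = {
    "user_created": "account creation",
    "group_added": "permission elevation",
    "permission_granted": "permission elevation",
}


def parse_line(line):
    """Parse one log line into a dict of fields; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "logger": m["logger"], "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))  # key=value pairs after the event name
    return rec


def find_unapproved_events(log_text, approved_tickets, today, window_days=14):
    """Return account events inside the review window that lack an approved ticket.

    `today` is an ISO date string (e.g. "2020-07-09") so the window is reproducible.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=window_days)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] not in ACCOUNT_EVENTS:
            continue
        when = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        if when < cutoff:
            continue  # outside the review window
        ticket = rec.get("ticket")
        if ticket in approved_tickets:
            continue  # approved: nothing to raise
        findings.append({
            "date": when.isoformat(),
            "category": ACCOUNT_EVENTS[rec["event"]],
            "actor": rec.get("actor"),
            "target": rec.get("target"),
            "detail": rec.get("perm") or rec.get("group"),
            "ticket": ticket,
        })
    return findings


def diff_service_keys(baseline, current):
    """Compare two lists of cloud.gov service-key names: returns (added, removed)."""
    return sorted(set(current) - set(baseline)), sorted(set(baseline) - set(current))


if __name__ == "__main__":
    for f in find_unapproved_events(SAMPLE_LOGS, APPROVED_TICKETS, today="2020-07-09"):
        print(f"[{f['category']}] {f['date']} actor={f['actor']} target={f['target']} "
              f"detail={f['detail']} ticket={f['ticket']}")
    # Constructed key names; real listings would come from the cloud.gov CLI or dashboard.
    added, removed = diff_service_keys(["fec-api-key", "fec-cms-key"],
                                       ["fec-api-key", "fec-cms-key", "mystery-key"])
    print("service keys added:", added, "removed:", removed)
```

Each finding maps directly onto a line for the Security Event Review issue: the category names the checklist step, and the actor/target/detail fields give the reviewer enough to ask who approved the change.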

See all Security Event Review issues here


Example searches and checks

Vulnerabilities

SNYK DASHBOARD: https://snyk.io/org/fecgov/projects

Note: We're going to wait until sprint 12.3 to add the regulations-site, parser, and core repos.

If you haven't done so yet, you can also sign up for a free open-source Snyk account, build a specialized dashboard, and have security alerts mailed to you.

Search logs

Compare account creation to account approvals

Look for account creations and other security events. In Kibana, run searches like:

CMS accounts created or edited in the past 14 days

Check cloud.gov users

Check or via dashboard scroll to the users section. Users need to be out of all spaces before you can use the dashboard tool to remove them as org users.

Note that deployer accounts have long, random strings for their names.

Offboarding

When you are offboarding someone who has left the team, first let them know. Be sure to thank them for their contributions and offer to reactivate access if they need it in the future. Create an issue in the fec-accounts repo to track their offboarding. On the ticket, use the checklist below to record which of the following accounts they have, and remove them:

  • GitHub groups
  • Wagtail
  • cloud.gov
  • RDS log in
  • Amazon
  • New Relic
  • api.data.gov admin
  • Move user to fecgov Slack #Alumni channel