...

Auditing may be done by analyzing a representative sample of activity or a comprehensive report of activity over the audit period. A comprehensive report is preferred when the queries driving the report can be targeted to precisely address the threat scenario. Sampling is used as an alternative when comprehensive reporting is not feasible to address a given audit query, such as for activity common to all users within the application.

Overview

The Synapse audit should occur twice a year, once in June and once in January. Each audit should contain data from the last two quarters. The purpose of the audit is to ensure that there have not been any data breaches or security risks during the respective audit period.

The Synapse Governance Team should submit the audit report annually during the Synapse continuing review, which occurs in October.

Timeline

  1. In May and November, the Synapse Security Engineer should pull MD5 duplicate data, state change data, and top downloader data from the previous two quarters. The Security Engineer should post this data on Synapse, and email it to ACT@sagebionetworks.org.

  2. During the months of June and December, the Synapse ACT Team will sort the state change and MD5 data and email respective community leads to determine whether any files pose a security risk. If the project owner is external to Sage, email Xa to investigate before emailing the external Synapse user.

  3. The Governance and Security teams will draft an audit report following this example from 2020.

  4. The Director of Governance will review and approve the audit report draft.

  5. Add in WIRB and security compliance submission details.

To be done:

  • Breach SOP, where to store annotated files and completed reports, audit report template

Threat Scenarios

Data access

...