The periodic audit of Synapse activity is intended to surface potential threat scenarios concerning the privacy and security of data held in the Synapse. The approach to this audit is informed by an assessment of risks to priority data, such as the data sets associated with with Synapse projects marked with restricted access control lists. The risk assessment process considers access control at the point when access is granted, when access is used, and when access may become uncontrolled.
Auditing may be done by analyzing a representative sample of activity or a comprehensive report of activity over the audit period. A comprehensive report is preferred when the queries driving the report can be targeted to precisely address the threat scenario. Sampling is used as an alternative when comprehensive reporting is not feasible to address a given audit query, such as for activity common to all users within the applicationgenerated by running queries that precisely target privacy threat scenarios.
Overview
The Synapse audit should occur twice a year, once in June July and once in January. Each audit should contain data from the last two quarters prior to the data pull. The purpose of the audit is to ensure that there have not been any data breaches or security risks during the respective audit period.
The Synapse Governance An audit report is generated during each audit to analyze the data and explain whether there have been any security breaches or privacy concerns. The Governance Regulatory Support Team should submit the audit report to WIRB annually in October during the Synapse continuing review, which occurs in October.
Timeline
...
In May and November, the Synapse Security Engineer should pull MD5 duplicate data, state change data, and top downloader data from the previous two quarters. The Security Engineer should post this data on Synapse, and email it to ACT@sagebionetworks.org.
...
During the months of June and December, the Synapse ACT Team will sort the state change and MD5 data and email respective community leads to determine whether any files pose a security risk. If the project owner is external to Sage, email Xa to investigate before emailing the external Synapse user.
...
.
...
The Director of Governance will review and approve the audit report draft
...
Add in WIRB and security compliance submission details
To be done:
...
Threat Scenarios
1. Data access
Synapse implements an access control system based on the properties of the dataset and/or on the properties of the user profile attempting to gain access.. Public datasets may be controlled (users must agree to
...
specific terms and request access from ACT or another specified entity and may be required to upload certain documentation based on the dataset), restricted (users must agree to specific terms, but access is granted automatically after terms are accepted), or open (users can view data either anonymously or once they have created a Synapse account).
Within dataset specific access requirements and project sharing settings, data contributors may specify whether users must be registered (created account and agreed to Synapse Pledge), certified (passed quiz indicating security and privacy policy awareness), or validated (identity linked to account has been verified) to obtain access.
Rather than restricting or controlling data, project administrators can also choose to make their projects or folders private and only share them with specific synapse users and teams. General Synapse users will not be able to view or access private projects or entities unless explicitly shared to them by a project administrator.
Data Access Threat Scenarios
Threat: A Synapse user intentionally or inadvertently accesses controlled data without qualification
...
Identify through data warehouse query and end user reporting:
☑ Users who have posted or
...
accessed controlled data without the
...
Users who should have access removed at a prior time no longer have access
appropriate access level required for the respective dataset.
Threat: A Synapse user with significant access to data intentionally or inadvertently shares access
Identify through data warehouse query and end user reporting:
☑ A single file downloaded multiple times by a single user
Data Access Associated
...
Queries: Top downloaders
Data handling
Synapse allows end users to upload data once they have certified their account through a training module. The certification process is an administrative control that trains users on appropriate data handling procedures. Once granted data upload rights, an end user is expected to respect the permission sets associated with the data sets they handle.
...