Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The periodic audit of Synapse activity is intended to surface potential threat scenarios concerning the privacy and security of data held in the Synapse. The approach to this audit is informed by an assessment of risks to priority data, such as the data sets associated with  Synapse projects marked with restricted access control lists. The risk assessment process considers access control at the point when access is granted, when access is used, and when access may become uncontrolled.

...

Child pages (Children Display)

Audit Timeline

When

Who

What

First two weeks of January and July

Synapse Security Engineer

Run Automation

  • Pull MD5 Duplicate Data, State Change Data, Top Downloader Data from past 2 quarters

  • Post data files onto Synapse

  • Email data files to ACT@sagebionetworks.org

Reference “Engineering Audit Resources” page for details

Second two weeks of January and July

Synapse ACT

Sort Data & Triage Threats

  • Sort MD5 Duplicate Data, State Change Data, & Top Downloader Data

  • Review top 20 downloaders and reach out to Community Managers, project owners, or Sage employees regarding potential security or privacy threats if any are suspected.

  • Document responses and note resolutions

Reference the “Audit Details for ACT” page for details

Mid September

Synapse Security Engineer and Synapse ACT

Generate Audit report following this template

  • Synapse ACT will enter information based on the past two audit cycles. For example, the October 2021 report will contain data from the January 2020 and July 2020 audits

  • Synapse ACT will tag the Synapse Security Engineer for review

  • Once the draft is finalized, Synapse ACT will email the Director of Governance for final review

Reference the “Audit Report” page for details

Late September

Director of Governance (Christine)

Review and Approve/Reject Audit Report

  • Synapse ACT will email the finalized draft to the Director of Governance and make modifications if necessary

October

Synapse Security Engineer and Governance Regulatory Support Team

Security Engineer: Submit Audit Report to HITRUST

Governance Regulatory Support Team: Submit Audit Report to WIRB during Synapse Continuing Review

Reference the “Audit Report” page for details