Version | Summary |
|---|---|
10/24/2022 | Updated list of Project Leads |
10/24/2022 | Created version tracking table |
...
The Synapse ACT determines which flagged entities require further investigation or action. In general, we are most concerned about entities that are publicly available that have unintentionally become unrestricted or uncontrolled. Please reference the use case tables below to identify when it is necessary to reach out to a Project Lead or Synapse user. Project Leads are as follows (as of Oct 2022)*:
AD Knowledge Portal: Mette Peters (Unlicensed)
Challenges: Thomas Yu Jake Albrecht (Unlicensed)
GENIE: Chelsea Nayan
mHEALTH: Solly Sieberts
HTAN: Ashley Clayton
Hackathons: Jineta Banerjee
...
Change of State Audit Use Cases
Use Case | Why is this needed? | Action Needed |
AR/Click-wrap (controlled/restricted) was removed from a public entity/project (this query should only include public entities in public projects). | Audit for security to ensure there have been no accidental breaches or loss of data. | Sort through Jira tickets to see whether this was accounted for. Otherwise reach out to the Community Manager. For scenarios where the entity/project is not linked to a Sage-managed Synapse Community, please reach out to the Synapse Security Engineer for further investigation before contacting external Synapse users. The Synapse Security Engineer should investigate whether the flagged entity contains local access settings, indicating that the entity’s access settings were not unintentionally acquired from the parent folder/project. If it seems that an entity’s access settings were inherited accidentally, ACT should reach out to the project owner. |
File switched to public and then back to private AND there is an access change to a less restrictive state than the original public file. | Audit for security to ensure there have been no accidental breaches or loss of data. | If the file was public for more than a day, investigate whether data was downloaded. If the data was downloaded during this time, reach out to the Community Manager. |
Sage employee’s test project is public. | Internal QA | Reach out to Community Manager (or the project owner if it is not associated with a community)tosee whether the owner can make the entity private. |
AR/click-wrap was added AND the project or entity was made public. | Internal QA | Do not reach out to Community Manager, but ACT should ensure that the project is listed in the Conditions for Use Synapse page |
MD5 Audit Use Cases
Use Case | Query Information Need | Why is this needed? | Action Needed |
Instances where a restricted/controlled entity is copied and the resulting public duplicate is less restricted/controlled (regardless of if the source entity was public) | Date of event For both source and duplicates we will need: Project: synID, name Entity: synID, name, created by, last modified by, controlled status (was/is controlled), restricted status (was/is restricted), public/private Potential follow-up: If a breach is discovered, we will need: any downloaders after the date at which the AR/click-wrap was removed so we can contact them) | Audit for security to ensure that any duplicated files are under the correct access requirements | Reach out to Community Manager Reach out to Synapse Security Engineer if there is no Sage Community Manager associated with the project/entity |
...
For Top Downloader Data, the Synapse Governance Team should review the 20 top downloaders and reach out to them directly if an issue is suspected.
Example Email:
Your Synapse account has been identified during a routine Synapse audit as having accessed a large number of files in the last six months. This activity may be expected due to how you use Synapse, or may be the result of a compromised or shared account.
Please reply to this email message to confirm that you are not aware of a breach of your Synapse credentials and that you have not shared them with anyone else.
Ensure that you document Community Manager and Synapse User responses within the respective audit data export doc to track which flagged entities are problematic and which are not.
...