Audit Details for ACT
Version | Summary |
---|---|
10/24/2022 | Updated list of Project Leads |
10/24/2022 | Created version tracking table |
ACT Data Sorting and Triaging
The Synapse ACT determines which flagged entities require further investigation or action. In general, we are most concerned about publicly available entities that have unintentionally become unrestricted or uncontrolled. Use the use case tables below to decide when it is necessary to reach out to a Project Lead or Synapse user. Project Leads are as follows (as of Oct 2022)*:
AD Knowledge Portal: @Anna Greenwood
Challenges: @Jake Albrecht
GENIE: @Chelsea Nayan
mHEALTH: @Solly Sieberts
HTAN: @Ashley Clayton
Hackathons: @Jineta Banerjee
*If unsure, you can refer to this spreadsheet for the list of Sage PIs. The Sage PI can direct you to the Project Lead on projects not listed here.
Change of State Audit Use Cases
Use Case | Why is this needed? | Action Needed |
---|---|---|
Access requirement (AR)/click-wrap (controlled/restricted) was removed from a public entity/project (this query should only include public entities in public projects). | Audit for security to ensure there have been no accidental breaches or loss of data. | Sort through Jira tickets to see whether this was accounted for. Otherwise reach out to the Community Manager. Where the entity/project is not linked to a Sage-managed Synapse Community, reach out to the Synapse Security Engineer for further investigation before contacting external Synapse users. The Synapse Security Engineer should check whether the flagged entity has local access settings, which indicates that its access settings were not unintentionally inherited from the parent folder/project. If the entity's access settings appear to have been inherited accidentally, ACT should reach out to the project owner. |
File switched to public and then back to private AND the resulting access setting is less restrictive than it was while the file was public. | Audit for security to ensure there have been no accidental breaches or loss of data. | If the file was public for more than a day, investigate whether data was downloaded during that window. If it was, reach out to the Community Manager. |
Sage employee's test project is public. | Internal QA | Reach out to the Community Manager (or the project owner if it is not associated with a community) to see whether the owner can make the entity private. |
AR/click-wrap was added AND the project or entity was made public. | Internal QA | Do not reach out to the Community Manager, but ACT should ensure that the project is listed on the Conditions for Use Synapse page. |
MD5 Audit Use Cases
Use Case | Query Information Need | Why is this needed? | Action Needed |
---|---|---|---|
Instances where a restricted/controlled entity is copied and the resulting public duplicate is less restricted/controlled (regardless of whether the source entity was public). | Date of event. For both source and duplicate: project (synID, name); entity (synID, name, created by, last modified by, controlled status (was/is controlled), restricted status (was/is restricted), public/private). Potential follow-up: if a breach is discovered, any downloaders after the date at which the AR/click-wrap was removed, so we can contact them. | Audit for security to ensure that any duplicated files are under the correct access requirements. | Reach out to the Community Manager. Reach out to the Synapse Security Engineer if there is no Sage Community Manager associated with the project/entity. |
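The two audit queries above (the public-then-private use case of the change-of-state table, including its one-day threshold and the check for downloads during the public window, and the MD5 duplicate use case) written out as triage logic over a constructed export. This is an added example, not Sage Bionetworks or Synapse code: the field names (syn, ts, public, ar, md5), the three-level AR encoding, and every synID and user ID are assumptions for illustration, not the Synapse schema or real audit data.

```python
"""Added example, not Sage Bionetworks or Synapse code.

Triage logic for two ACT audit queries, run over a constructed export.
Field names (syn, ts, public, ar, md5), the three AR levels and every
synID / user ID are assumptions for illustration, not the Synapse schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Access-restriction levels, least to most restrictive (assumed encoding:
# "none" = no AR, "restricted" = click-wrap, "controlled" = ACT-approved AR).
LEVEL = {"none": 0, "restricted": 1, "controlled": 2}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


# Constructed change-of-state history: one ACL/AR snapshot per change.
EVENTS = [
    {"syn": "syn100", "ts": "2022-08-01T09:00", "public": False, "ar": "controlled"},
    {"syn": "syn100", "ts": "2022-09-01T10:00", "public": True, "ar": "controlled"},
    {"syn": "syn100", "ts": "2022-09-05T09:00", "public": False, "ar": "restricted"},
    {"syn": "syn200", "ts": "2022-09-02T10:00", "public": True, "ar": "restricted"},
    {"syn": "syn200", "ts": "2022-09-02T12:00", "public": False, "ar": "none"},
]
# Constructed download records (user IDs are made up).
DOWNLOADS = [
    {"syn": "syn100", "ts": "2022-09-03T15:00", "user": "1111"},
    {"syn": "syn100", "ts": "2022-09-06T15:00", "user": "2222"},  # already private again
    {"syn": "syn200", "ts": "2022-09-02T11:00", "user": "3333"},
]


def audit_public_window(events, downloads, min_days=1):
    """Change-of-state use case: entity went public, then private again with
    an AR looser than it carried while public.  One finding per such
    transition; 'escalate' is True when the window exceeded min_days and
    someone downloaded during it (the condition for contacting the CM)."""
    history = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        history[ev["syn"]].append(ev)
    findings = []
    for syn, hist in history.items():
        for prev, cur in zip(hist, hist[1:]):
            if not (prev["public"] and not cur["public"]):
                continue  # only public -> private transitions matter here
            if LEVEL[cur["ar"]] >= LEVEL[prev["ar"]]:
                continue  # AR did not get looser
            start, end = parse_ts(prev["ts"]), parse_ts(cur["ts"])
            users = sorted({d["user"] for d in downloads
                            if d["syn"] == syn and start <= parse_ts(d["ts"]) < end})
            findings.append({
                "syn": syn,
                "public_hours": (end - start).total_seconds() / 3600,
                "downloaders": users,
                "escalate": (end - start) > timedelta(days=min_days) and bool(users),
            })
    return findings


# Constructed entity export for the MD5 audit.
ENTITIES = [
    {"syn": "syn300", "project": "syn30", "md5": "aaa111", "public": False, "ar": "controlled"},
    {"syn": "syn301", "project": "syn31", "md5": "aaa111", "public": True, "ar": "none"},
    {"syn": "syn302", "project": "syn31", "md5": "aaa111", "public": True, "ar": "controlled"},
    {"syn": "syn400", "project": "syn40", "md5": "bbb222", "public": True, "ar": "restricted"},
    {"syn": "syn401", "project": "syn41", "md5": "bbb222", "public": False, "ar": "none"},
]


def audit_md5_duplicates(entities):
    """MD5 use case: the same content (by MD5) exists in more than one entity
    and a public copy carries a weaker AR than the strictest copy.  The
    source's own public/private state does not matter; a private duplicate
    is not flagged (syn401 above)."""
    by_md5 = defaultdict(list)
    for ent in entities:
        by_md5[ent["md5"]].append(ent)
    findings = []
    for md5, group in by_md5.items():
        strictest = max(group, key=lambda e: LEVEL[e["ar"]])
        for dup in group:
            if dup["public"] and LEVEL[dup["ar"]] < LEVEL[strictest["ar"]]:
                findings.append({"md5": md5, "source": strictest["syn"],
                                 "duplicate": dup["syn"],
                                 "duplicate_project": dup["project"]})
    return findings


if __name__ == "__main__":
    for f in audit_public_window(EVENTS, DOWNLOADS) + audit_md5_duplicates(ENTITIES):
        print(f)
```

On the constructed data, syn100 is flagged for escalation (public for roughly four days with a download inside the window, then re-privatised with a weaker AR), syn200 is recorded but not escalated (public for two hours), and syn301 is the only MD5 duplicate flagged, since syn302 keeps the controlled AR and syn401 is private. The downloaders list in each finding is what ACT would hand to the Synapse Security Engineer for the follow-up described later on this page.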
Top Downloader Data
For Top Downloader Data, the Synapse Governance Team should review the top 20 downloaders and reach out to them directly if an issue is suspected.
Example Email:
Your Synapse account has been identified during a routine Synapse audit as having accessed a large number of files in the last six months. This activity may be expected due to how you use Synapse, or may be the result of a compromised or shared account.
Please reply to this email message to confirm that you are not aware of a breach of your Synapse credentials and that you have not shared them with anyone else.
Ensure that you document Community Manager and Synapse User responses within the respective audit data export doc to track which flagged entities are problematic and which are not.
What to Do if a Breach is Detected
Please follow this Synapse Data Breach SOP for the steps on reporting breaches, and reference this Synapse incident Confluence page for the log of incidents that have occurred.
Note that in a case where an access requirement/click-wrap was inappropriately removed, ACT should request a list of downloaders following the removal date from the Synapse Security Engineer.
Make sure you log the incident both in the Governance Incident Tracker and in the Confluence Incident Log.