The periodic audit of Synapse activity is intended to surface potential threat scenarios concerning the privacy and security of data held in the Synapse. The approach to this audit is informed by an assessment of risks to priority data, such as the data sets associated with Synapse projects marked with restricted access control lists. The risk assessment process considers access control at the point when access is granted, when access is used, and when access may become uncontrolled.
Auditing may be done by analyzing a comprehensive report of activity over the audit period. A comprehensive report is generated by running queries that precisely target privacy threat scenarios.
Overview
The Synapse audit should occur twice a year, once in July and once in January. Each audit should contain data from the two quarters prior to the data pull. The purpose of the audit is to ensure that there have not been any data breaches or security risks during the respective audit period.
An audit report is generated during each audit to analyze the data and explain whether there have been any security breaches or privacy concerns. The Governance Regulatory Support Team should submit the audit report to WIRB annually during the Synapse continuing review, which occurs in October.
Audit Constraints
The Synapse audit approach was revised in 2020 to focus on specific threats identified through a risk assessment process. Automated queries were designed to report on the activity related to each threat.
The audit reports are limited by the time spans available to the automated queries. Some queries are based on changes to properties of objects, and a query may not be able to compare an event with activity outside of its observation window. In these cases, the query will not surface a conflict between the event and a prior state. Additionally, the audit reports are constrained by what data is available in the Synapse data warehouse. Currently, account tier information (i.e. anonymous, registered, certified, validated) is not captured in the data warehouse and therefore cannot be analyzed in the audit report. Changes to access requirement text are likewise not captured and cannot be reported.
Audit Timeline
| When | Who | What |
|---|---|---|
| First two weeks of January and July | Synapse Security Engineer | Run Automation. Reference the “Data Warehouse Queries, Documentation, and Handling” section for details. |
| Second two weeks of January and July | Synapse ACT | Sort Data & Triage Threats. Reference the “ACT Data Sorting and Triaging” section for details. |
| Mid September | Synapse Security Engineer and Synapse ACT | Generate Audit Report following this template. Reference the “Generating the Audit Report” section for details. |
| Late September | Director of Governance (Christine) | Review and Approve/Reject Audit Report. |
| October | Synapse Security Engineer and Governance Regulatory Support Team | Security Engineer: Submit Audit Report to HITRUST. Governance Regulatory Support Team: Submit Audit Report to WIRB during Synapse Continuing Review. Reference the “Generating the Audit Report” section for details. |
Audit Report
Generating the Report:
The audit report should be generated annually in September, and the report requires approval by the Sage Bionetworks Director of Governance. The report should contain data from the past two audit cycles. For example, the October 2021 audit report should contain data from the Q1/Q2 2020 audit and the Q3/Q4 2020 audit periods.
Use this audit report template to generate the report. The same audit report can be submitted to WIRB and to HITRUST. The report should be finalized by the end of September so that it can be submitted to WIRB and HITRUST in October.
Submitting the Report:
One audit report will be generated for both the WIRB and HITRUST submissions.
WIRB Submission:
The Governance Regulatory Support team will submit the audit report during the Synapse Continuing Review, which occurs annually in October. For reference, Synapse submissions to WIRB are stored here.
HITRUST Submission:
The Synapse Security Engineer will submit the audit report to HITRUST annually in October.
Storing the Report:
Store the audit report, associated data files, and Community Manager/Synapse user responses here.