Yale University Library is implementing ArchivesSpace, an exciting new open-source platform for describing and managing special collections materials.
Part of the implementation included working with Yale's Information Security department to complete a Security Design Review (SDR) of the application and its infrastructure. Working with John Lee from InfoSec is always a great experience. The SDR process, recently improved, is required for any new service or application brought up on the Yale network. It begins with a comprehensive questionnaire about the application, the data it holds, and the users of the system. InfoSec then runs a series of scans (Acunetix, Nessus, and others) to surface any vulnerabilities that could compromise the application or the Yale network.
The resulting reports detail each vulnerability and rank it as High, Medium, or Low risk. Application owners then work with InfoSec on remediation. Once all High and Medium risks are resolved, and each Low risk is either remediated or formally accepted as is, the application receives final security approval. The process is informative and keeps the Library in compliance with Yale security standards.