= Meeting in Vienna 20081222 = Meeting opened 10:30 Present: Philipp Dunkel, Rasika, iang (minutes). Action points in bold. == Misc == * Rasika could be added to internal audit team for now * as -> Internal Audit (test taken 2008 december) * (unknown when final result is revealed) == Disaster Recovery == * discussion consisted of a working attempt to create a Disaster Recovery plan. * (rasika) created a starter list of [[BusinessProcesses]], following CISA guide. * developed plan from processes as per [[DisasterRecovery]] * see SM * Redundant versus hot standby * MySQL has online PUSH? * (Philipp D) we want hot standby, is already in MySQL? sysadm? * don't want any software development effort put in .... * Hot standby machines should exist in the same facility. * cannot secure elsewhere * could ask HCC === Backups === * where? * for security and reliability: they should be in the same place * Disaster Level 1: hard * Disaster Level BIT: BIT is down * Availability of backups offsite * Security cannot be ensured for transmission and storage of remote data... * offsite backups need to be offsite. * Suggest * Make it incremental: dailies stay in the same town * rotate physical backups: new one arrives; send old one to escrow. * Weekly fedex packages to somewhere... * recover from next neighbour jurisdiction == Privacy == * (Rasika) Background Check * procedure and ruling (recommendation) should be public * interview, documents should not be public, * summary of evidence should be in the ruling. * Arbitrator can rule on the escrow questions of evidence * New proposal (written by Philipp D) reviewed quickly on laptop screen * it has been sent to board only so far * was written in a meeting last week between Philipp D and Philipp G * Some basic pointers needed * that is, training + test * '''ask Ted''' to set up, start pumping in some questions * need a legitimacy step for test+questions * board or policy to be asked to approve at some point * Go back to board, ask for objections, into SM. * '''Philipp D:''' the proposal needs to be distributed, only to board so far == Software Development == * 4 eyes work in the software development * today, software development == philipp G * Philipp wants a governance methodology for SD? * he may want to provide 4 eyes, in software development * (PG? PD?) has provided a way to do the software development methodology. * '''Philipp G''' is writing up the Software Development * "define this to the point that you can hand it over to someone else" * 29th Monday after Xmas * Assurer Change from Software Development to Sysadms. * Ted has the patch to switch off the old Assurers * Ask '''Ted to RESEND''' it as a patch to Philipp G + Philipp D * mechanism: is it a patch(1) ? * Software Development Patch procedure, needs to cover * sending patches to the sysadms * receiving patches from the sysadms * (rasika) this is the role of the media librarian * Governance as it impacts software development * Philip D: 4 eyes needed over all support actions * means we don't need so much control on TrustCheck * Software Development cannot install patches, only Sysadms. * Must be a handover. * Review of patches * Sysadms can review the patch; all source code is PHP, non-black * Sysadms have the responsibility to do a random check: * "random" means also to include "all" and "none". * other people can also check it. * if a check is done, comment added to code in subversion * sysadms do not write code: they only add comments!!!! * sysadms will be kicked out if they fix code * perhaps make the comments into an ACL-controlled file like README or REVIEW-COMMENTS at top of tree * Software development does not know which checks are done. * so, code and patches might be checked at time. Formal meeting closed 18:30. ---- . CategoryAdvisory