MinSec Check: Applications: Developer Training

[akkornel]

In MinSec for Applications, the Developer Training item has the following:

Attend at least one Stanford Information Security Academy training course annually.

I'm not sure what to do about this one, given that none of the application developers are part of Stanford.

[akkornel]

I asked ISO about this in SNOW RITM00078622, and here is what I noted from the response: From the perspective of the sysadmin [I meant "developer"] training, the question to answer is "Are the developers receiving security training that is relevant to their job?" That is the question that needs to be answered.

So, I have opened Globus support ticket 345849 to find out!

[akkornel]

I've heard back from Globus on this item, and have been told "All Globus product software engineers receive role-based HIPAA Security and Privacy training." I've also been told that the training is annual.

So, I think that should cover things at least for Moderate Risk. If we decide to pay for a High-Assurance subscription (which we'd likely need for processing High Risk data), or if we decide to pay for a BAA, then we can dig into that deeper (as we'd be going through the DRA process anyway!).