As per #7, "If we meet the technical controls on our side, that is sufficient." So, let's take a look at those controls, and see what (if anything) needs to be done.
Below are all of the different MinSec points that apply to the Low and Medium Risk levels. Applications and SaaS/PaaS are both listed because Globus is a tightly-bound collection of programs that run on the client/server side, and the Globus Internet-based service. For more information, reference the draft Globus Security page, at TBD.
Each point below will have a referenced GitHub issue number, where notes/discussion on that issue can take place. Items marked "N/A" do not apply. Items without any marking haven't been reviewed yet.
MinSec for Applications, all risk levels:
• Patching: #11
• Vulnerability Management: #13
• Inventory: #21
• Firewall: #12
• Credentials and Access Control: #14
MinSec for Applications, Medium Risk and above:
• Two-Step Authentication: #15
• Centralized Logging: #16
• Secure Software Development: #23
• Developer Training: #22
• Backups: #8
MinSec for SaaS/PaaS, all risk levels:
• Product Selection:
• Pre-implementation Planning:
• Inventory and Asset Classification: #21
• Credential and Key Management: #24
• Encryption: #25
MinSec for SaaS/PaaS, Medium Risk and above:
• Two-Step Authentication: #26
• Logging and Auditing: #27
• Data Management: #28