
Original Story:

Collect & document baseline configs on our F5s, and ensure each device is aligned with the others as far as it can be.

As the HIDS contractor I must develop and maintain baseline configurations to be compliant with CMS security requirements.

Download current config on each F5

Compare configs to identify any unexpected misalignment.

Remediate misalignments

Update documents

F5 functional baselines for new requests. (Where do we start?)

Load Balancing

Virtual server deployments

These would include details such as pool membership, ports, ciphers, certs, etc.

Internal vs external facing URL baselines

Scan URLs in Non Prod before applying new cipher string.

Apply new cipher string to profiles associated with each URL.

Scan URLs after applying new cipher string to make sure all URLs in Non Prod are using strong ciphers.

 

Reworked Story:

Story 1: “Develop security compliant baseline for balancer instances”

As a network engineer, I can rapidly recover a balancer instance so that secure availability is restored and aligned with the rest of the balancing cluster. (Stories describe the need, intent and expected outcome for the business/community.)

Acceptance Criteria: (Acceptance criteria define the explicit business requirements associated with the intent of the story)

  • Verify that there is a valid baseline configuration for balancer instances
  • Verify that the baseline configuration is compliant with CMS security policy
  • Verify that the baseline contains valid internal and external URL routing
  • Verify there is accessible documentation for the baselines

Tasks: (tasks describe how the work will be done/implemented)

  • Download current config on each F5
  • Compare configs to identify any unexpected misalignment.
  • Remediate misalignments
  • Update documents

DoD (describes all non-functional requirements for all work the team does, and does not need to be part of every work item)

  • All acceptance criteria are met
  • All acceptance criteria successfully pass testing with such’n’such tools
  • All documentation follows standard format
  • Any documentation produced is tagged correctly
  • All work is validated to be aligned with CMS Security policy