Versions Compared

Old Version 17

changes.mady.by.user Hannah Short

Saved on

compared with

New Version 18

changes.mady.by.user Hannah Short

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Policy NeedSourceTemplate BasisAudienceCommentNameWhat should we produce?Actions
Incident Response ProcedureSirtfiEGI Incident Response, should link to Sirtfi, AARC workProxy, Services
  • What about policies?
  • Incident Response Procedure from AARC
Incident Response ProcedureTemplateH to add template based on AARC and EGI

Policy on

  • authentication, 
  • authorisation, 
  • access control, 
  • physical and network security, 
  • security vulnerability handling and 
  • security incident handling → IR procedure

for all Constituents

SnctfiEGI Operational Security PolicyProxy, Services

Top level policy that covers physical and network security, vulnerability handling and refers to additional policies on Acceptable Assurance, Incident Response Procedure, Membership management

We either make very modular or try to make this quite long


Top Level PolicyTemplate
AUP for end usersSnctfiWISE Baseline AUPUsers
  • EGI seems to have 2 AUPS, Infrastructure and User Community
  • Wait for Ian's WISE Baseline AUP
Infrastructure AUPTemplateWait for Ian, check with him
Collections of users' aims and purposesSnctfi

This is the User Community AUP. There is an example somewhere. Would be better if these could be combined.


Policies and procedures regulating the behaviour of the management of the Collection of users 

SnctfiEGI Membership Management
In XSEDE it's much more simpleMembership ManagementTemplateU to add template based on https://docs.google.com/document/d/1vPcAja1EyTp-kJPvJpwu3NSd8e1aVcytY3nSGthWNLU/edit#

Data Protection Policy, e.g. DP CoCov2

SnctfiCoCo
Could be included in top levelData Protection Code of ConductFramework descriptionU to go through CoCov2 and check whether this is prescriptive enough

Privacy Policy 

CoCoCoCo Template

Privacy PolicyTemplateH to add the Privacy Policy template from CoCov2
Policy on eligibility to join the infrastructure (i.e. services)Elixir

NOT Similar to EGI Service Operations, there is some overlap with the Top Level Policy.

Try and include in overall policy

Service EligibilityTemplate
Risk Data Protection Impact Assessment (DPIA)Data Privacy Statement??

NOT A POLICY but could inform policy decisions

????

. Could be one of the steps to think about before the policy.

https://wise-community.org/risk-assessment-template/





Example Policy Sets

CTSC PoliciesRelevant for AARC?
Acceptable Use Policy TemplateYes
Access Control Policy TemplateYes
Asset Management Policy Template
Asset-Specific Access and Privilege Specification Template
Disaster Recovery Policy TemplateNo
Incident Response Policy and Procedures TemplateYes
Information Asset Inventory TemplateNo
Information Classification Policy TemplateNo
Information Security Training and Awareness Policy TemplateNo
Master Information Security Policy & Procedures TemplateYes
Password Policy TemplateNo
Physical Security Policy TemplateYes

...

ActionStatusWho
Reword "Research Community" to Infrastructure
  •   
Hannah
IR Procedure Template
  •   
Hannah
AUP Template
  •   
Ian
Membership Management Template
  •   
Uros
CoCov2 Privacy Policy Template
  •   
Hannah
Check whether CoCov2 can be our "policy"
  •   
Uros
Send an update to Irina
  •   
Hannah
Consider DPIA
  •  
Uros
Put on AARC Website in a modular format
  •  
...