Draft available at https://docs.google.com/document/d/176vzNaoK6KvKTMp8Glk2n1NaM6bxiS1QqH8M3_mu7NI/edit#
Table of Contents
Objective
Provide new or evolving Research Communities and Infrastructures with the guidance they need to develop a complete policy suite supporting Federated Identity Management. This should be done with input from the wider community, through FIM4R, WISE and relevant bodies. For this work in AARC, the policy kit should be tightly scoped to the blueprint architecture but there is an expectation that the work be extended to be relevant for infrastructures in general.
...
| Policy Need | Source | Template Basis | Audience | Comment | Name | What should we produce? | Actions |
|---|---|---|---|---|---|---|---|
| Incident Response Procedure | Sirtfi | EGI Incident Response, should link to Sirtfi, AARC work | Proxy, Services |
| Incident Response Procedure | Template | H to add template based on AARC and EGI |
Policy on
for all Constituents | Snctfi | EGI Operational Security Policy | Proxy, Services | Top level policy that covers physical and network security, vulnerability handling and refers to additional policies on Acceptable Assurance, Incident Response Procedure, Membership management We either make very modular or try to make this quite long | Top Level Policy | Template | |
| AUP for end users | Snctfi | WISE Baseline AUP | Users |
| Infrastructure AUP | Template | Wait for Ian, check with him |
| Collections of users' aims and purposes | Snctfi | This is the User Community AUP. There is an example somewhere. Would be better if these could be combined. | |||||
Policies and procedures regulating the behaviour of the management of the Collection of users | Snctfi | EGI Membership Management | In XSEDE it's much more simple | Membership Management | Template | U to add template based on https://docs.google.com/document/d/1vPcAja1EyTp-kJPvJpwu3NSd8e1aVcytY3nSGthWNLU/edit# | |
Data Protection Policy, e.g. DP CoCov2 | Snctfi | CoCo | Could be included in top level | Data Protection Code of Conduct | Framework description | U to go through CoCov2 and check whether this is prescriptive enough | |
Privacy Policy | CoCo | CoCo Template | Privacy Policy | Template | H to add the Privacy Policy template from CoCov2 | ||
| Policy on eligibility to join the infrastructure (i.e. services) | Elixir | NOT Similar to EGI Service Operations, there is some overlap with the Top Level Policy. Try and include in overall policy | Service Eligibility | Template | |||
| Risk Assessment (DPIA) | Data Privacy Statement | ?? | NOT A POLICY but could inform policy decisions | ?? | ?? |
...
- Cannot assume a CSIRT for each Infrastructure
- Assume there is one AUP
- Resource Centres are not relevant
- There are not necessarily multiple User Communities
| Action | Status | Who |
|---|---|---|
| Reword "Research Community" to Infrastructure | Hannah | |
| IR Procedure Template | Hannah | |
| AUP Template | Ian | |
| Membership Management Template | Uros | |
| CoCov2 Privacy Policy Template | Hannah | |
| Check whether CoCov2 can be our "policy" | Uros |