Versions Compared

Old Version 38

changes.mady.by.user Hannah Short

Saved on

compared with

New Version Current

changes.mady.by.user Uros Stevanovic

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Draft Ongoing draft available at https://docs.google.com/document/d/176vzNaoK6KvKTMp8Glk2n1NaM6bxiS1QqH8M3_mu7NI/edit# 

Preliminary version (2018-07-31, as a pdf) of the AARC Policy Development Kit.

Table of Contents

Objective 

...

  • PI/Membership Manager (including Security Contact) 
  • Proxy Operator
  • Users
  • Service Management (including Security Contact)
  • Infrastructure Management (including Security Contact)

Next Steps

  1. Excel of Training Course https://docs.google.com/spreadsheets/d/16sdyV_MtD8AsvJb1wZvPuCsjTdpKjHhED91ymcCmRFY/edit?usp=sharing 
  2. Document of content https://docs.google.com/document/d/176vzNaoK6KvKTMp8Glk2n1NaM6bxiS1QqH8M3_mu7NI/edit?usp=sharing 
  3. Slides pending

Which policies do we need?

...

ActionStatusWho
Reword "Research Community" to Infrastructure
  •   
Hannah
IR Procedure Template, cross check with CTSC & EGI, add internal part
  •   
Hannah
AUP Template, should be a reasonable version
  •   
Ian
Membership Management Template
  •   
Uros
CoCov2 Privacy Policy Template
  •   
Hannah
Check whether CoCov2 can be our "policy"
  •   
Uros
Send an update to Irina
  •   
Hannah
Consider DPIA
  •   
Uros
Put on AARC Website/Moodle in a modular format
  •   
Irina & Consultant
Ask David about RAF and Assurance Profiles
  •   

Uros

Move frameworks before policies
  •   
Hannah
Top Level Policy, check whether it really covers things
  •   
Hannah
Add "Other things you may want to think about"
  •   
Hannah
Add diagram
  •   
Hannah
Send invitation
  •   
Irina
Disseminate invitation
  •   
Uros/Hannah/Irina
Licensing
  •   
Hannah
Acceptable Authentication Assurance improve
  •   
Hannah
Put on slides and give to Irina
  •   
Uros/Hannah
Insert "top" Data Protection Policy (for Infra), in comparison per Service
  •  
Uros
Update AUP to reflect recent changes (2018-07-31)
  •  
Uros



Expand
titlePrevious Notes

Notes & Thoughts 

Objective: Provide new or evolving Research Communities  and Infrastructures with the guidance they need to develop a complete policy suite supporting Federated Identity Management

Audience: Operational Management of Research Communities and their respective infrastructures 

Relevant questions:

  • We’re worried that we will have legal issues receiving federated identities, which policies do we need?

  • What is a reasonable expectation of assurance of incoming identities? 

  • How can I ensure that all my users are covered by an incident response capability?

  • What checks and measures should I put in place when managing the users of my community services, or members of virtual organisations? 


Introductory Content:

  • Make clear why these policies should be adopted, where they have come from and examples of how they help


Policy Areas:

(Would be good to have actionable points as well as dry document examples)

(Can we encourage people to be in the right mindset to make their own decisions about timelines for policy decisions etc)

Snctfi (top level)  -- for scalable, bounded communities https://aarc-project.eu/policies/snctfi/

Data Protection & Privacy


Membership management & AUP

  • Can cover Users, Communities and contributing services

  • Attribute request/release

  • AUP - Acceptable Use Policy 

  • Accounting, logging, monitoring policies

  • LoA (What is the acceptable level? Is step up required?)


Security Incident Response 

  • Sirtfi (Able to assert for RC? Require it for incoming federated users? Is step up required?)

  • AARC deliverable template

  • Security policies e.g. EGI



Sources of input:

  • EGI security and community policies

  • AARC templates

  • CoCo work

  • WLCG policies

  • ELIXIR AAI strategy Appendix A: Acceptable Usage Policy, Appendix B: Policy for Relying Parties, Appendix C: Requirements for ELIXIR AAI operators


Also, maybe we can re-use the EGI work (Security and Community policies)

Crazy ideas for how this could work...

  • Moodle course walking people through decisions for each policy aspect

  • Website static pages (bit dull) 

  • Recorded video snippets for each aspect (Uros and Hannah can do a double act of questions and answers!)

  • “Click in” style website 

  • Road show

  • Face-to-face session where we split the room into sections and ask for questions on specific policies 

  • Recorded interviews with experts on specific topics, e.g. GDPR, Security Incident Response

Key Ideas for each topic:

  • What is this policy for?

  • Sub policies

  • Does my RC/Infrastructure need it? 

  • What do I need to do? 

  • Who needs to agree to the policy and where should it live?

  • Template


Could group as:

  • General Policies

  • Audience Specific 

See e.g. https://edms.cern.ch/ui/#!master/navigator/project?P:1412060393:1412060393:subDocs

And https://wiki.egi.eu/wiki/SPG:Documents

...