Draft available at https://docs.google.com/document/d/176vzNaoK6KvKTMp8Glk2n1NaM6bxiS1QqH8M3_mu7NI/edit# 

Objective 

Provide new or evolving Research Communities  and Infrastructures with the guidance they need to develop a complete policy suite supporting Federated Identity Management. This should be done with input from the wider community, through FIM4R, WISE and relevant bodies. For this work in AARC, the policy kit should be tightly scoped to the blueprint architecture but there is an expectation that the work be extended to be relevant for infrastructures in general. 

Audience 

Operational Management of Research Communities and their respective infrastructures

Process

1. Identify key actors in Blueprint Architecture (Membership Manager, Proxy Operator, etc) 
2. Identify Policies Required for Compliance with Snctfi
3. Identify Example Policies from other infrastructures to serve as inspiration
4. Produce a training module to enable Research Communities to have a basic starter pack for policies
   1. Introduce the concept of frameworks and policies, why are they important 
   2. Introduce Snctfi
   3. Encourage RC actors to make policy decisions (e.g. log retention, minimum assurance etc)
   4. Translate those decisions into policy templates
   5. Q & A
5. Place templates on the AARC Website and produce an AARC Guideline document that links to each piece

Assumptions

• RCs/Infrastructures may not have a security focussed person, could just be a PI. Definitely can't assume CSIRT body 
• Those using this policy pack are following the AARC blueprint

Pre-Requisites

1. Stable DP CoCo Version
2. Aligned AUP AARC Deliverable
   

Use Cases

• EPOS
• Life Sciences
• HelmHoltz Data Federation

Roles

• PI/Membership Manager (including Security Contact) 
• Proxy Operator
• Users
• Service Management (including Security Contact)
• Infrastructure Management (including Security Contact)

Next Steps

1. Design a top level policy, either modular or verbose
2. Add templates for easy wins (IR, AUP, Privacy Policy from CoCo, Membership Management )  
3. More difficult modules (Authentication Assurance - Uros Stevanovic)

Which policies do we need?

Example Policy Sets

Differences with EGI Policies?

• Cannot assume a CSIRT for each Infrastructure
• Assume there is one AUP
• Resource Centres are not relevant
• There are not necessarily multiple User Communities

Notes & Thoughts 

Objective: Provide new or evolving Research Communities  and Infrastructures with the guidance they need to develop a complete policy suite supporting Federated Identity Management

Audience: Operational Management of Research Communities and their respective infrastructures

Relevant questions:

• We’re worried that we will have legal issues receiving federated identities, which policies do we need?

• What is a reasonable expectation of assurance of incoming identities?

• How can I ensure that all my users are covered by an incident response capability?

• What checks and measures should I put in place when managing the users of my community services, or members of virtual organisations?

Introductory Content:

• Make clear why these policies should be adopted, where they have come from and examples of how they help

Policy Areas:

(Would be good to have actionable points as well as dry document examples)

(Can we encourage people to be in the right mindset to make their own decisions about timelines for policy decisions etc)

Snctfi (top level)  -- for scalable, bounded communities https://aarc-project.eu/policies/snctfi/

Data Protection & Privacy

• CoCo (&v2)

• AARC deliverable template

• Risk Assessment (due to the GDPR) -> WISE https://wise-community.org/risk-assessment-template/

Membership management & AUP

• Can cover Users, Communities and contributing services

• Attribute request/release

• AUP - Acceptable Use Policy

• Accounting, logging, monitoring policies

• LoA (What is the acceptable level? Is step up required?)

• REFEDS LoA

• AARC minimum LoA https://aarc-project.eu/wp-content/uploads/2015/11/MNA31-Minimum-LoA-level.pdf

• MFA

Security Incident Response

• Sirtfi (Able to assert for RC? Require it for incoming federated users? Is step up required?)

• AARC deliverable template

• Security policies e.g. EGI

Sources of input:

• EGI security and community policies

• AARC templates

• CoCo work

• WLCG policies

• ELIXIR AAI strategy Appendix A: Acceptable Usage Policy, Appendix B: Policy for Relying Parties, Appendix C: Requirements for ELIXIR AAI operators

Also, maybe we can re-use the EGI work (Security and Community policies)

Crazy ideas for how this could work...

• Moodle course walking people through decisions for each policy aspect

• Website static pages (bit dull)

• Recorded video snippets for each aspect (Uros and Hannah can do a double act of questions and answers!)

• “Click in” style website

• Road show

• Face-to-face session where we split the room into sections and ask for questions on specific policies

• Recorded interviews with experts on specific topics, e.g. GDPR, Security Incident Response

Key Ideas for each topic:

• What is this policy for?

• Sub policies

• Does my RC/Infrastructure need it?

• What do I need to do?

• Who needs to agree to the policy and where should it live?

• Template

Could group as:

• General Policies

• Audience Specific

See e.g. https://edms.cern.ch/ui/#!master/navigator/project?P:1412060393:1412060393:subDocs

And https://wiki.egi.eu/wiki/SPG:Documents