Draft available at https://docs.google.com/document/d/176vzNaoK6KvKTMp8Glk2n1NaM6bxiS1QqH8M3_mu7NI/edit#
Objective
Provide new or evolving Research Communities and Infrastructures with the guidance they need to develop a complete policy suite supporting Federated Identity Management
Audience
Operational Management of Research Communities and their respective infrastructures
Process
- Identify Policies Required for Compliance with Snctfi
- Identify Example Policies from other infrastructures to serve as inspiration
- Produce a training module to enable Research Communities to have a basic starter pack for policies
- Encourage RCs to make policy decisions (e.g. log retention, minimum assurance etc)
- Translate those decisions into policy templates
Pre-Requisites
- Stable DP CoCo Version
- Aligned AUP AARC Deliverable
Which policies do we need?
Policy Need | Source | Template Basis | Comment | Name | What should we produce? |
---|---|---|---|---|---|
Incident Response Procedure | Sirtfi | EGI Incident Response, should link to Sirtfi, AARC work | Incident Response Procedure | Template | |
Policy on authentication, authorisation, access control, physical and network security, security vulnerability handling and security incident handling for all Constituents | Snctfi | EGI Operational Security Policy | Top level policy that covers physical and network security, vulnerability handling and refers to additional policies on Acceptable Assurance, Incident Response Procedure, Membership management | Top Level Policy | Template |
AUP for end users | Snctfi | AARC Unified AUP | EGI seems to have 2 AUPS, Infrastructure and User Community | Infrastructure AUP | Template |
Policies and procedures regulating the behaviour of the management of the Collection of users | Snctfi | EGI Membership Management | Membership Management | Template | |
Collections of users aims and purposes | Snctfi | Where does this go? | |||
Data Protection Policy, e.g. DP CoCov2 | Snctfi | CoCo | Data Protection Code of Conduct | Framework description | |
Privacy Policy | CoCo | AARC Template | Privacy Policy | Template | |
Policy on eligibility to use the infrastructure (i.e. services) | Elixir | Similar to EGI Service Operations, there is some overlap with the Top Level Policy | Service Eligibility | Template |