Draft available at https://docs.google.com/document/d/176vzNaoK6KvKTMp8Glk2n1NaM6bxiS1QqH8M3_mu7NI/edit#
Objective
Provide new or evolving Research Communities and Infrastructures with the guidance they need to develop a complete policy suite supporting Federated Identity Management. This should be done with input from the wider community, through FIM4R, WISE and relevant bodies.
Audience
Operational Management of Research Communities and their respective infrastructures
Process
- Identify key actors in Blueprint Architecture (Membership Manager, Proxy Operator, etc)
- Identify Policies Required for Compliance with Snctfi
- Identify Example Policies from other infrastructures to serve as inspiration
- Produce a training module to enable Research Communities to have a basic starter pack for policies
- Encourage RC actors to make policy decisions (e.g. log retention, minimum assurance etc)
- Translate those decisions into policy templates
Assumptions
- RCs/Infrastructures may not have a security focussed person, could just be a PI. Definitely can't assume CSIRT body
- Those using this policy pack are following the AARC blueprint
Pre-Requisites
- Stable DP CoCo Version
- Aligned AUP AARC Deliverable
Which policies do we need?
Policy Need | Source | Template Basis | Comment | Name | What should we produce? |
---|---|---|---|---|---|
Incident Response Procedure | Sirtfi | EGI Incident Response, should link to Sirtfi, AARC work | Incident Response Procedure | Template | |
Policy on authentication, authorisation, access control, physical and network security, security vulnerability handling and security incident handling for all Constituents | Snctfi | EGI Operational Security Policy | Top level policy that covers physical and network security, vulnerability handling and refers to additional policies on Acceptable Assurance, Incident Response Procedure, Membership management | Top Level Policy | Template |
AUP for end users | Snctfi | AARC Unified AUP | EGI seems to have 2 AUPS, Infrastructure and User Community | Infrastructure AUP | Template |
Policies and procedures regulating the behaviour of the management of the Collection of users | Snctfi | EGI Membership Management | Membership Management | Template | |
Collections of users aims and purposes | Snctfi | Where does this go? | |||
Data Protection Policy, e.g. DP CoCov2 | Snctfi | CoCo | Data Protection Code of Conduct | Framework description | |
Privacy Policy | CoCo | AARC Template | Privacy Policy | Template | |
Policy on eligibility to use the infrastructure (i.e. services) | Elixir | Similar to EGI Service Operations, there is some overlap with the Top Level Policy | Service Eligibility | Template | |
Risk Assessment | ?? | ?? | ?? | ?? | ?? |
Example Policy Sets
Differences with EGI Policies?
- Cannot assume a CSIRT for each Infrastructure
- Assume there is one AUP
- Resource Centres are not relevant
- There are not necessarily multiple User Communities