...

Remove all the definitions already in eduGAIN Constitution.

| Word/Term | Definition |
|---|---|
| IdP | Identity Provider, a service that creates, maintains, and manages identity information for principals and provides authentication services to relying parties |
| SP | Service Provider, an organization (or part of an organization) that manages and delivers a service or services to customers |
| (Identity) Federation | https://wiki.geant.org/display/eduGAIN/Identity+Federations+and+eduGAIN |
| Federation Operator | https://wiki.geant.org/display/eduGAIN/Federation+Operators |
| CSIRT | Computer Security Incident Response Team |
| Entity | IdPs, SPs and Attribute Authorities (standalone) (AAs) |
| eduGAIN | The eduGAIN inter-federation service connects identity federations around the world, simplifying access to content, services and resources for the global research and education community. |
| eSG | eduGAIN Steering Group, the governing body of eduGAIN |
| Entity Security Contact | An entity mail address monitored by multiple individuals |

Purpose and Responsibilities

eduGAIN-CSIRT provides computer security incident response coordination for eduGAIN. It serves as the primary contact point for all security related issues affecting eduGAIN.

The group eduGAIN-CSIRT maintains a communication infrastructure to assure that all the relevant information is received by the relevant entities relevant Federation Operators and Entities security contacts in eduGAIN. That the information is processed and needed response actions are carried out is the responsibility of the entity and the hosting federation(s).

...

  • the eduGAIN-CSIRT Security Officer.
  • Senior security professionals from IT infrastructures so designated by the eduGAIN-CSIRT Security Officer and the eduGAIN Steering Group Chair. The designation process will be based on the principles of fair representation of the federations and the research and education infrastructures, regional coverage and proven IT security skills.
  • Each member of the eduGAIN-CSIRT will be funded by the respective organization either through the GEANT project, or direct funding.
  • Invited members: GEANT CERT Security Officer. Others?

...

The Term of Office is unlimited.

Method of Appointment

The eSG GEANT project appoints the eduGAIN-CSIRT Chair.

...

The operation of eduGAIN-CSIRT will obey the eduGAIN Declaration and the eduGAIN Constitution and follow the procedures approved by the eSG. Any Stakeholder within eduGAIN has the right to suggest new policies and procedures: such requests should be submitted to the Security Officer. The decision whether to accept this request or not will be recorded in the minutes of the meeting and feedback will be provided to the original requestor.

...

All the members of the Group must subscribe to the eduGAIN-CSIRT mailing list (edugain-support-sec-team@lists.geant.org) and should use it as the primary written communication channel. To allow for low latency communications, the team may communicate using end-to-end encrypted instant messaging channels provided all end-points have been pre-authenticated during a face-to-face validation.

The group deliberations happen at face-to-face meetings, phone/video conferences, or via the group mailing list. To enable consideration, where practicable, the draft agenda together with reports and documents that relate to the group will be forwarded to members three working days prior to scheduled meetings.

Accurate minutes will be kept of each meeting of the group. The minutes of a meeting shall be submitted to group members for ratification at the next subsequent meeting of the group.

...

eduGAIN-CSIRT is authorized by the eSG to coordinate computer security incident response activities within its Terms of Reference and the applicable security policies. The eSG is the governing body of eduGAIN-CSIRT.

TO BE DISCUSSED:

Should we explicitly mention particular actions we would need to take in situations where we would need to take serious actions, like suspending participants as a last resort to protect eduGAIN as such?

References