Final PDK Template Documents:
WISE Baseline Acceptable Use Policy and Conditions of Use (Version 1): WISE-SCI-Baseline-AUP-V1.pdf
Service Operations Security Policy template: WISE-SCI-PDK-ServiceOpsSecPol-V2.pdf
Documents being worked on - see "Working documents" below
Aim:
An activity of the WISE SCI working group
We have had a lot of feedback that the Policy Development Kit (which came from the AARC project) is good but doesn't necessarily fit use cases. People have to make significant modifications. We would like to pull in the feedback from these first-hand implementation experiences and produce an improved set of templated policies.
In particular, some communities are looking for something very easy to pick up and define requirements on participating services (e.g. CS3MESH). Our first objective is to update the Security Operations Policy (and possibly the top level policy that ties participants together).
Meetings (SCI-WG PDK):
- Discussed during EUGridPMA 28-30 September 2021
- October 4th 2021
- See WISE Community meeting below - 26-27 October 2021
- Friday 22nd October (morning) 10:00 CEST
- At the WISE/SIG-ISM Meeting October 26/27 https://events.geant.org/event/742/ and Slides
- November 15th 15:00 CET
- November 29th 15:00 CET
- December 13th 2021 15:00 CET
- January 24th 2022 15:00 CET
- February 2nd 15:00 CET
- February 21st 15:00 CET
- March 7th 15:00 CET
- March 21st 15:00 CET - cancelled (clash with ISGC2022 security workshop)
- April 4th 15:00 CEST
- May 3rd 2022 15:00 CEST
- May 16th 2022 15:00 CEST
- May 31st 2022 15:00 CEST
- July 4th 2022 15:00 CEST
- August 1st 2022 15:00 CEST
We failed to reach consensus on an updated Data Protection policy template, so activity then stopped (for now). We will come back to this in 2023.
Resources:
The final work from the AARC Project is at https://aarc-community.org/policies/policy-development-kit/ (this has been slightly updated with time).
We have an (unmaintained) Moodle course at https://e-academy.geant.org/moodle/course/view.php?id=16
Existing Security Operations Policy Options:
- PDK version https://docs.google.com/document/d/1_cNMF3l3YVPqBBH0MPqx9DLAL1t3Z33_fJcjln8Xk48/edit#heading=h.idp93lqbm8kt
- The PDK was used to produce a Service Operations Security Policy for EOSC-hub, which was then also adopted by EGI. Some wording was changed from the initial PDK to the EOSC-hub version: the reference to Sirtfi was removed from point 4 and "Privacy Statement" was changed to "Privacy Notice".
- The EOSC-hub/EGI policy from June 2020 onwards is available at: https://documents.egi.eu/document/3601
- The EOSC Security Baseline may serve as a best option for loosely coupled federations https://docs.google.com/document/d/1a8TQAfOnB0CADo_n5nn7-DQX6jV7Iz-2i90hBAzMgGY/edit#heading=h.eyau1431a74f (plan to adopt almost as is)
- Based on Iris https://www.iris.ac.uk/wp-content/uploads/2021/05/IRIS-Service-Operations-Security-Policy.pdf (though that one removed Sirtfi and only referred to it in footnotes. Wanted self-contained). Advantage is long list of references.
- Less prescriptive
- Elixir
  - This is our Service operations security policy: https://docs.google.com/document/d/1TKczGc_9U-i3XTT3pVqy8EpHyMrTZ9m9rMFFwhlFMtg/edit?usp=sharing
  - You may be interested also in our ToU for service providers which was missing from AARC PDK and was developed by ourselves: https://docs.google.com/document/d/10DBkPr_zWpFJPWTav8SMw61IVExIU0349pUkBl9cLjw/edit# It has the same license as the AARC PDK (CC-BY-SA-NC)
  - See page 14 - 15 for feedback from life sciences https://zenodo.org/record/4559400#.YWRFLC8RpQI
- Trusted CI https://www.trustedci.org/guide-overview?rq=MISPP
- HIFIS (previously HDF) https://hifis.net/doc/helmholtz-aai/security-response/
Working Documents:
- Service Operations Security Policy
Google doc used to produce version 2 template of Service Operations Security Policy (see top of this page)
https://docs.google.com/document/d/1oO2OsBG99Wf3ecvjU28qma4ubyzpBJgMIB93eRpz6Ck/edit#heading=h.idp93lqbm8kt
Meetings:
- Discussed during EUGridPMA October 2021
- October 4th 2021
- Friday 22nd (morning) 10:00 CEST
- At the WISE/SIG-ISM Meeting October 26/27 https://events.geant.org/event/742/ and Slides
- November 15th 15:00 CET
- November 29th 15:00 CET
- December 13th 15:00 CET
- Community Security Policy
Google doc with "work in progress" draft of Community Combined Security Policy
https://docs.google.com/document/d/1SNew2NMI96EGZtbdnPZyyLIZ6mGYUeLgik_d-MMT540/edit?usp=sharing
- Data Protection policy template
Google doc with "work in progress" draft of updated version of AARC policy template for Data Protection:
https://docs.google.com/document/d/11S5UrCytHdeh4mNQc3btvZPW_ox_QgSBx0lII-XhKoI/edit?usp=sharing
AARC guidance documents on Data Protection and GDPR:
WISE Meeting October 27th 2021
Time | Item |
---|---|
10m | PDK introduction |
10m | Evolution of Security Operations Policy |
10m | Q&A e.g. feedback from CS3MESH |
30m | Work on Security Operations Policy (not the baseline) and incorporate feedback |
...