...

Due to the diverse nature of data and services, the Policy Development Kit, while providing context, does not have specific recommendations, policy templates, or procedures. Public resources related to service management, risk assessment, and “AIC” (or “CIA”) information classification are provided below.

Service Levels

Service Management Systems, such as the ISO/IEC 20000 standards or FitSM, expect services to be “aligned to the needs and expectations of (potential) customers. Both the service provider and customer are aware of agreed service targets” (quoted from the FitSM standards). When working with a research collaboration, you may be faced with “unknown” data and many implicit expectations; making the users aware of what your service can and cannot do is essential for both security and functionality.

...

If you want to provide service guarantees to some of your collaborations, you can also add references to service level agreements at the end of the AUP presentation (“Applicable service levels agreements are located at: <URL>”).

Data classification: availability, integrity, confidentiality

The triad of availability, integrity, and confidentiality (seen in various permutations as well, such as the “CIA triad”) describes properties of the information rather than of the infrastructure. These aspects of data security are foundational both for security and for regulatory compliance.

...

Beware of implicit expectations of users, and document the agreements as part of your Service Level Agreement (SLA) or Operational Level Agreement (OLA). Remember that in some cases you may need to (self-)certify compliance with legislation and implementing acts. This is especially common for personal and health data, but can also apply to dual-use and export-restricted knowledge.

Resources