
...

Think about your crown jewels, risks, any regulations and legal things, privacy - and what to do if things go wrong ...

...

Why? "Bad things can happen to good science" (1), and while you may not think of it at first, the data, ways of working, and collections created in your collaboration are valuable and deserve protection. External cybersecurity attacks of course come to mind, but in many cases inadvertent accidents happen and are at least as big a risk. Identifying your 'primary assets' (or the 'crown jewels' of the collaboration) helps you to identify where you need extra protection, and how to prevent deletion, changes, or loss of data ... and of people. There may also be legal and regulatory reasons to apply controls through your AAI. These can lie in the research data itself, like medical and patient data, dual-use goods and knowledge, or commercially confidential data, or in ethical obligations on human research or under the Nagoya Protocol.
Also protect your own peers in the collaboration: they should know how their name, email address, and the roles used in the AAI are protected. For some sensitive or high-profile research, the names and contact information themselves need to be protected!

Recommendation: 

  • identify your crown jewels or primary assets. These are not computer things, nor your AAI, but research data, research processes, and knowledge.
  • define your rules of participation and the escalation procedure in case of non-compliance. If you are dealing with sensitive subjects, or sensitive research, consider the risks and what measures in your AAI can help. If you use a hosted AAI, discuss the conditions and guarantees with your (Snctfi-ed) provider.

...

...

  • can apply to your research collaboration

...

  • to clarify privacy for access to personal data (the personally identifiable information that results from your collaborators using services, infrastructure, and the AAI itself)
  • Do a (brief) risk assessment to check the impact of inadvertent or malicious events. Prioritise risks to your crown jewels, and keep in mind that controls should not make your primary mission impossible!
  • Does your collaboration work with human or societal data, or collect questionnaires? Is your research likely to be classed as dual-use or export restricted? Does the research, or your collaboration's users, touch on knowledge safety? Is approval by medical/ethical commissions needed? Are you dealing with biodiversity or genetic resources subject to the Nagoya Protocol? Do a specific risk assessment or ask your institution for guidance.

Applicable guidance: REFEDS Data Protection Code of Conduct, (1) Open Science Cyber Risk Profile (Sean Peisert et al, TrustedCI), ITSRM2 (risk management), Privacy Notices


  1. Define, or agree to adopt as is, the following 6 documents and seek endorsement from the governance body
    The 6 documents:
    Membership management
    Privacy Policy
    AAOPS
    Security Operational Baseline
    Incident response procedure
    Membership Management
  2. Review the AEGIS endorsed policy guidelines required for AARC compliance and ensure their technical implementation
    1. Identify your assurance requirements following https://aarc-community.org/guidelines/aarc-g031/
    2. Identify suitable token lifetimes following https://aarc-community.org/guidelines/aarc-g081/
  3. Ensure that the policies are presented to and accepted by the relevant audiences
  4. Publish your documents and responsible parties at a suitable location

...