This is the Service operations security policy for “MyAccessID” and the Services connecting to it.

By running a Service connected to MyAccessID, you agree to the conditions laid down in this document and other referenced documents, which may be subject to revision.

  1. You shall comply with all relevant MyAccessID Policies.
  2. You shall provide and maintain accurate contact information, including at least one Security Contact who shall support Sirtfi [R1] on behalf of the service.
  3. You are held responsible for the safe and secure operation of the Service. Any information you provide regarding the suitability and properties of the Service should be accurate and maintained. The Service shall not be detrimental to the MyAccessID Service nor to any of its Participants.
  4. You should follow IT security best practices including pro-actively applying updates or configuration changes related to security. You shall respond appropriately, and within the specified time period, on receipt of security notices from the MyAccessID Service or any of its Participants. You must support the Sirtfi Framework [R1] on behalf of your service.
  5. You shall document your processing of personal data in a Privacy Statement that is displayed to the User and shared with the MyAccessID Service. 
    1. You shall apply due diligence in maintaining the confidentiality of user credentials and of any data you hold where there is a reasonable expectation of privacy. 
    2. You shall collect and retain auditing information in compliance with policies and procedures [R1], and must assist the MyAccessID Service in security incident response.
    3. You shall use logged information, including personal data, only for administrative, operational, accounting, monitoring and security purposes. You shall apply due diligence in maintaining the confidentiality of logged information. 
  6. Provisioning of Services is at your own risk. Any software provided by MyAccessID is provided on an as-is basis, and subject to its own license conditions. There is no guarantee that any procedure applied by the MyAccessID Service is correct or sufficient for any particular purpose. The MyAccessID Service and other Participants acting as service hosting providers are not liable for any loss or damage in connection with your participation in the IT Infrastructure.
  7. You may control access to your Service for administrative, operational and security purposes and shall inform the affected users where appropriate.
  8. Your Service’s connection to MyAccessID may be controlled for administrative, operational and security purposes if you fail to comply with these conditions.

Upon retirement of a service, the obligations specified in clauses 1, 2, 5 and 6 shall not lapse for the retention period of 6 months agreed with GEANT.

R1: https://refeds.org/sirtfi
