This is the Service operations security policy for the “GEANT AAI Service” and the Services connecting to it.

By running a Service connected to GEANT AAI Service, you agree to the conditions laid down in this document and other referenced documents, which may be subject to revision.

  1. You shall comply with all relevant GEANT AAI Service Policies.
  2. You shall provide and maintain accurate contact information, including at least one Security Contact who shall support Sirtfi [R1] on behalf of the service.
  3. You are held responsible for the safe and secure operation of the Service. Any information you provide regarding the suitability and properties of the Service should be accurate and maintained. The Service shall not be detrimental to the GEANT AAI Service nor to any of its Participants.
  4. You should follow IT security best practices, including proactively applying updates or configuration changes related to security. You shall respond appropriately, and within the specified time period, on receipt of security notices from the GEANT AAI Service or any of its Participants. You must support the Sirtfi Framework [R1] on behalf of your service.
  5. You shall document your processing of personal data in a Privacy Statement that is displayed to the User and shared with the GEANT AAI Service.
    1. You shall apply due diligence in maintaining the confidentiality of user credentials and of any data you hold where there is a reasonable expectation of privacy. 
    2. You shall collect and retain auditing information in compliance with policies and procedures [R1], and must assist the GEANT AAI Service in security incident response.
    3. You shall use logged information, including personal data, only for administrative, operational, accounting, monitoring and security purposes. You shall apply due diligence in maintaining the confidentiality of logged information. 
  6. Provisioning of Services is at your own risk. Any software provided by GEANT AAI Service is provided on an as-is basis, and subject to its own license conditions. There is no guarantee that any procedure applied by the GEANT AAI Service is correct or sufficient for any particular purpose. The GEANT AAI Service and other Participants acting as service hosting providers are not liable for any loss or damage in connection with your participation in the IT Infrastructure.
  7. You may control access to your Service for administrative, operational and security purposes and shall inform the affected users where appropriate.
  8. Your Service’s connection to the GEANT AAI Service may be controlled for administrative, operational and security purposes if you fail to comply with these conditions.

Upon retirement of a service, the obligations specified in clauses 1, 2, 5 and 6 shall not lapse for the retention period of 6 months agreed with GEANT.

R1: https://refeds.org/sirtfi
