View Source

Practical steps to getting started with Policies for a Research Collaboration

Note: we are missing DP CoCo from these steps

Define a unique name for your collaboration (recommend DNS)
Identify a governance body to make policy decisions
Define the purpose of your collaboration (this will be used for your AUP)
We strongly suggest (although this is out of scope here)
1. Identifying your primary assets
2. Completing a risk assessment
3. Defining your rules of participation and the escalation procedure in case of non-compliance
4. Any additional legal and regulatory compliance necessary
Define, or agree to adopt as is, the following 6 documents and seek endorsement from the governance body
Review the AEGIS endorsed policy guidelines required for AARC compliance and ensure their technical implementation
1. Identify your assurance requirements following https://aarc-community.org/guidelines/aarc-g031/
2. Identify suitable token lifetimes
Ensure that the policies are presented to and accepted by the relevant audiences
Publish your documents and responsible parties at a suitable location

Document	AARC template for interoperability	Examples where no template is recommended for interoperability purposes
Membership management	Membership Management
AUP	WISE AUP
Privacy Policy		REFEDS privacy notice
AAOPS	Attribute Authority Operational Security
Security Operational Baseline	Security Operational Baseline
Incident response procedure		EOSC, UK-IRIS, AARC federated incident response procedure

-------

Full Trust Framework links

An analysis of the improvements required on PDK v1 is included in https://doi.org/10.5281/zenodo.15506826

AARC > The AARC Policy Development Kit > Screenshot 2025-10-29 at 13.40.44.png

AARC > The AARC Policy Development Kit > image-2025-10-29_14-25-9.png

Research Governance	Users	Identity	Collaboration Management	Infrastructure Integration and Service Providers
Rules of Participation			Membership Management	Service Levels 'AIC' Security ????????? - ASK DAVID
Identification of Primary Assets	WISE AUP		WISE AUP	WISE AUP
Research Risk Assessment		Attribute Authority Operational Security	Attribute Authority Operational Security
Escalation Procedure		Sirtifi	Security Operational Baseline	Security Operational Baseline
Legal and Regulatory Complience	(EEA) Privacy Notice	REFEDS DP CoCo	REFEDS DP CoCo	REFEDS DP CoCo
		WISE AUP and Privacy Notice	Sensitive Data Access (Policies)	Sensitive Data Access (Enforcement)
		REFEDS Assurance Framework	Assurance Requirements	Assurance Requirements
			Incident Response Procedure	Incident Response Procedure
			Sirtifi	Sirtifi
			Notice management (presentation)	Notice management (provision)
			Privacy Notice	Privacy Notice

No Work Needed	Reference Externally	Work Need	Out of Scope	Not a Policy