Draft available at https://docs.google.com/document/d/176vzNaoK6KvKTMp8Glk2n1NaM6bxiS1QqH8M3_mu7NI/edit#

Objective

Provide new or evolving Research Communities and Infrastructures with the guidance they need to develop a complete policy suite supporting Federated Identity Management. This should be done with input from the wider community, through FIM4R, WISE and relevant bodies. For this work in AARC, the policy kit should be tightly scoped to the blueprint architecture but there is an expectation that the work be extended to be relevant for infrastructures in general.

Audience

Operational Management of Research Communities and their respective infrastructures

Process

Identify key actors in Blueprint Architecture (Membership Manager, Proxy Operator, etc)
Identify Policies Required for Compliance with Snctfi
Identify Example Policies from other infrastructures to serve as inspiration
Produce a training module to enable Research Communities to have a basic starter pack for policies
1. Encourage RC actors to make policy decisions (e.g. log retention, minimum assurance etc)
2. Translate those decisions into policy templates

Assumptions

RCs/Infrastructures may not have a security focussed person, could just be a PI. Definitely can't assume CSIRT body
Those using this policy pack are following the AARC blueprint

Pre-Requisites

Stable DP CoCo Version
Aligned AUP AARC Deliverable

Use Cases

EPOS
Life Sciences

Which policies do we need?

Policy Need	Source	Template Basis	Audience	Comment	Name	What should we produce?
Incident Response Procedure	Sirtfi	EGI Incident Response, should link to Sirtfi, AARC work	Proxy, Services	What about policies?	Incident Response Procedure	Template
Policy on authentication, authorisation, access control, physical and network security, security vulnerability handling and security incident handling for all Constituents	Snctfi	EGI Operational Security Policy	Proxy, Services	Top level policy that covers physical and network security, vulnerability handling and refers to additional policies on Acceptable Assurance, Incident Response Procedure, Membership management We either make very modular or try to make this quite long	Top Level Policy	Template
AUP for end users	Snctfi	WISE Baseline AUP	Users	EGI seems to have 2 AUPS, Infrastructure and User Community	Infrastructure AUP	Template
Collections of users' aims and purposes	Snctfi			This is the User Community AUP. There is an example somewhere. Would be better if these could be combined.
Policies and procedures regulating the behaviour of the management of the Collection of users	Snctfi	EGI Membership Management		In XSEDE it's much more simple	Membership Management	Template
Data Protection Policy, e.g. DP CoCov2	Snctfi	CoCo		Could be included in top level	Data Protection Code of Conduct	Framework description
Privacy Policy	CoCo	CoCo Template			Privacy Policy	Template
Policy on eligibility to join the infrastructure (i.e. services)	Elixir			NOT Similar to EGI Service Operations, there is some overlap with the Top Level Policy. Try and include in overall policy	Service Eligibility	Template
Risk Assessment (DPIA)	Data Privacy Statement	??		NOT A POLICY but could inform policy decisions	??	??

Example Policy Sets

CTSC Policies	Relevant for AARC?
Acceptable Use Policy Template	Yes
Access Control Policy Template	Yes
Asset Management Policy Template
Asset-Specific Access and Privilege Specification Template
Disaster Recovery Policy Template	No
Incident Response Policy and Procedures Template	Yes
Information Asset Inventory Template	No
Information Classification Policy Template	No
Information Security Training and Awareness Policy Template	No
Master Information Security Policy & Procedures Template	Yes
Password Policy Template	No
Physical Security Policy Template	Yes

EGI Policy	Relevant for AARC?
Access Platform AUP and Conditions of Use (aka. Platform for the long tail of science)	No
EGI Access Platform Security Policy (aka. Platform for the long tail of science)	No
EGI Glossary V2	No
Grid Policy on the Handling of User-Level Job Accounting Data	No
Policy on e-Infrastructure Multi-User Pilot Jobs (Updated 14 Nov 2016)	No
Security Policy for the Endorsement and Operation of Virtual Machine Images (Updated 10 Oct 2016)	No
Security Policy Glossary of Terms	Perhaps
Security Traceability and Logging Policy (Updated 14 Nov 2016)	Perhaps
Service Operations Security Policy (Updated 1 June 2013)	Perhaps
Virtual Organisation Registration Security Policy	Perhaps
VO Operations Policy	Perhaps
VO Portal Policy (Updated 14 Nov 2016)	Perhaps
Acceptable Use Policy and Conditions of Use (Updated 10 Oct 2016)	Yes
e-Infrastructure Security Policy (Updated 1 Feb 2017)	Yes
Policy on Acceptable Authentication Assurance (Updated 1 Feb 2017)	Yes
Policy on the Processing of Personal Data (New policy from 1 Feb 2017)	Yes
Virtual Organisation Membership Management Policy	Yes
Security Incident Response Policy (Updated 14 Nov 2016)	Yes for procedure

Differences with EGI Policies?

Cannot assume a CSIRT for each Infrastructure
Assume there is one AUP
Resource Centres are not relevant
There are not necessarily multiple User Communities