Your resources, your research data, and your collaborators are valuable, yet continuously targeted by miscreants. Protecting these requires that everyone works together to protect them damage, disruption, and unauthorised use. The security operational baseline sets the bar to entry in most federated infrastructures, not only for the AAI but also for the protection of resources, data, and users. By adhering to a simple common baseline, the collaboration becomes easier and the expectations of all parties are clear. You will find that adherence to the security operational baseline is a prerequisite to entry for many of the ecosystems you want to join.

If you are an e-Infrastructure or service provider


If you are an authentication source or collaboration


Twelve points to protect your resources and data

It is RECOMMENDED that all service providers follow these Baseline Requirements to achieve a sufficient level of security. These requirements augment but do not replace applicable security policies and obligations, nor any more specific security arrangements and service level agreements that may exist between participants. The baseline is specifically that: a set of minimal expectations between everyone in the infrastructure:

  1. comply with the SIRTFI1 security incident response framework for structured and coordinated incident response
  2. ensure that your Users agree to an Acceptable Use Policy (AUP) or Terms of Use, and that there is a means to contact each User.
  3. promptly inform Users and other affected parties if action is taken to protect their Service, or the Infrastructure, by controlling access to their Service, and do so only
    for administrative, operational or security purposes.
  4. honour the confidentiality requirements of information gained as a result of your Service’s participation in the Infrastructure.
  5. respect the legal and contractual rights of Users and others with regard to the personal data processed, and only use access personal data for administrative, operational, accounting, monitoring or security purposes.
  6. retain system generated information (logs) in order to allow the reconstruction of a coherent and complete view of activity as part of a security incident (the ‘who, what, where, when’, and ‘to whom’), for a minimum period of 180 days, to be used during the investigation of a security incident.
  7. follow, as a minimum, generally accepted IT security best practices and governance, such as pro-actively applying secure configurations and security updates, and taking appropriate action in relation to security vulnerability notifications, and agree to participate in drills or simulation exercises to test Infrastructure resilience as a whole.
  8. operate services and infrastructure in a manner which is not detrimental to the security of the Infrastructure nor to any of its Participants or Users.
  9. collaborate in a timely fashion with others, specifically those with which there is a direct trust relationship, in the reporting and resolution of security events or incidents related to their participation in the infrastructure and those affecting the infrastructure as a whole.
  10. honour the obligations on security collaboration and log retention (clauses 1, 6, and 9 above) for the period of 180 days after their Service is retired from the Infrastructure, including the retention of logs when physical or virtual environments are decommissioned.
  11. not hold Users or other Infrastructure participants liable for any loss or damage incurred as a result of the delivery or use of the Service in the Infrastructure, except to the extent specified by law or any licence or service level agreement.
  12. maintain an  suppliers that ensures that engagement of such parties does not result in violation of this Security Baseline.

Resources