Update - Security Policies

Presentation transcript:

Update - Security Policies
David Groep (Nikhef)
EGI OMB, 24 November 2016

Refreshing the security policy suite
- Finalised earlier this year; formal adoption Oct 2016: LTOS AUP, LTOS Security Policy, VMI Endorsement and Operations (V4), Revised AUP (V2)
- Personal Data Protection Policy: presented at the OMB meeting in March 2016; almost ready, and now used as the basis for EGI CheckIn privacy; the privacy template appendix should evolve taking this into account. https://documents.egi.eu/document/2732
- Acceptable Authentication Assurance: approved OMB July and Sep 2016; https://documents.egi.eu/document/2930; awaiting formal approval and adoption
EGI OMB Security Policies

Security Policy Suite: to be revised before the end of EGI-Engage

Top-Level Security Policy
- Current version (doc #86) is 'well matured', dating from July 2010, and its wording does not immediately indicate its relevance to new infrastructure concepts (although it obviously does apply)
- Reword in a technology-agnostic way
- Minimal changes, as the previous policy worked well
- Keeps the subsidiarity principle that characterises our current security model
- Clarify applicability to each constituency ("participants")
- Point to common processes as much as possible
- Use existing policies from our suite to assign responsibilities and give mandates

Structure
- Introduction and Definitions
- Roles and Responsibilities
  - The Management
  - The e-Infrastructure Security Officer and the CSIRT
  - User Community Management
  - Users
  - Resource Centre Management
- Physical Security
- Network Security
- Exceptions to Compliance
- Sanctions

Example: User Community Management
The User Community Management must designate a Security contact point […]
The User Community Management should abide by the e-Infrastructure policies in the areas of Acceptable Use, User Registration and Membership Management and all other applicable policies. Exceptions to this must be handled as in section Exceptions to Compliance.
They must ensure that only individuals who have agreed to abide by the e-Infrastructure AUP and the User Community AUP are registered as members of the User Community.
User Community Management and Users that provide and/or operate resources or services must abide by the Service Operations Security Policy, the Traceability and Logging Policy and all other applicable policies.
For services requiring authentication of entities, the User Community Management must abide by the policy on Acceptable Authentication Assurance.
User Community Management is responsible for promptly investigating reports of Users failing to comply with the policies and for taking appropriate action to limit the risk to the e-Infrastructure and ensure compliance in the future, as defined in section Sanctions.

Exceptions to compliance
Wherever possible, e-Infrastructure policies and procedures are designed to apply uniformly to all participants. If this is not possible, for example due to legal or contractual obligations, exceptions may be made. Such exceptions should be time-limited and must be documented and authorised by the e-Infrastructure Security Officer and, if required, approved at the appropriate level of management. …

EGI CheckIn – Data Privacy Policy
- Builds on the (previously OMB-endorsed) Data Protection Policy and the Privacy Template
- Having a privacy policy is a necessary prerequisite:
  - for running a service handling personal data
  - for registering the service in eduGAIN with the GEANT DP CoCo ("Code of Conduct") trust mark
  - to have all users well informed on how we process their personal data in the portal and in EGI services

A data privacy policy answers questions!
- What personal data do we process?
- Purposes of processing?
- Stored where?
- Accessed by whom?
- Retained for how long?
- Shared with others? If so, how is your data shared?
- Name and contact details of the Data Processor
- Name and contact details of the EGI CheckIn Service Data Protection Officer

But: EGI CheckIn is just a front!
- EGI CheckIn itself conveys attributes to others; that is the entire purpose of it
- All services that connect to CheckIn must therefore be part of the same policy framework
- The data protection model for sharing is inspired by the GDPR "Binding Corporate Rules" (BCR) model and leverages our comprehensive policy set
- Only entities that comply with all the policies, and where we have viable enforcement mechanisms, may have access to the data

10.4 Policy
By their activity in the Infrastructure, Participants:
- Declare that they have read, understood and will abide by the Principles of Personal Data Processing as set out below.
- Declare their acknowledgment that failure to abide by these Principles may result in exclusion from the Infrastructure, and that if such failure is thought to be the result of an unlawful act or results in unlawful information disclosure, they may be reported to the relevant legal authorities.

A first step: getting this to work … ASAP!
The draft data privacy policy for EGI CheckIn (https://wiki.egi.eu/wiki/SPG:Drafts:Data_Privacy_EGI_CheckIn):
- Addresses all 8 basic questions
- Has the service-specific "EGI Policy on the Processing of Personal Data"
- Is really needed, real soon, like "yesterday"
- Can be evolved by updating the EGI CheckIn website, unless we make user-impacting changes

Future work items
- User-community related security policies: today there are three policies for "VOs" (registration, membership management, and the AUP), which is too many; they are too vague and inadvertently suggest a particular technology. But they are tech-agnostic!
- Policy documents govern relationships, and communities relate
  - with their constituent users, for which we can provide reference templates (the top-level policy says "should abide", i.e. it uses a "comply or explain" model)
  - with the infrastructure, for which we are authoritative ("must abide")
- SPG will propose revised community policies before the end of EGI-Engage
- Continue collaboration with other infrastructures via WISE and the SCIV2-WG on policy and trust issues, to identify potential further gaps and inconsistencies

Requests to the OMB
- To endorse the new top-level security policy: https://wiki.egi.eu/wiki/SPG:Drafts:Security_Policy
- To endorse the first version of the AAI CheckIn Data Privacy Policy, so that it can be used as of now for informing the users on the processing: https://wiki.egi.eu/wiki/SPG:Drafts:Data_Privacy_EGI_CheckIn
- To (re-)confirm the CSIRT ToR: https://documents.egi.eu/secure/ShowDocument?docid=385&version=11