Generalized Operations Policy
As a result of the January 2011 SPG meeting, there is an item to work on a re-write and generalization of the Site Operations Policy document (see https://www.egi.eu/indico/event/263):
Rewrite site operations policy as a general services security policy a. Include service operation security policy (real and virtual) b. Resource, providers, VM managers, etc c. Exclude operations items to be considered by OMB
It is an evolution from the current version (https://documents.egi.eu/document/75).
This security policy is now being reviewed under EGI SPG "Phase 2 - External Review". The draft may be found at https://documents.egi.eu/document/669.
New Draft Text
Service Operations Security Policy
By running a Service on the Infrastructure, by providing a service that is part of the Infrastructure, or retaining state that is related to the Infrastructure, either provided as an independent service or hosted in a Resource Centre, You agree to the conditions laid down in this document and other referenced documents, which may be revised from time to time.
- You shall provide and maintain accurate contact information to the Infrastructure and any Resource Centres involved, including but not limited to at least one Security Contact who shall respond to enquiries in a timely fashion.
- You shall comply with all security policies and procedures of the Infrastructure and any Resources Centres involved in operating Your service.
- You are held responsible by the Infrastructure and by any Resource Centres involved for the safe and secure operation of the Service. You shall not mislead Users regarding the suitability of a Service for their needs, nor mislead the Infrastructure or any Resource Centres involved about your Service. The Service shall not be detrimental to the Infrastructure and any Resource Centres involved.
- You should follow IT security best practices that include pro-actively applying software patches, updates or configuration changes related to security. When notified by the Infrastructure or any Resource Centres involved of software patches, updates or configuration changes required for security, You shall apply these to your services within the specified time period.
- You shall collect and retain sufficient auditing information as defined in the Tracability and Logging Policy and procedures, and must assist the Infrastructure and any Resource Centres involved in security incident response.
- You shall use logged information, including information provided to you by Users, other Resource Centres, Service operations or by the Infrastructure, only for administrative, operational, accounting, monitoring and security purposes. You shall apply due diligence in maintaining the confidentiality of logged information.
- Your provisioning of Services shall not in itself create any intellectual property rights in software, information and data provided to your Service or in data generated by your Service.
- Provisioning of Services is at your own risk. Any software provided by the Infrastructure is provided on an as-is basis only, and subject to its own license conditions. There is no guarantee that any procedure applied by the Infrastructure is correct or sufficient for any particular purpose. The Infrastructure and other Resource Centres are not liable for any loss or damage in connection with your participation in the Infrastructure.
- You may control access to Your Service for administrative, operational and security purposes and shall inform the affected users if you limit or suspend their access. You shall comply with all relevant incident response procedures regarding the notification of security incidents.
- The Infrastructure and any Resources Centres involved may control your access to the Infrastructure or Resource Centres for administrative, operational and security purposes if you fail to comply with these conditions.
- Disputes resulting from your participation in the Infrastructure will be resolved according to the Infrastructure escalation procedures.