|
|
| (82 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| = TITLE: The IT Infrastructure Security Policy = | | {{TOC_right}} |
| <div style="margin: 12pt 0cm 3pt 21.55pt;">'''<font size="6"><span><font size="5">1</font><span> </span></span><font size="5">Introduction and Definitions</font></font>'''</div><div style="margin: 2pt 0cm;">To fulfil its mission, it is necessary for the ''IT Infrastructure'' to protect its assets. This document presents the policy regulating those activities of ''participants'' related to the security of the ''IT Infrastructure''.</div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''1.1''<span> </span></span>''Definitions''</font>'''</div><div style="margin: 2pt 0cm;">The word ''Grid, ''when italicised in this document, means any project or operational infrastructure which uses grid technologies and decides to adopt this policy.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">The other italicised words used in this document are defined as follows:</div>
| | |
| | = The *new draft* e-Infrastructure Security Policy = |
| | |
| | This is a DRAFT document being revised by EGI SPG. It is not final and has not been approved or adopted. The currently adopted top-level security policy document is available at [https://documents.egi.eu/document/86 https://documents.egi.eu/document/86]. |
| | |
| | This policy is one of a set of documents that together define the Security Policy ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). This individual document must be considered in conjunction with all the policy documents in the set. |
| | |
| | = Introduction and Definitions = |
| | |
| | To fulfil its mission, it is necessary for the ''e-Infrastructure'' to protect its assets. This document presents the policy regulating those activities of ''participants'' related to the security of the ''e-Infrastructure''. |
| | |
| | == Definitions == |
| | |
| | The phrase ''e-Infrastructure'' when italicised in this document, means all of the people and organisations, hardware, software, networks, facilities, etc. that are required to develop, test, deliver, monitor, control or support IT ''services''. |
| | |
| | The other italicised words used in this document are defined as follows: |
| | |
| *''Policy'' is interpreted to include rules, responsibilities and procedures specified in this document together with all those in other documents which are required to exist by stipulations in this document. | | *''Policy'' is interpreted to include rules, responsibilities and procedures specified in this document together with all those in other documents which are required to exist by stipulations in this document. |
| *A ''participant ''is any entity providing, using, managing, operating, supporting or coordinating one or more ''Grid service(s)''. | | *A ''participant ''is any entity providing, using, managing, operating, supporting or coordinating one or more IT ''service(s)''. |
| *A ''service ''is any computing or software system, based on grid technologies, which provides access to, information about or controls ''resources''. | | *A ''service ''is any computing or software system, which provides access to, information about or controls ''resources''. |
| | | *A ''resource'' is the ''equipment'' and ''software'' required to run a ''service ''on the ''e-Infrastructure'', and any ''data'' held on the ''service''. |
| *A ''resource ''is the ''equipment'' and ''software'' required to run a ''service ''on the''Grid'', and any ''data'' <br>held on the ''service''. | |
| *Included in the definition of ''equipment'' are processors and associated disks, tapes and other peripherals, storage systems and storage media, networking components and interconnecting media. | | *Included in the definition of ''equipment'' are processors and associated disks, tapes and other peripherals, storage systems and storage media, networking components and interconnecting media. |
| *Included in the definition of''software'' are operating systems, utilities, compilers and other general purpose applications, any software required to operate any ''equipment'', software and middleware released and/or distributed by the ''Grid'' and any software required to support any application associated with ''Virtual Organisations ''or other authorized ''users''. | | *Included in the definition of ''software'' are operating systems, utilities, compilers and other general purpose applications, any software required to operate any ''equipment'', software and middleware released and/or distributed by the ''e-Infrastructure'' and any software required to support any application associated with ''User Communities'' or other authorised ''users''. |
| *Included in the definition of ''data'' are data required to operate any equipment defined as a ''resource'', data required to operate any ''service'', data intended to be processed or produced by any software defined as a ''resource'', and any application data. | | *Included in the definition of ''data'' are data required to operate any equipment defined as a ''resource'', data required to operate any ''service'', data intended to be processed or produced by any software defined as a ''resource'', and any application data. |
| *''The IT Organisation'' is the collection of the various boards, committees, groups and individuals mandated to oversee and control the ''IT Infrastructure''. | | *The'' Management'' is the collection of the various boards, committees, groups and individuals mandated to oversee and control the ''e-Infrastructure''. |
| *A ''user'' is an individual who has been given authority to access and use ''Grid resources''. | | *A ''User'' is an individual who has been given authority to access and use ''e-Infrastructure resources''. |
| | *A ''User Community'' is a grouping of ''Users'' and optionally ''resources'', usually not bound to a single institution, who, by reason of their common membership and in sharing a common goal, are given authority to use a set of ''resources''. |
| | *Included in the definition of a ''User Community'' are cases where ''resources'' are offered to individual ''Users'' who are not members of an explicitly organised ''User Community''. |
| | *''The User Community Management'' is the collection of various individuals and groups mandated to oversee and control a ''User Community''. |
| | *A ''Resource Centre'' is an entity having administrative control of ''resources'' provided to the ''e-Infrastructure''. This may be at one physical location or spread across multiple physical locations. |
| | *''Resource Centre Management'' is the collection of various individuals and groups mandated to oversee and control a ''Resource Centre''. |
| | |
| | Other terms are defined in the [https://wiki.egi.eu/wiki/Glossary_V2 [Glossary]]. |
| | |
| | In this document the key words `must', `must not', `required', `shall', `shall not', `recommended', `may', and `optional' are to be interpreted as described in RFC 2119. |
| | |
| | == Objectives == |
| | |
| | This ''policy'' gives authority for actions which may be carried out by designated individuals and organisations and places responsibilities on all ''participants''. |
| | |
| | == Scope == |
| | |
| | This ''policy'' applies to all ''participants''. Every ''Resource Centre'' participating in the ''e-Infrastructure'' autonomously follows their local policies with respect to the ''services'' and ''resources'' they own, including those which are part of the ''e-Infrastructure''. This ''policy'' augments local policies by setting out additional ''e-Infrastructure''-specific requirements. |
| | |
| | == Additional Policy Documents == |
| | |
| | Additional policy documents required for a proper implementation of this ''policy'' may be found at a location specific to the ''e-Infrastructure'' ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). |
| | |
| | == Approval and Maintenance == |
| | |
| | This ''policy'' is prepared and maintained by the Security Policy Group, approved by ''Management'' and thereby endorsed and adopted by the ''e-Infrastructure'' as a whole. This ''policy'' will be revised by the Security Policy Group as required and resubmitted for formal approval and adoption whenever significant changes are needed. The most recently approved version of this document is available at ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). |
| | |
| | = Roles and Responsibilities = |
| | |
| | This section defines the roles and responsibilities of ''participants''. |
| | |
| | == The Management == |
| | |
| | The ''Management'' provides, through the adoption of this ''policy'' and through its representations on the various management bodies of the ''e-Infrastructure'', the overall authority for the decisions and actions resulting from this ''policy'' including procedures for the resolution of disputes. |
| | |
| | The ''Management'' provides the capabilities for meeting its responsibilities with respect to this policy. |
| | |
| | The ''Management'' is responsible for ensuring compliance of its participants and can represent them towards third parties with respect to this ''policy''. |
| | |
| | == The e-Infrastructure Security Officer and the CSIRT == |
| | |
| | The ''Management'' must appoint a Security Officer who leads and coordinates the operational security capability (CSIRT). The Security Officer may, in consultation with the CSIRT, ''Management'' and other appropriate persons, require actions by ''participants'' as are deemed necessary to protect the ''e-Infrastructure'' from or contain the spread of IT security incidents. The Security Officer also handles requests for exceptions to this ''policy'' as described in section [[#Exceptions_to_Compliance|Exceptions to Compliance]]. |
| | |
| | == User Community Management == |
| | |
| | The ''User Community Management'' must designate a Security contact point (person or team) that is willing and able to collaborate with affected ''participants'' in the management of security incidents. |
| | |
| | The ''User Community Management'' should abide by the ''e-Infrastructure'' policies in the areas of Acceptable Use, User Registration and Membership Management and all other applicable policies ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). Exceptions to this must be handled as in section [[#Exceptions_to_Compliance|Exceptions to Compliance]]. They must ensure that only individuals who have agreed to abide by the ''e-Infrastructure'' AUP ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]) and the User Community AUP are registered as members of the ''User Community''. |
| | |
| | ''User Community Management'' and ''Users'' that provide and/or operate ''resources'' or ''services'' must abide by the Service Operations Security Policy , the Traceability and Logging Policy and all other applicable policies ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). |
| | |
| | For services requiring authentication of entities the ''User Community Management'' must abide by the policy on Acceptable Authentication Assurance ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). |
| | |
| | ''User Community Management'' is responsible for promptly investigating reports of ''Users'' failing to comply with the policies and for taking appropriate action to limit the risk to the ''e-Infrastructure'' and ensure compliance in the future, as defined in section [[#Sanctions|Sanctions]]. |
| | |
| | == Users == |
| | |
| | ''Users'' must accept and agree to abide by the ''e-Infrastructure'' Acceptable Use Policy ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]) and the User Community AUP when they register or renew their registration with a ''User Community''. |
| | |
| | ''Users'' must use ''services'' and ''resources'' only in pursuit of the legitimate purposes of their ''User Community''. They must respect the autonomy and privacy of the host ''Resource Centres'' on whose ''resources'' it may run. They must not attempt to circumvent any restrictions on access to ''resources'' and ''services''. ''Users'' must show responsibility, consideration and respect towards other ''participants'' in the demands they place on the ''e-Infrastructure''. |
| | |
| | ''Users'' that provide and/or operate ''resources'' or ''services'' must abide by the Service Operations Security Policy and all other applicable policies ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). |
| | |
| | For services requiring authentication of entities the ''Users'' must abide by the policy on Acceptable Authentication Assurance ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). |
| | |
| | ''Users'' may be held responsible for all actions taken using their credentials, whether carried out personally or not. |
| | |
| | No intentional sharing of user credentials is permitted. |
| | |
| | == Resource Centre Management == |
| | |
| | The ''Resource Centre Management'' must designate a Security contact point (person or team) that is willing and able to collaborate with affected ''participants'' in the management of security incidents and to take prompt action as necessary to safeguard ''services'' and ''resources'' during an incident. |
| | |
| | ''Resource Centres'' must abide by the Service Operations Security Policy, the Traceability and Logging Policy and all other applicable policies ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). |
| | |
| | ''Resource Centres'' acknowledge that participating in the ''e-Infrastructure'' and allowing related inbound and outbound network traffic increases their IT security risk. ''Resource Centres'' are responsible for accepting or mitigating this risk. |
| | |
| | ''Resource Centres'' must deploy effective security controls to protect the confidentiality, integrity and availability of their ''services'' and ''resources''. |
| | |
| | For services requiring authentication of entities the ''Resource Centre'' must abide by the policy on Acceptable Authentication Assurance ([https://wiki.egi.eu/wiki/SPG:Documents wiki.egi.eu/wiki/SPG:Documents]). |
| | |
| | = Physical Security = |
| | |
| | All the requirements for the physical security of ''resources'' are expected to be adequately covered by each ''Resource Centre’s'' local security policies and practices. These should, as a minimum, reduce the risks from intruders, fire, flood, power failure, equipment failure and environmental hazards. Stronger physical security may be required for equipment used to provide certain critical ''services'' such as User Community membership services or credential repositories. The technical details of such additional requirements are contained in the procedures for operating and approving such ''services''. |
| | |
| | = Network Security = |
| | |
| | All the requirements for the networking security of ''resources'' are expected to be adequately covered by each ''Resource Centre’s'' local security policies and practices. |
| | |
| | To support specific ''User Community'' workflows it may be necessary to permit inbound or outbound network traffic. It is the responsibility of the ''Resource Centre'' to accept or mitigate the risks associated with such traffic. |
| | |
| | = Exceptions to Compliance = |
| | |
| | Wherever possible, ''e-Infrastructure'' policies and procedures are designed to apply uniformly to all ''participants''. If this is not possible, for example due to legal or contractual obligations, exceptions may be made. Such exceptions should be time-limited and must be documented and authorised by the ''e-Infrastructure'' Security Officer and, if required, approved at the appropriate level of management. |
| | |
| | In exceptional circumstances it may be necessary for ''participants'' to take emergency action in response to some unforeseen situation which may violate some aspect of this ''policy'' for the greater good of pursuing or preserving legitimate ''e-Infrastructure'' objectives. If such a ''policy'' violation is necessary, the exception should be minimised, documented, time-limited and authorised at the highest level of the ''management'' commensurate with taking the emergency action promptly, and the details notified to the ''e-Infrastructure'' Security Officer at the earliest opportunity. |
| | |
| | = Sanctions = |
|
| |
|
| *<span style="color: windowtext;">A ''Virtual Organisation (or VO)'' is</span><span style="color: rgb(0, 0, 127);"> a</span><span style="color: windowtext;"> grouping of ''users ''and optionally ''resources'', often not bound to a single institution, who, by reason of their common membership and in sharing a common goal, are given authority to use a set of ''resources''.</span>
| | ''Resource Centres'' that fail to comply with this ''policy'' in respect of a ''service'' they are operating may lose the right to have their ''services'' recognised by the ''e-Infrastructure'' until compliance has been satisfactorily demonstrated again. |
| *<span style="color: windowtext;">Included in the definition of a ''VO'' are cases where ''Grid resources'' are offered to individual ''users'' who are not members of a formal ''VO''. These ''users'' are, however, often associated with an applicationcommunity, and these communities, or even a single ''user'', are treated in this document as though they are a ''VO''.</span>
| |
|
| |
|
| *''<span style="color: windowtext;">VO management</span>''<span style="color: windowtext;"> is the collection of various individuals and groups mandated to oversee and control a ''VO''. </span>
| | ''User Communities'' who fail to comply with this ''policy'' may lose their right of access to and collaboration with the ''e-Infrastructure'' and may lose the right to have their ''services'' recognised by the ''e-Infrastructure'' until compliance has been satisfactorily demonstrated again. |
|
| |
|
| *<span style="color: windowtext;">A ''site'' is an entity having administrative control of ''resources'' provided to the ''Grid''. This may be at one physical location or spread across multiple physical locations. </span>
| | ''Users'' who fail to comply with this ''policy'' may lose their right of access to the ''e-Infrastructure'', and may have their activities reported to their ''User Community'' or their home organisation. |
|
| |
|
| *''<span style="color: windowtext;">Site management</span>''<span style="color: windowtext;"> is the collection of various individuals and groups mandated to oversee and control a ''site''.</span>
| | Any activities thought to be illegal may be reported to appropriate law enforcement agencies. |
| *A ''resource administrator'' is the person responsible for installing, operating, maintaining and supporting one or more ''resource(s)'' at a ''site''.
| |
| <div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''1.2''<span> </span></span>''Objectives''</font>'''</div><div style="margin: 2pt 0cm;">This ''policy'' gives authority for actions which may be carried out by certain individuals and bodies and places responsibilities on all ''participants''.</div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''1.3''<span> </span></span>''Scope''</font>'''</div><div style="margin: 2pt 0cm;">This ''policy''applies to all ''participants''.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">Every ''site'' participating in the ''Grid'' autonomously owns and follows their own local security policies with respect to the system administration and networking of all the ''resources'' they own, including ''resources'' which are part of the ''Grid''. This ''policy'' augments local policies by setting out additional ''Grid''-specific requirements.</div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''1.4''<span> </span></span>''Additional Policy Documents''</font>'''</div><div style="margin: 0cm 0cm 12pt;"><span style="font-size: 11pt;">Appendix 1 defines additional policy documents which must exist for a proper implementation of this ''policy''. These documents are referred to in section 2. </span></div><div style="margin: 0cm 0cm 12pt;"><span style="font-size: 11pt;">An accompanying document for each ''Grid'' adopting this ''policy'' must define the ''Grid-''specific locations and version numbers of their approved and adopted additional policy documents.</span></div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''1.5''<span> </span></span>''Ownership and Maintenance''</font>'''</div><div style="margin: 2pt 0cm;">This ''policy'' is prepared and maintained by the Security Policy Group, approved by ''management'' and thereby endorsed and adopted by the ''Grid'' as a whole. </div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">This ''policy'' will be revised by the Security Policy Group as required and resubmitted for formal approval and adoption whenever significant changes are needed. </div><div style="margin: 2pt 0cm;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">The most recently approved version of this document is available at [https://documents.egi.eu/document/86 <font color="#0000ff">https://documents.egi.eu/document/86</font>]</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 12pt 0cm 3pt 21.55pt;">'''<font size="6"><span><font size="5">2</font><span> </span></span><font size="5">Roles and Responsibilities</font></font>'''</div><div style="margin: 2pt 0cm;">This section defines the roles and responsibilities of ''participants''.</div><div style="margin: 2pt 0cm;"></div><div style="margin: 2pt 0cm;">Participants must be uniquely identifiable and the binding of identifiers to participants must be persistent, i.e. no name recycling.</div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''2.1''<span> </span>''<span>The IT Organisation</span>''</span></font>'''</div><div style="margin: 2pt 0cm;">The''IT Organisation ''provides, through the adoption of this ''policy'' and through its representations on the various approving bodies of the ''IT Infrastructure'', the overall authority for the decisions and actions resulting from this ''policy ''including procedures for the resolution of disputes.</div>
| |
| = '''<font size="5"><span>''2.1.1''<span> </span>''<span> The IT </span>''</span>''Security Officer and the CSIRT''</font>''' =
| |
| <div style="margin: 2pt 0cm;">The''IT Organisation ''must appoint a IT Security Officer who leads and/or coordinates the ''CSIRT'' providing the operational security capability.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">The IT Security Officer may, in consultation with the CSIRT, IT Organisation and other appropriate persons, require actions by ''participants'' as are deemed necessary to protect ''resources'' from or contain the spread of IT security incidents. The IT Security Officer also handles requests for exceptions to this ''policy'' as described in section 5</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">The responsibilities of Grid Security Operations include:</div>
| |
| *The maintenance of contact details of security personnel at each participating ''site'' and the facilitation of ''Grid''-related communications between them.
| |
| *Handling of operational security problems as they arise.
| |
| *Providing incident response teams who will act according to the Security Incident Response Policy [6].
| |
| <div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''2.2 Resource Infrastructure Provider Management''</span></font>'''</div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span</span></font>'''</div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''i.e. a Resource Centre Federation''</span></font>'''</div><div style="margin: 12pt 0cm 3pt 28.8pt;"><font size="5"><span>A resource centre federation is resonspible for ensuring compliance of all its resource centre members and provides the capabilities for meeting the responsibilities for its members with respect to this policy and can represent its members towards the IT Organisation.</span></font></div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span</span></font>'''</div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''2.3''<span> </span></span>''Virtual Organisation Management''</font>'''</div><div style="margin: 2pt 0cm;">The responsibilities of the ''VO management'' include:</div><div style="margin: 2pt 0cm;">2.3.0 Appoint a Security Officer or ensure that they have a security incident response capability</div><div style="margin: 12pt 0cm 3pt 36pt;">'''<font size="4"><span>2.3.1<span> </span></span>VO Security Policies</font>'''</div><div style="margin: 2pt 0cm;">''VOs'' are required to abide by the Virtual Organisation Operations Policy [9] and the Virtual Organisation Registration Security Policy [2]. They must have a VO Acceptable Use Policy (AUP) and ensure that only individuals who have agreed to abide by the Grid AUP [1] and the VO AUP are registered as members of the ''VO''.</div><div style="margin: 12pt 0cm 3pt 36pt;">'''<font size="4"><span>2.3.2<span> </span></span>User Registration and VO Membership Service</font>'''</div><div style="margin: 2pt 0cm;">The ''user'' registration procedure of the ''VO'' is required to be consistent with the Virtual Organisation Membership Management Policy [8]. Approval to join the ''VO'' must be restricted to individuals who are recognised as having legitimate rights to membership and who agree to be bound by the AUPs. A VO membership service must be provided with appropriate interfaces to generate authentication, authorization and other identity mapping data for the services running on the ''sites''. ''VO''s are required to maintain the accuracy of the information held and published about their members, and to promptly remove individuals who lose their right to such membership.</div><div style="margin: 12pt 0cm 3pt 36pt;">'''<font size="4"><span>2.3.3<span> </span></span>VO-specific Resources and Services</font>'''</div><div style="margin: 2pt 0cm;">''VO''s are responsible for ensuring that their ''software'' does not pose security threats, that access to their databases is secure and is sufficiently monitored, that their stored ''data ''are compliant with legal requirements, and that VO-specific ''services'' are properly monitored and do not compromise ''sites'' or ''resources''. Need to refer to Service Operations policy... ALso VO Portal policy ... Also their client actions towards other participants.</div><div style="margin: 12pt 0cm 3pt 36pt;">'''<font size="4"><span>2.3.4<span> </span></span>Applying Sanctions to Users</font>'''</div><div style="margin: 2pt 0cm;">''VOs'' are responsible for promptly investigating reports of ''users'' failing to comply with the AUPs and for taking appropriate action to ensure compliance in the future, as defined in section 6.</div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''2.4''<span> </span></span>''Users''</font>'''</div><div style="margin: 2pt 0cm;">All ''users'' must be members of one of the registered ''VOs'' or application communities.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">The responsibilities of ''users'' include:</div><div style="margin: 12pt 0cm 3pt 36pt;">'''<font size="4"><span>2.4.1<span> </span></span>Acceptable Use</font>'''</div><div style="margin: 2pt 0cm;">''Users'' must accept and agree to abide by the Grid Acceptable Use Policy [1] and the VO AUP when they register or renew their registration with a ''VO''. </div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">''Users'' must be aware that their work may utilise shared resources and may therefore affect the work of others. They must show responsibility, consideration and respect towards other ''users'' in the demands they place on the ''Grid''.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">''Users'' must have a suitable authentication credential issued as approved by the ''Grid''. They must ensure that others cannot use their credentials to masquerade as them or usurp their access rights. ''Users'' may be held responsible for all actions taken using their credentials, whether carried out personally or not. No intentional sharing of credentials for ''Grid'' purposes is permitted.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">''Users'' must be aware that their jobs will often use ''resources ''owned by others. They must observe any restrictions on access to ''resources'' that they encounter and must not attempt to circumvent such restrictions.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">Application software written or selected by ''users'' for execution on ''resources'' must be directed exclusively to the legitimate purposes of their ''VO''. Such software must respect the autonomy and privacy of the host ''sites'' on whose ''resources'' it may run.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 12pt 0cm 3pt 28.8pt;">'''<font size="5"><span>''2.5''<span> </span></span>''<span><span>Resource Centre</span></span> '''</font>'''<font size="5">''Management''</font</div>
| |
| '''<div style="margin: 2pt 0cm;">The responsibilities of the ''Site management'' include:</div><div style="margin: 12pt 0cm 3pt 36pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 36pt;"><font size="4"><span>2.5.1<span> </span></span>Site Operations Policy</font</div>
| |
| '''<div style="margin: 2pt 0cm;">''Sites'' hosting ''resources ''are required to provide reliable and well managed ''services'' and abide by the Grid Site Operations Policy [3]. ''Sites'' must abide by the Site Registration Security Policy [7] and the Grid Security Traceability and Logging Policy [5].</div><div style="margin: 12pt 0cm 3pt 36pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 36pt;"><font size="4"><span>2.5.2<span> </span></span>Mitigating Risks</font</div>
| |
| '''<div style="margin: 2pt 0cm;">''Sites'' acknowledge that participating in the ''Grid'' increases the risk from security incidents, to both</div><div style="margin: 2pt 0cm;">''Grid'' and non-''Grid'' hosts on each site. ''Sites'' are responsible for mitigating this risk.</div><div style="margin: 12pt 0cm 3pt 36pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 36pt;"><font size="4"><span>2.5.3<span> </span></span>Incident Response</font</div>
| |
| '''<div style="margin: 2pt 0cm;">''Sites ''accept the duty to cooperate with Grid Security Operations and others in investigating and resolving security incidents, and to take responsible action as necessary to safeguard ''resources'' during an incident in accordance with the Security Incident Response Policy [6]. </div><div style="margin: 12pt 0cm 3pt 36pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 36pt;"><font size="4"><span>2.5.4<span> </span></span>Access Control</font</div>
| |
| '''<div style="margin: 2pt 0cm;">Access to all ''resources'' is controlled by a common grid security infrastructure which includes both authentication and authorization components. The global components of this infrastructure, e.g. as specified in the Approval of Certification Authorities [4], must be deployed by all ''sites'' and ''resources''. The deployment of additional local security measures is permitted should the local security policies of the site or resource administration require this.</div><div style="margin: 12pt 0cm 3pt 36pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 36pt;"><font size="4"><span>2.5.5<span> </span></span>Notification of Legal Compliance Issues</font</div>
| |
| '''<div style="margin: 2pt 0cm;">If exceptions or extensions to this ''policy'' are required because of local legislation, the ''site'' must inform the Grid Security Officer(see section 5).</div><div style="margin: 12pt 0cm 3pt 28.8pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 28.8pt;"><font size="5"><span>''2.6''<span> </span></span>''Resource Centre Administrators''</font</div>
| |
| '''<div style="margin: 2pt 0cm;">In addition to their local site policy ''resource centre administrators'' must ensure their implementations of ''services'' comply with this ''policy''. </div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">The responsibilities of ''resource centre administrators'' include:</div><div style="margin: 12pt 0cm 3pt 36pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 36pt;"><font size="4"><span>2.6.1<span> </span></span>Notifying Site Personnel</font</div>
| |
| '''<div style="margin: 2pt 0cm;">''Resource administrators'' are responsible for ensuring that their ''site ''is registered with the ''Grid'' and that all appropriate personnel concerned with security or system management at their ''site'' are notified of and accept the requirements of this ''policy'' before offering any ''services''.</div><div style="margin: 12pt 0cm 3pt 36pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 36pt;"><font size="4"><span>2.6.2<span> </span></span>Resource Administration</font</div>
| |
| '''<div style="margin: 2pt 0cm;">The ''resource administrators'' are responsible for the installation and maintenance of ''resources'' assigned to them, including the ongoing security and integrity.</div><div style="margin: 12pt 0cm 3pt 21.55pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 21.55pt;"><font size="6"><span><font size="5">3</font><span> </span></span><font size="5">Physical Security</font></font</div>
| |
| '''<div style="margin: 2pt 0cm;">All the requirements for the physical security of ''resources'' are expected to be adequately covered by each ''site’s'' local security policies and practices. These should, as a minimum, reduce the risks from intruders, fire, flood, power failure, equipment failure and environmental hazards.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">Stronger physical security may be required for equipment used to provide certain critical ''services'' such as VO membership services or credential repositories. The technical details of such additional requirements are contained in the procedures for operating and approving such ''services''.</div><div style="margin: 12pt 0cm 3pt 21.55pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 21.55pt;"><font size="6"><span><font size="5">4</font><span> </span></span><font size="5">Network Security</font></font</div>
| |
| '''<div style="margin: 2pt 0cm;">All the requirements for the networking security of ''resources'' are expected to be adequately covered by each ''site’s'' local security policies and practices. These should, as a minimum, reduce the risks from intruders and failures of hardware or software by implementing appropriate firewall protection, by the timely application of all critical security-related software patches and updates, and by maintaining and observing clearly defined incident response procedures.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">It is ''Grid ''policy to minimise the security risk exposed by applications which need to communicate across the Internet; even so, the peripheral firewall on every participating ''site ''may be required to permit the transit of inbound and outbound packets to/from certain port numbers between a number of external and internal hosts in order to run or reach ''services''.</div><div style="margin: 12pt 0cm 3pt 21.55pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 21.55pt;"><font size="6"><span><font size="5">5</font><span> </span></span><font size="5">Limits to Compliance</font></font</div>
| |
| '''<div style="margin: 2pt 0cm;">Exceptions to compliance with this ''policy'' include, but are not limited to, the following:</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">Wherever possible, ''IT Infrastructure'' policies and procedures are designed so that they may be applied uniformly across all resource centre federations, resource centres'' ''and''VOs.'' If this is not possible, for example due to legal or contractual obligations, exceptions may be made. Such exceptions must be justified in a document submitted to the IT Security Officer for authorisation and, if required, approval at the appropriate level of management.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">In exceptional circumstances it may be necessary for ''participants'' to take emergency action in response to some unforeseen situation which may violate some aspect of this ''policy'' for the greater good of pursuing or preserving legitimate ''IT Infrastructure'' objectives. If such a ''policy'' violation is necessary, the exception should be minimised, documented, time-limited and authorised at the highest level of the ''management'' commensurate with taking the emergency action promptly, and the details notified to the IT Security Officer at the earliest opportunity.</div><div style="margin: 12pt 0cm 3pt 21.55pt;"></div>'''
| |
| <div style="margin: 12pt 0cm 3pt 21.55pt;"><font size="6"><span><font size="5">6</font><span> </span></span><font size="5">Sanctions</font></font</div>
| |
| '''<div style="margin: 2pt 0cm;">''Resource Infrastructure Providers - need a para''</div>'''
| |
|
| |
|
| <div style="margin: 2pt 0cm;"</div>
| | [[Category:Security_Policy_Group_(SPG)]] |
| <div style="margin: 2pt 0cm;">''Sites'' or ''resource administrators'' who fail to comply with this ''policy'' in respect of a ''service'' they are operating may lose the right to have that service instance recognised by the ''Grid'' until compliance has been satisfactorily demonstrated again.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">''Users'' who fail to comply with this ''policy'' may lose their right of access to and/or collaboration with the ''Grid'', and may have their activities reported to their home institute or, if those activities are thought to be illegal, to appropriate law enforcement agencies.</div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;">''VOs'' which fail to comply with this ''policy''','''''together with all the ''users'' whose rights with respect to the ''Grid'' derives from that ''VO'', may lose their right of access to and/or collaboration with the ''Grid''. </div><div style="margin: 2pt 0cm;"> </div><div style="margin: 2pt 0cm;"><strike>The issues of liability, dispute resolution and intellectual property rights, all of which may be ''Grid''-specific, should be addressed in the additional policy documents. </strike>(We propose to delete this sentence)</div><div style="margin: 2pt 0cm;"> </div>
| |
| '''<span style="text-transform: uppercase; font-size: 16pt;" />'''
| |
| <div style="margin: 12pt 0cm 3pt 21.55pt;">'''<font size="6"><span><font size="5">7</font><span> </span></span><font size="5">Appendix 1: Additional Policy Documents</font></font>'''</div><div style="margin: 2pt 0cm;">The current list of additional policy documents describing procedures, rules and other technical details required to implement this ''policy'' are presented here.</div><div style="margin: 2pt 0cm;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">The current versions may always be found in the EGI document database at<br>[https://documents.egi.eu/public/DocumentDatabase <font color="#0000ff">EGI Document Database</font>]<br><br></div><div style="margin: 2pt 0cm;">An accompanying document for each ''Grid'' adopting this ''policy'' must define the ''Grid-''specific locations and version numbers of their approved and adopted additional policy documents</div><div style="margin: 2pt 0cm;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">The additional policy documents with their web links are as follows:<br><br></div><div align="left" style="margin: 2pt 0cm; text-align: left;">[1] Grid Acceptable Use Policy, [https://documents.egi.eu/document/74 <font color="#0000ff">https://documents.egi.eu/document/74</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[2] Virtual Organisation Registration Security Policy, [https://documents.egi.eu/document/78 <font color="#0000ff">https://documents.egi.eu/document/78</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;"> [3] Grid Site Operations Policy, [https://documents.egi.eu/document/75 <font color="#0000ff">https://documents.egi.eu/document/75</font>] </div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[4] Approval of Certification Authorities, [https://documents.egi.eu/document/83 <font color="#0000ff">https://documents.egi.eu/document/83</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[5] Grid Security Traceability and Logging Policy, [https://documents.egi.eu/document/81 <font color="#0000ff">https://documents.egi.eu/document/81</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[6] Security Incident Response Policy, [https://documents.egi.eu/document/82 <font color="#0000ff">https://documents.egi.eu/document/82</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[7] Site Registration Security Policy, [https://documents.egi.eu/document/76 <font color="#0000ff">https://documents.egi.eu/document/76</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[8] Virtual Organisation Membership Management Policy,<br>[https://documents.egi.eu/document/79 <font color="#0000ff">https://documents.egi.eu/document/79</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[9] Virtual Organisation Operations Policy, [https://documents.egi.eu/document/77 <font color="#0000ff">https://documents.egi.eu/document/77</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[10] VO Portal Policy, [https://documents.egi.eu/document/80 <font color="#0000ff">https://documents.egi.eu/document/80</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[11] Policy on Grid Multi User Pilot Jobs, [https://documents.egi.eu/document/84 <font color="#0000ff">https://documents.egi.eu/document/84</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[12] Grid Policy on the Handling of User-Level Job Accounting Data, [https://documents.egi.eu/document/85 <font color="#0000ff">https://documents.egi.eu/document/85</font>]</div><div align="left" style="margin: 2pt 0cm; text-align: left;"> </div><div align="left" style="margin: 2pt 0cm; text-align: left;">[13] Security Policy Glossary of Terms, [https://documents.egi.eu/document/71 <font color="#0000ff">https://documents.egi.eu/document/71</font>]</div><div style="margin: 2pt 0cm;"> </div>
| |
The *new draft* e-Infrastructure Security Policy
This is a DRAFT document being revised by EGI SPG. It is not final and has not been approved or adopted. The currently adopted top-level security policy document is available at https://documents.egi.eu/document/86.
This policy is one of a set of documents that together define the Security Policy (wiki.egi.eu/wiki/SPG:Documents). This individual document must be considered in conjunction with all the policy documents in the set.
Introduction and Definitions
To fulfil its mission, it is necessary for the e-Infrastructure to protect its assets. This document presents the policy regulating those activities of participants related to the security of the e-Infrastructure.
Definitions
The phrase e-Infrastructure when italicised in this document, means all of the people and organisations, hardware, software, networks, facilities, etc. that are required to develop, test, deliver, monitor, control or support IT services.
The other italicised words used in this document are defined as follows:
- Policy is interpreted to include rules, responsibilities and procedures specified in this document together with all those in other documents which are required to exist by stipulations in this document.
- A participant is any entity providing, using, managing, operating, supporting or coordinating one or more IT service(s).
- A service is any computing or software system, which provides access to, information about or controls resources.
- A resource is the equipment and software required to run a service on the e-Infrastructure, and any data held on the service.
- Included in the definition of equipment are processors and associated disks, tapes and other peripherals, storage systems and storage media, networking components and interconnecting media.
- Included in the definition of software are operating systems, utilities, compilers and other general purpose applications, any software required to operate any equipment, software and middleware released and/or distributed by the e-Infrastructure and any software required to support any application associated with User Communities or other authorised users.
- Included in the definition of data are data required to operate any equipment defined as a resource, data required to operate any service, data intended to be processed or produced by any software defined as a resource, and any application data.
- The Management is the collection of the various boards, committees, groups and individuals mandated to oversee and control the e-Infrastructure.
- A User is an individual who has been given authority to access and use e-Infrastructure resources.
- A User Community is a grouping of Users and optionally resources, usually not bound to a single institution, who, by reason of their common membership and in sharing a common goal, are given authority to use a set of resources.
- Included in the definition of a User Community are cases where resources are offered to individual Users who are not members of an explicitly organised User Community.
- The User Community Management is the collection of various individuals and groups mandated to oversee and control a User Community.
- A Resource Centre is an entity having administrative control of resources provided to the e-Infrastructure. This may be at one physical location or spread across multiple physical locations.
- Resource Centre Management is the collection of various individuals and groups mandated to oversee and control a Resource Centre.
Other terms are defined in the [Glossary].
In this document the key words `must', `must not', `required', `shall', `shall not', `recommended', `may', and `optional' are to be interpreted as described in RFC 2119.
Objectives
This policy gives authority for actions which may be carried out by designated individuals and organisations and places responsibilities on all participants.
Scope
This policy applies to all participants. Every Resource Centre participating in the e-Infrastructure autonomously follows their local policies with respect to the services and resources they own, including those which are part of the e-Infrastructure. This policy augments local policies by setting out additional e-Infrastructure-specific requirements.
Additional Policy Documents
Additional policy documents required for a proper implementation of this policy may be found at a location specific to the e-Infrastructure (wiki.egi.eu/wiki/SPG:Documents).
Approval and Maintenance
This policy is prepared and maintained by the Security Policy Group, approved by Management and thereby endorsed and adopted by the e-Infrastructure as a whole. This policy will be revised by the Security Policy Group as required and resubmitted for formal approval and adoption whenever significant changes are needed. The most recently approved version of this document is available at (wiki.egi.eu/wiki/SPG:Documents).
Roles and Responsibilities
This section defines the roles and responsibilities of participants.
The Management
The Management provides, through the adoption of this policy and through its representations on the various management bodies of the e-Infrastructure, the overall authority for the decisions and actions resulting from this policy including procedures for the resolution of disputes.
The Management provides the capabilities for meeting its responsibilities with respect to this policy.
The Management is responsible for ensuring compliance of its participants and can represent them towards third parties with respect to this policy.
The e-Infrastructure Security Officer and the CSIRT
The Management must appoint a Security Officer who leads and coordinates the operational security capability (CSIRT). The Security Officer may, in consultation with the CSIRT, Management and other appropriate persons, require actions by participants as are deemed necessary to protect the e-Infrastructure from or contain the spread of IT security incidents. The Security Officer also handles requests for exceptions to this policy as described in section Exceptions to Compliance.
The User Community Management must designate a Security contact point (person or team) that is willing and able to collaborate with affected participants in the management of security incidents.
The User Community Management should abide by the e-Infrastructure policies in the areas of Acceptable Use, User Registration and Membership Management and all other applicable policies (wiki.egi.eu/wiki/SPG:Documents). Exceptions to this must be handled as in section Exceptions to Compliance. They must ensure that only individuals who have agreed to abide by the e-Infrastructure AUP (wiki.egi.eu/wiki/SPG:Documents) and the User Community AUP are registered as members of the User Community.
User Community Management and Users that provide and/or operate resources or services must abide by the Service Operations Security Policy , the Traceability and Logging Policy and all other applicable policies (wiki.egi.eu/wiki/SPG:Documents).
For services requiring authentication of entities the User Community Management must abide by the policy on Acceptable Authentication Assurance (wiki.egi.eu/wiki/SPG:Documents).
User Community Management is responsible for promptly investigating reports of Users failing to comply with the policies and for taking appropriate action to limit the risk to the e-Infrastructure and ensure compliance in the future, as defined in section Sanctions.
Users
Users must accept and agree to abide by the e-Infrastructure Acceptable Use Policy (wiki.egi.eu/wiki/SPG:Documents) and the User Community AUP when they register or renew their registration with a User Community.
Users must use services and resources only in pursuit of the legitimate purposes of their User Community. They must respect the autonomy and privacy of the host Resource Centres on whose resources it may run. They must not attempt to circumvent any restrictions on access to resources and services. Users must show responsibility, consideration and respect towards other participants in the demands they place on the e-Infrastructure.
Users that provide and/or operate resources or services must abide by the Service Operations Security Policy and all other applicable policies (wiki.egi.eu/wiki/SPG:Documents).
For services requiring authentication of entities the Users must abide by the policy on Acceptable Authentication Assurance (wiki.egi.eu/wiki/SPG:Documents).
Users may be held responsible for all actions taken using their credentials, whether carried out personally or not.
No intentional sharing of user credentials is permitted.
Resource Centre Management
The Resource Centre Management must designate a Security contact point (person or team) that is willing and able to collaborate with affected participants in the management of security incidents and to take prompt action as necessary to safeguard services and resources during an incident.
Resource Centres must abide by the Service Operations Security Policy, the Traceability and Logging Policy and all other applicable policies (wiki.egi.eu/wiki/SPG:Documents).
Resource Centres acknowledge that participating in the e-Infrastructure and allowing related inbound and outbound network traffic increases their IT security risk. Resource Centres are responsible for accepting or mitigating this risk.
Resource Centres must deploy effective security controls to protect the confidentiality, integrity and availability of their services and resources.
For services requiring authentication of entities the Resource Centre must abide by the policy on Acceptable Authentication Assurance (wiki.egi.eu/wiki/SPG:Documents).
Physical Security
All the requirements for the physical security of resources are expected to be adequately covered by each Resource Centre’s local security policies and practices. These should, as a minimum, reduce the risks from intruders, fire, flood, power failure, equipment failure and environmental hazards. Stronger physical security may be required for equipment used to provide certain critical services such as User Community membership services or credential repositories. The technical details of such additional requirements are contained in the procedures for operating and approving such services.
Network Security
All the requirements for the networking security of resources are expected to be adequately covered by each Resource Centre’s local security policies and practices.
To support specific User Community workflows it may be necessary to permit inbound or outbound network traffic. It is the responsibility of the Resource Centre to accept or mitigate the risks associated with such traffic.
Exceptions to Compliance
Wherever possible, e-Infrastructure policies and procedures are designed to apply uniformly to all participants. If this is not possible, for example due to legal or contractual obligations, exceptions may be made. Such exceptions should be time-limited and must be documented and authorised by the e-Infrastructure Security Officer and, if required, approved at the appropriate level of management.
In exceptional circumstances it may be necessary for participants to take emergency action in response to some unforeseen situation which may violate some aspect of this policy for the greater good of pursuing or preserving legitimate e-Infrastructure objectives. If such a policy violation is necessary, the exception should be minimised, documented, time-limited and authorised at the highest level of the management commensurate with taking the emergency action promptly, and the details notified to the e-Infrastructure Security Officer at the earliest opportunity.
Sanctions
Resource Centres that fail to comply with this policy in respect of a service they are operating may lose the right to have their services recognised by the e-Infrastructure until compliance has been satisfactorily demonstrated again.
User Communities who fail to comply with this policy may lose their right of access to and collaboration with the e-Infrastructure and may lose the right to have their services recognised by the e-Infrastructure until compliance has been satisfactorily demonstrated again.
Users who fail to comply with this policy may lose their right of access to the e-Infrastructure, and may have their activities reported to their User Community or their home organisation.
Any activities thought to be illegal may be reported to appropriate law enforcement agencies.
The wiki is deprecated and due to be decommissioned by the end of September 2022.