Difference between revisions of "Talk:SPG:Drafts:Security Policy"
Edit summary of the first revision: Created page with '= Original Version 1 of the policy document = <div style="margin: 12pt 0cm 3pt 21.55pt;">'''<font size="6"><span><font size="5">1</font><span> </span></span><font size="…'
(4 intermediate revisions by the same user not shown)
Line 1 in the old revision: = Original Version 1 of the policy document =
Line 1 in the new revision: = Discussion on the new draft version (November 2016 onwards) =
The new revision inserts the discussion section (reproduced in the latest revision below) ahead of the original policy text and demotes the original heading to == Original Version 1 of the policy document ==; the policy text that follows is unchanged.
Unchanged in both revisions (the start of the original policy text):
1 Introduction and Definitions
To fulfil its mission, it is necessary for the Grid to protect its resources. This document presents the policy regulating those activities of Grid participants related to the security of Grid services and Grid resources.
1.1 Definitions
The word Grid, when italicised in this document, means any project or operational infrastructure which uses grid technologies and decides to adopt this policy.
The other italicised words used in this document are defined as follows:
Latest revision as of 10:20, 15 November 2016
Discussion on the new draft version (November 2016 onwards)
Comments from Hannah Short (CERN) on 7 Nov 2016
The content looks good, I certainly agree with removing grid terminology and moving the AUP outside. A few minor niggles with the structure:
- Roles and Responsibilities
A separate User Community Security Contact role section would aid clarity, same for Resource Centre
A lot of the definitions double as roles & resps, would it be enough to remove these duplicates and say “other terms are defined in roles & responsibilities”? I would remove those with “* Management” from definitions but leave as a role
Answer from DaveK: Thanks. I see what you are getting at but I am not sure, SPG should discuss.
- Network Security
You define a responsibility of the Resource Centre that isn’t included in the Roles & Resps section above.
Answer from DaveK: Thanks. New wording for one of the Resource Centre Management responsibilities: Resource Centres acknowledge that participating in the e-Infrastructure and allowing related inbound and outbound network traffic increases their IT security risk. Resource Centres are responsible for accepting or mitigating this risk.
- Exceptions to Compliance
“details notified to the Security Officer” which Security Officer? There are 3 defined in the policy
Answer from DaveK: Thanks. Now says e-Infrastructure Security Officer.
- Sanctions
User Community not in Italics
“Any activities thought to be illegal may be reported to appropriate law enforcement agencies.” Does this not leave us in a difficult position? I would rather replace “may” with “will”, but I see the issues with both ways. I imagine you discussed this.
Answer from DaveK: Thanks. Fixed the missing italics. Regarding illegal may or will, this has been discussed a long time ago and we prefer to leave as "may". For one it may not be "us" who does the reporting.
More comments?
Original Version 1 of the policy document
- Policy is interpreted to include rules, responsibilities and procedures specified in this document together with all those in other documents which are required to exist by stipulations in this document.
- A participant is any entity providing, using, managing, operating, supporting or coordinating one or more Grid service(s).
- A service is any computing or software system, based on grid technologies, which provides access to, information about or controls resources.
- A resource is the equipment and software required to run a service on the Grid, and any data held on the service.
- Included in the definition of equipment are processors and associated disks, tapes and other peripherals, storage systems and storage media, networking components and interconnecting media.
- Included in the definition of software are operating systems, utilities, compilers and other general purpose applications, any software required to operate any equipment, software and middleware released and/or distributed by the Grid and any software required to support any application associated with Virtual Organisations or other authorized users.
- Included in the definition of data are data required to operate any equipment defined as a resource, data required to operate any service, data intended to be processed or produced by any software defined as a resource, and any application data.
- Management is the collection of the various boards, committees, groups and individuals mandated to oversee and control the Grid.
- A user is an individual who has been given authority to access and use Grid resources.
- A Virtual Organisation (or VO) is a grouping of users and optionally resources, often not bound to a single institution, who, by reason of their common membership and in sharing a common goal, are given authority to use a set of resources.
- Included in the definition of a VO are cases where Grid resources are offered to individual users who are not members of a formal VO. These users are, however, often associated with an application community, and these communities, or even a single user, are treated in this document as though they are a VO.
- VO management is the collection of various individuals and groups mandated to oversee and control a VO.
- A site is an entity having administrative control of resources provided to the Grid. This may be at one physical location or spread across multiple physical locations.
- Site management is the collection of various individuals and groups mandated to oversee and control a site.
- A resource administrator is the person responsible for installing, operating, maintaining and supporting one or more resource(s) at a site.
- The maintenance of contact details of security personnel at each participating site and the facilitation of Grid-related communications between them.
- Handling of operational security problems as they arise.
- Providing incident response teams who will act according to the Security Incident Response Policy [6].
- Handling requests for exceptions to this policy as described in section 5.
https://documents.egi.eu/document/79