Security Incident Response Policy

From JSPGwiki

Draft policy document - not yet approved or adopted.

This is version 3.2, as agreed at the JSPG meeting on 26 June 2009 ("Final Call").

The currently approved and adopted policy document is called "LCG/EGEE Incident Handling and Response Guide" (version 2.1, dated 15 June 2005) and may be found at https://edms.cern.ch/document/428035/4

Security Incident Response Policy

A security incident is the act of violating an explicit or implied security policy (for example, a local security policy or a grid security policy). Nothing in this policy is meant to restrict the flow of information from a site to incident response teams or other organizations to which the participant is required to report incidents.

The objective of this policy is to ensure that all incidents are investigated as fully as possible and that sites promptly report intrusions. In particular, security incidents are to be treated as serious matters and their investigation must be resourced appropriately.

Effective security incident response depends on the maintenance of grid security contact information as defined by the Grid (including the Site Registration Policy & Procedure (https://edms.cern.ch/document/503198/) and the Virtual Organisation Registration Security Policy (https://edms.cern.ch/document/573348/)).

The Grid will appoint an incident coordinator for each suspected incident, in order to promote cooperation across the sites and collaboration with peer grids, and will assign each incident a unique identifier, which is considered public information. The coordinator may share incident information as appropriate with other organisations, in particular peer Grids which have adopted this policy.

As a grid participant, you agree to the conditions laid down in this document and other referenced documents that may be revised from time to time.

  1. You shall promptly report suspected security incidents to your local organization's incident response team.
  2. You shall promptly report suspected security incidents (or your involvement therein) that have known or potential impact or relationship to grid resources, services, or identities, via the incident response channels defined by the Grid.
  3. You shall follow the incident response procedure defined by the Grid.
  4. You shall promptly respond to and investigate incident reports regarding resources, services, or identities for which you are responsible.
  5. You shall perform appropriate investigations and forensics and share the results with the incident coordinator.
  6. You shall aim to preserve the privacy of involved participants and identities, and ensure that information shared with you is not publicly archived or published at your end without prior agreement from both the sender and the incident coordinator appointed by the Grid for that incident. Public disclosure of information regarding security events should be handled through the site Public Relations contacts.