Policy Framework

From JSPGwiki

A Security Policy Framework for Collaborating Grids.

Discussion at JSPG meeting - 8 Dec 2009 (CERN)

Policy items:

  1. Registration
  2. Incident Response
  3. Traceability
  4. Personal Data Protection
  5. Monitoring & auditing (policy compliance)
  6. Vulnerability management - Patching (sub-component)
  7. Choice of security software (authn technology for example)
  8. IPR
  9. Liability
  10. Access Control
  11. Operational Responsiveness
  12. Behaviour/Good citizenship (operational quality?)
  13. Protection of user/application data
  14. Legal compliance
  15. Change management, risk assessment
  16. Best practice

What follows below was discussed at the JSPG face to face meeting on 16/17 Sep 2009. Major changes were made there. This wiki page therefore needs updating. Work to be done!

Collaborating Grids should implement a security policy framework aimed at managing cross-Grid operational security risks by addressing all of the following areas:

Operational Security

A collaborating Grid must provide the following components:

  • A process to register sites and record contact information for at least one manager and a security contact
  • A documented and publicly available process to manage vulnerabilities in any software distributed to its participants. This must include the vulnerability reporting and disclosure process.
  • A documented escalation procedure to ensure that any participating site posing a significant and immediate threat to the rest of the infrastructure is temporarily suspended
  • A Grid Security Officer to enforce the regulation of security policies. He/she has powers to require actions as deemed necessary to protect resources from, or contain the spread of, an incident.
  • A process that ensures that security patches are applied in a timely manner
  • A documented escalation procedure to handle non-compliant sites.


Incident Response

A collaborating Grid must provide the following components:

  • A public webpage containing contact details to report and discuss security incidents
  • An incident response procedure aimed at the sites. This document must be publicly available and must ensure that security incidents are handled and investigated in a timely manner, as well as appropriately resourced
  • During the resolution process of a security incident, the grid collaborates in a timely manner with organisations in the same community, in particular with affected grid, site and NREN CSIRTs

User Responsibilities

A collaborating Grid must provide the following components:

  • An Acceptable Use Policy (AUP) by which end users of its resources must agree to abide, describing the responsibilities of the user to aim to maintain a secure environment and to collaborate with grid security operations when needed
  • Traceability and logging requirements to be used in identifying the source of security incidents and the identity of the individual(s) involved.
  • A documented escalation procedure to ensure that any participating user posing a threat to the rest of the infrastructure, or not following its AUP, is temporarily suspended
  • A process to manage the authorisation of individuals and/or groups (e.g. virtual organisations), including a description of the purpose and scope of their intended use of Grid resources. The process should cover at least the following: registration, removal, suspension, authorisation and the mechanism in place to contact any end user for administrative or security purposes

Site/Resource Provider/Service Provider Responsibilities

A collaborating Grid must provide the following components:

  • A process to register sites and record and maintain contact information for at least one manager and a security contact
  • A set of requirements and responsibilities on sites to meet the operational security and data handling components (see elsewhere), including at least
    • data protection/handling
    • patching of software
    • traceability and logging
    • security incident response
    • access control and Grid-wide authentication and authorisation (do we need to define interoperable security middleware somewhere?)


Data Protection

A collaborating Grid must provide the following components:

  • A classification of data including at least public and confidential
  • For confidential data, a process for handling it so that only authorised access is allowed
    • including confidentiality of logged information
  • A process for handling data marked as confidential by a collaborating Grid
  • A procedure for dealing with any exposure of confidential data
  • A policy and procedures for the handling of personal data that comply with Data Protection laws both inside the Grid and in any collaborating Grid with which personal data is exchanged

Exclusions

We have considered and deliberately excluded: IPR, liability, software licensing, copyright.