View Source

Aim:

We have had a lot of feedback that the Policy Development Kit (which came from the AARC project) is good but doesn't necessarily fit use cases. People have to make significant modifications. We would like to pull in the feedback from these first-hand implementation experiences and produce an improved set of templated policies.

In particular, some communities are looking for something very easy to pick up and define requirements on participating services (e.g. CS3MESH). Our first objective is to update the Security Operations Policy (and possibly the top level policy that ties participants together).

Meetings:

Discussed during EUGridPMA October 2021
October 4th 2021
Friday 22nd (morning) 10:00 CEST
At the WISE/SIG-ISM Meeting October 26/27 https://events.geant.org/event/742/ and Slides
November 15th 15:00 CET
November 29th 15:00 CET
December 13th 15:00 CET

Resources:

The final work from the AARC Project is at https://aarc-community.org/policies/policy-development-kit/ this has been slightly updated with time

We have a (unmaintained) Moodle course at https://e-academy.geant.org/moodle/course/view.php?id=16

Existing Security Operations Policy Options:

PDK version https://docs.google.com/document/d/1_cNMF3l3YVPqBBH0MPqx9DLAL1t3Z33_fJcjln8Xk48/edit#heading=h.idp93lqbm8kt
The PDK was used to produce a Service Operations Security Policy for EOSC-hub which was then also adopted by EGI. Some wording was changed from the initial PDK to the EOSC-hub version, including the reference to Sirtfi was removed from point 4 and "Privacy Statement" was changed to "Privacy Notice"
- The EOSC-hub/EGI policy from June 2020 onwards is available at: https://documents.egi.eu/document/3601
The EOSC Security Baseline may serve as a best option for loosely coupled federations https://docs.google.com/document/d/1a8TQAfOnB0CADo_n5nn7-DQX6jV7Iz-2i90hBAzMgGY/edit#heading=h.eyau1431a74f (plan to adopt almost as is)
- Based on Iris https://www.iris.ac.uk/wp-content/uploads/2021/05/IRIS-Service-Operations-Security-Policy.pdf (though that one removed Sirtfi and only referred to it in footnotes. Wanted self contained). Advantage is long list of references.
- Less prescriptive
Elixir
- This is our Service operations security policy:
  https://docs.google.com/document/d/1TKczGc_9U-i3XTT3pVqy8EpHyMrTZ9m9rMFFwhlFMtg/edit?usp=sharing
- You may be interested also in our ToU for service providers which was missing from AARC PDK and was developed by ourselves:
  https://docs.google.com/document/d/10DBkPr_zWpFJPWTav8SMw61IVExIU0349pUkBl9cLjw/edit# It has the same license as the AARC PDK (CC-BY-SA-NC)
- See page 14 - 15 for feedback from life sciences https://zenodo.org/record/4559400#.YWRFLC8RpQI
Trusted CI https://www.trustedci.org/guide-overview?rq=MISPP
HIFIS (previously HDF) https://hifis.net/doc/helmholtz-aai/security-response/

Working Documents:

Google doc with new version of Service Operations Security Policy https://docs.google.com/document/d/1oO2OsBG99Wf3ecvjU28qma4ubyzpBJgMIB93eRpz6Ck/edit#heading=h.idp93lqbm8kt

WISE Meeting October 27th

Time	Item
10m	PDK introduction Working Group plug
10m	Evolution of Security Operations Policy Different users already David and EOSC Baseline (refer to yesterday) Comparison table
10m	Q&A e.g. feedback from CS3MESH
30m	Work on Security Operations Policy (not the baseline) and incorporate feedback Comments in doc very welcome in advance

Actions:

Hannah: Ask ELIXIR if they used the Security Operations Policy
Hannah: Ask Uros/Marcus about HDF use
Ian: share Iris and PDK Policy comparison (Updated 11/11/2021 - Added Sirtfi column to doc)

Hannah: Create PDK section on WISE website
Hannah: Revise comments on Service Operations Security Policy
?: Diagram of policies, how they fit together and how they support SCI

This was drawn a while ago. Does not address SCI or exactly fit requirements but may provide basis for improvement.