AUDIENCE: RESEARCH COMMUNITY MANAGEMENT

Many of your questions will not be answered by choosing a technical stack; arguably some of the most difficult issues relate to policy. Whatever software you choose, those responsible for your research community will need to be able to show that the following considerations, among others, have been addressed:

  • How are members identified, verified and removed from the collaboration?
  • Are all services within the AAI applying security patches?
  • What will happen when there is a security incident?
  • Who has access to user data?

AARC’s policy guidelines are a compilation of best practices and recommendations that help research infrastructures and e-Infrastructures to implement scalable and cost-effective policy and operational frameworks for their AARC BPA compliant AAIs. These documents aim to ensure three core capabilities for research infrastructures: operational security, trustworthy membership management and data protection.

The set of necessary policies has been reviewed in AARC-I082 in the light of several years of experience running the AARC BPA in practice. AARC-I082 addresses trust across the entire chain of AAI components and aims to make it possible to trace any piece of information back to its original source: establishing trust is harder when it is not possible to see which link in the ‘chain’ asserts which information, and how trustworthy that link is.

Practical steps for adopting AARC’s policy recommendations

  1. Define a unique name for your collaboration (we recommend a DNS name to avoid collisions)
  2. Identify a governance body to make policy decisions
  3. Define the purpose of your collaboration (this will be used for your AUP)
  4. We strongly suggest:
    1. Identifying your primary assets
    2. Completing a risk assessment
    3. Defining your rules of participation and the escalation procedure in case of non-compliance
    4. Identifying any additional legal and regulatory compliance necessary
  5. Define the following documents and seek endorsement from your governance body

    Document                                         | AARC template                              | Example (where no template is recommended)
    -------------------------------------------------|--------------------------------------------|----------------------------------------------------------
    Attribute Authority Operational Security Policy  | Attribute Authority Operational Security   |
    Acceptable Use Policy                            | WISE AUP                                   |
    Incident response procedure                      |                                            | EOSC, UK-IRIS, AARC federated incident response procedure
    Membership management                            | Membership Management                      |
    Privacy Policy                                   |                                            | REFEDS privacy notice, UK-IRIS
    Security Operational Baseline                    | Security Operational Baseline              |


  6. Review the AEGIS endorsed policy guidelines required for AARC compliance and ensure they are implemented technically, for example:
    1. Identify your assurance requirements following AARC-G031
    2. Identify suitable token lifetimes following AARC-G081
  7. Ensure that the policies are presented to and accepted by the relevant audiences (e.g. service operators, end users)
  8. Publish your documents and the responsible parties at a suitable location


Recommendation

The steps above will be elaborated in a future version of the AARC Policy Development Kit, to be released in January. We strongly suggest leveraging this work for the following reasons:

  • Save time - the templates have been well researched and adopted in production AAIs by many research communities
  • Speak for the AAI - all components should be bound by a common set of policies, so that you can make accurate statements on security and data protection for the entire infrastructure
  • Enable access for researchers - some research communities require evidence that researchers’ Identity Providers have adopted the policies before access is granted
  • Limit interoperability inconveniences for end users - by adopting common policies, such as the Acceptable Use Policy, together we can reduce the number of clicks required by end users to access services
