- Created by Baptiste Grenier, last modified on 2024 Aug 05
These pages contain ISM Policies and ISM Procedures relating to Information Security Management.
Policies
Title | Policy status | Approval status | Approved version and date | Statement |
---|---|---|---|---|
Grid Policy on the Handling of User-Level Job Accounting | FINALISED | APPROVED | v2.0 | This document presents the minimum requirements and policy framework for the handling of user-level accounting data created, stored, transmitted, processed and analysed as a result of the execution of jobs on the Grid. |
Security Policy Glossary of Terms | FINALISED | APPROVED | v1.0 | This document provides a common reference for the meaning of various terms used in the context of the EGI Security Policy Group documents. As well as defining terms, this glossary also limits the scope of meaning of terms used in the security policy documents. |
Security Policy for the Endorsement and Operation of Virtual Machine Images | FINALISED | APPROVED | v4 | This document describes the security-related policy requirements for the generation, distribution and operations of virtual machine (VM) images, as part of a trusted computing environment of the IT infrastructure. The aim is to enable VM images to be generated according to best practices and to be both trusted and operated elsewhere. |
Policy on e-infrastructure Multi-User Pilot Jobs | FINALISED | APPROVED | v2 | Security policy for operation of multi-user pilot jobs. |
VO Portal Policy | FINALISED | APPROVED | v2 | This security policy applies to all Portals operated by Virtual Organisations that participate in the e-Infrastructure. It defines the conditions that apply to each of four different portal classes. |
Community Membership Management Policy | FINALISED | APPROVED | v1 | This policy is designed to establish trust between a Community and other Communities, Infrastructures, and the R&E federations. |
Community Operations Security Policy | FINALISED | APPROVED | v1 | The purpose of this policy is to ensure that the Community’s use of the Infrastructure is appropriate, and that the Infrastructure and Communities will respond together to accidental or malicious use that is excessive, harmful to others, or not for appropriate purposes. |
Acceptable Use Policy and Conditions of Use | FINALISED | APPROVED | v3 | The conditions of use described in the AUP have to be accepted by all Users during their registration as a user of the Infrastructure. |
Policy on the Processing of Personal Data | FINALISED | APPROVED | v2 | This policy ensures that data collected as a result of the use of the Infrastructure is processed fairly and lawfully by Infrastructure participants. |
Security Incident Response Policy | FINALISED | APPROVED | v2 | Policy on handling security incidents. |
Policy on Acceptable Authentication Assurance | FINALISED | APPROVED | v1 | This policy defines the approved authentication assurance sources. |
Security Traceability and Logging Policy | FINALISED | APPROVED | v2 | Security policy requirements for traceability and logging. |
Service Operations Security Policy | FINALISED | APPROVED | v4 | This security policy presents the conditions that apply to anyone running a Service on the Infrastructure, or to anyone providing a Service that is part of the Infrastructure. |
e-infrastructure Security Policy | FINALISED | APPROVED | v2 | Policy regulating those activities of e-Infrastructure participants related to the security of e-Infrastructure services and resources. |
Procedures
Title | Procedure status | Approval status | Approved version and date | Statement |
---|---|---|---|---|
SEC01 EGI CSIRT Security Incident Handling Procedure | FINAL | APPROVED | | This procedure is aimed at minimising the impact of security incidents by encouraging post-mortem analysis and promoting cooperation between Resource Centres. |
SEC02 Software Vulnerability Issue Handling | FINALISED | APPROVED | EGI ACE version 0.10 | The purpose of the EGI Software Vulnerability group is "To minimize the risk of security incidents due to software vulnerabilities". This document describes how reported software vulnerabilities are handled. |
SEC05 Security Resource Centre Certification Procedure | FINALISED | APPROVED | | Security Resource Centre Certification Procedure applies to Resource Centres under certification process and re-certification of suspended Resource Centres (sites). This step of the security certification procedure checks that the resources under certification do not contain known CRITICAL software vulnerabilities. |
WI07 Security Vulnerability handling | FINALISED | APPROVED | v.2 | Work instruction to follow Security Vulnerability handling RT tickets |
SEC03 EGI-CSIRT Critical Vulnerability Handling | FINALISED | APPROVED | | The scope of this procedure is to maintain a properly patched infrastructure and make sure that CRITICAL Vulnerabilities are handled adequately by all involved entities. |
SEC04 EGI CSIRT Operational Procedure for Compromised Certificates and Central Security Emergency suspension | DRAFT | APPROVAL REQUIRED | | This procedure describes what should be done by the EGI CSIRT in the event of a compromised identity certificate, including long lived certificates and proxies. This applies to robot certificates and service certificates as well as user certificates. This also includes what is done when certificates are linked to security incidents. This procedure also addresses usage of Central Security Emergency suspension. The implications of a CA compromise are also briefly described. |