- Created by Baptiste Grenier on 2022 Apr 15
As a an Internal Service Provider, the following Policies and Procedures are relevant to you.
Policies
| Title | Approval status | Owner | Statement |
|---|---|---|---|
| Release Policy | APPROVED | The goal of Release Management is to plan and oversee the implementation of approved Changes into production. | |
| Change management policy | APPROVED | Matthew Viljoen | Policy for applicability of change management |
| Security Policy Glossary of Terms | APPROVED | This document provides a common reference for the meaning of various terms used in the context of the EGI Security Policy Group documents. As well as defining terms, this glossary also limits the scope of meaning of terms used in the security policy documents. | |
| Policy on the Processing of Personal Data | APPROVED | David Kelsey | This policy ensures that data collected as a result of the use of the Infrastructure is processed fairly and lawfully by Infrastructure participants. |
| Security Incident Response Policy | APPROVED | Policy on handling security incidents. | |
| Policy on Acceptable Authentication Assurance | APPROVED | This policy defines the approved authentication assurance sources. | |
| Security Traceability and Logging Policy | APPROVED | Security policy requirements for traceability and logging. | |
| Service Operations Security Policy | APPROVED | This security policy presents the conditions that apply to anyone running a Service on the Infrastructure, or to anyone providing a Service that is part of the Infrastructure. | |
| e-infrastructure Security Policy | APPROVED | David Kelsey | Policy regulating those activities of e-Infrastructure participants related to the security of e-Infrastructure services and resources. |
Procedures
| Title | Approval status | Owner | Statement |
|---|---|---|---|
| SEC01 EGI CSIRT Security Incident Handling Procedure | APPROVED | Computing Security Incident Response Team (CSIRT) | This procedure is aimed at minimising the impact of security incidents by encouraging post-mortem analysis and promoting cooperation between Resource Centres. |
| CHM1 Manage changes including emergency changes | APPROVED
| Matthew Viljoen | Procedure how a change should be registered, approved, and reviewed after implementation but before deployment. |
| PROC09 Resource Centre Registration and Certification | APPROVED | Alessandro Paolini | A procedure describing the steps for registering and certifying new Resource Centres (sites) in the EGI infrastructure. The certification steps can also be used to re-certify suspended Resource Centres (sites). |
| ISRM7 Creation of a new support unit in the Helpdesk GGUS | APPROVED | Creating a new support unit in the EGI Helpdesk service (GGUS). | |
| SEC02 Software Vulnerability Issue Handling | APPROVED | The purpose of the EGI Software Vulnerability group is "To minimize the risk of security incidents due to software vulnerabilities" This document describes how Software vulnerabilities reported are handled. | |
| PROC21 Resource Centre suspension | APPROVED | Alessandro Paolini | The document describes the process for suspending a Resource Centre in the EGI infrastructure |
| ISRM1 Record, Classify, Prioritize, Escalate, Resolve, Close an incident or service request | Procedure describing how an incident or service request should be recorded, classified , prioritized, escalated, resolved, closed | ||
| RDM3 Lightweight release process | APPROVED | This lightweight procedure applies to individual low risk/impact change and provides steps for service updates and releases of the centrally-provided production services. | |
| CHM3 Evaluate and Approve Change Management Operated by Other Organisations | APPROVED | Procedure documenting the management of Federated Change Management within the EGI Federation | |
| CHM2 Maintain the list, descriptions and step-by-step workflows for well-known and recurring changes | APPROVED
| Matthew Viljoen | Procedure how standard changes list should be maintained |
| SEC04 EGI CSIRT Operational Procedure for Compromised Certificates and Central Security Emergency suspension | APPROVAL REQUIRED | Computing Security Incident Response Team (CSIRT) | This procedure describes what should be done by the EGI CSIRT in the event of a compromised identity certificate, including long lived certificates and proxies. This applies to robot certificates and service certificates as well as user certificates. This also includes what is done when certificates are linked to security incidents. This procedure also addresses usage of Central Security Emergency suspension. The implications of a CA compromise are also briefly described. |
| RDM2 Regular release process | APPROVED | This procedure applies to regular releases of the centrally-provided production services that need to be fully built, tested and deployed. This may be either:
| |
| RDM1 Emergency release process | APPROVED
| An emergency release consists in the releasing of one product, or a set of products, with the targeted goal of solving a specific problem that affects the EGI infrastructure. To qualify for an emergency release the problem should be classified in at least one of the following categories:
Emergency releases are deployed by the services providers and apply to the services listed in the EGI Service Portfolios that are owned by the EGI Foundation. | |
| PROC15 Resource Center renaming | APPROVED | Alessandro Paolini | A procedure for changing name of a Resource Centre. |
| PROC11 Resource Centre Decommissioning | APPROVED | Matthew Viljoen | A procedure describing the steps to decommission Resource Centres in the EGI infrastructure. |
| ISRM2 Perform a major incident review | APPROVED | Procedure defining a major incident review |
- No labels