UK e-Science Technical Report Series UKeS-2004-04
ISSN 1751-5971
Security Policy Version 1.4

UK e-Science Programme Security Policy

1. Introduction

This document constitutes the security policy for the UK e-Science Programme. The Programme is a complex entity with many stakeholders: the Research Councils, industrial partners and the Department of Trade and Industry, who fund much of the research; the Funding Councils, the Joint Information Systems Committee and UKERNA, who together fund and manage much of the infrastructure; and not least the principal investigators, the project staff and the institutions in which they work. Consequently no single party can be said to hold overall responsibility for the policy; in fact one of the main functions of the policy is to identify who is responsible for which aspects of security and to establish how the overall policy will be administered. Currently the body which best represents the collective interests of the various stakeholders is the e-Science Steering Committee, and the policy has been endorsed by that committee. It is issued on the authority of the Director of the e-Science Core Programme.

2. Purpose

The purpose of this policy is to promote best practice in Information Security within the context of the UK e-Science Programme. Specifically, it aims to encourage the adoption of project-specific processes that lead to desirable outcomes in confidentiality, integrity and availability. The intention of this policy is to foster a culture in which there is mutual support and sharing of information relating to security, for the greater benefit of the programme as a whole: it is specifically not designed to place excessive or unreasonable burdens on project staff. The Programme is committed to establishing and maintaining appropriate standards of security for the information assets of its projects and collaborations, and to enabling and supporting projects in safeguarding their own assets.

e-Science projects and Grid technologies have special infrastructure requirements and resources, which means that they face both increased known security risks and risks that have yet to be identified. Additionally, the highly distributed nature of e-Science means that the existing responsibilities, mechanisms and lines of communication do not cover the activities of the projects in their entirety. It is also recognised that, since new Grid technologies may give rise to additional, unforeseen vulnerabilities, the precise security needs of some projects will be a matter of discovery over the project lifetime. Projects must therefore adopt secure processes appropriate to the risks they face, reflecting best practice, to protect both their own assets (people, equipment, data) and the wider collection of educational and research facilities to which they gain access.

3. Review

The Policy will be reviewed, for relevance and effectiveness, on an annual basis, but may be supplemented by the issue of new additional policy and practice documents at any time. The latest version of the Policy and its supporting documentation will always be available via the National e-Science Centre web site, see http://www.nesc.ac.uk/technical_papers/uk.html.

4. Scope

The Policy covers any activity impacting on the assets of the e-Science Programme: infrastructure, code-base, datasets, and its good name. Specifically, it applies to all projects, personnel and facilities funded via an e-Science programme grant, and to all core facilities in the UK academic and research community recognised as contributing services to the programme. It also deals with their protection against external threats.

5. Responsibilities

Ultimate responsibility for this Policy rests with the Director General of the Research Councils, but effective management responsibility is exercised on the Director General's authority by the UK e-Science Core Programme Directorate. The Directorate is supported by a Grid Operations Security Team who will review the security of the e-Science Programme, including this policy and its supporting documentation, and make recommendations to the Directorate on any policy actions or initiatives that are needed.

Although in a strict sense the grant-holding institution carries the legal responsibility for a given project, for practical purposes a project's Principal Investigator (PI) will be held accountable for its security. The PI must identify, through the project's organisational structure, other persons with security-related roles, and should nominate a point of liaison for operational matters, ensuring that cover for this role is provided in case of holiday or sickness of the regular technical contact. Security incidents should be reported to the Grid Security Operations Team. In most cases, contact will be through a host institution's local CERT.

6. Practices

Projects must adopt processes that lead to secure solutions commensurate with the risks they face. When a project is proposed, its case for support must explain how this will be achieved. The e-Science programme will provide suitable training in this area. Proposals should anticipate, where possible, the training and consultancy needs of the project.

Grant-awarding panels may call upon specialist referees to evaluate the security features of a project proposal. On the advice of those referees or otherwise, they may decide to attach security-related requirements to a grant offer. These may include:

· Funding for relevant training for project staff, to enable secure processes to be adopted and secure features to be designed in from the outset of the project;
· A requirement to undertake a detailed threat and risk analysis in the early stages of the project;
· A requirement to produce a detailed draft project security policy in advance, perhaps with an external review of that policy;
· Specific points at which a project security audit will be required, and funding to facilitate that audit;
· Specific conditions relating to access to facilities, data sets, etc.;
· Requirements to keep up to date with ongoing developments in particular security technologies;
· Sanctions to be applied if these requirements are not followed.

All funded projects will require a security policy, informed by a risk analysis. A security policy for a project will usually describe how the following will be taken into account:

· Policies and guidance from the e-Science programme, including this policy;
· Legal obligations, such as health and safety, and data protection;
· Ethical frameworks that constrain the project or the use of any associated capability;
· Specific concerns or risks arising from the nature of the project, including those of industrial partners and international collaborators;
· Established and evolving security practice in Grid-based environments;
· Actions to be taken upon detection of a breach of policy, whether by project staff or administrators, or by external persons.

Project security policies should be appropriate to the academic/research community and to the specifics of the research project. Industrial partners and international collaborators are similarly encouraged to adopt best practice, and are obliged to follow this policy when accessing assets of the e-Science programme.

In due course projects may be audited. The project security policy and its associated risk analysis will be the basis of the audit. The audit will look for evidence that risks have been adequately addressed in the policy and that processes are in place to support the security policy.

7. Sanctions

Notwithstanding the intention to be supportive to projects where security is concerned, this policy provides for sanctions in the event that a project wilfully or through negligence puts its own and others' security at risk; e.g. in the event that a project fails to follow the security requirements set out in its offer letter, and/or to adopt appropriate security processes relative to the risks that it faces. The sanctions will generally match the nature of the failure, and may range from denial of access to shared e-Science facilities to withholding of grant resource. The Directorate will recommend the appropriate sanction or sanctions, although sanctions, if confirmed, will be applied by the relevant authority (e.g. funding body or facility operator). The addition of e-Science sanctions does not alter the existing right of JANET-CERT or the local institution's IT Services to apply sanctions of their own if the wider community is put at risk by the actions of an e-Science project.

8. Further Information

Further information and guidance will be developed to support this policy and assist projects and project staff in applying it. All such advice will be made available via the National e-Science Centre web site, http://www.nesc.ac.uk/.

Last updated 15 April 2004 by Alan Robiette, <a.robiette@jisc.ac.uk>