update on security policy
play

Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security - PowerPoint PPT Presentation

May 21, 2023 •121 likes •408 views

Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010, Taipei david.kelsey at stfc.ac.uk Overview Why do we need security policies? Joint Security Policy Group (JSPG) Some history

  1. Update on Security Policy David Kelsey (RAL) 
 7 Mar 2010 
 Security Workshop @ ISGC 2010, Taipei david.kelsey at stfc.ac.uk

  2. Overview • Why do we need security policies? • Joint Security Policy Group (JSPG) – Some history – Interoperability • Overview of JSPG policies – Current status and recent work • The transition to EGI Kelsey, Security Policy 7 Mar 2010 2

  3. Why do we need security policies? • Management of IT security – Management of risk, balanced with availability of services • Perform a risk analysis – Need a Security Plan • to mitigate and manage the risks • Security Plan includes various “Controls” – Technical – Operational – Management • Security Policy is part of Management Controls (written documents) Kelsey, Security Policy 7 Mar 2010 3

  4. Trust is important • Trust is a relationship of reliance. A trusted party is presumed to seek to fulfill policies, ethical codes, law and their previous promises. (wikipedia) • Trust is a prediction of reliance on an action, based on what a party knows about the other party. Trust is a statement about what is otherwise unknown -- for example, because it is far away, cannot be verified, or is in the future. Kelsey, Security Policy 7 Mar 2010 4

  5. Joint Security Policy Group • This started as a WLCG activity in 2003 • In 2004, EGEE phase 1 started – JSPG remit expanded to cover both projects – Strong participation by OSG, NDGF, … • Revised mandate (2008) – http://www.jspg.org/ – prepares and maintains security policies for its primary stakeholders (EGEE and WLCG) – also able to provide policy advice on any security matter • Policies approved and adopted by Grid management • Now taking forward into EGI era (more later) Kelsey, Security Policy 7 Mar 2010 5

  6. Policy Interoperability • Wherever possible, JSPG aims to – prepare simple and general policies – applicable to the primary stakeholders, but – also of use to other Grid infrastructures (NGI's etc) • The adoption of common policies by multiple Grids eases the problems of interoperability (and scaling) • Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO) • Other participants then know that their actions are already bound by the policies – No need for additional negotiation, registration or Kelsey, Security Policy 7 Mar 2010 6 agreement

  7. Overview of JSPG Policies Kelsey, Security Policy 7 Mar 2010 7

  8. Grid Security Policy • The main policy document • https://edms.cern.ch/document/ 428008/ • “…policy regulating those activities of Grid participants related to the security of Grid services and Grid resources.” Kelsey, Security Policy 7 Mar 2010 8

  9. Grid Security Policy (2) • Objectives – gives authority for actions • may be carried out by certain individuals and bodies – places responsibilities on all participants • Scope – This policy applies to all participants – Every site participating in the Grid autonomously owns and follows their own local security policies – This policy augments local policies by setting out additional Grid-specific requirements. Kelsey, Security Policy 7 Mar 2010 9

  10. Grid Security Policy (3) • Additional Policy documents – Appendix 1 defines additional policy documents – These must exist for a proper implementation of this policy • Roles and Responsibilities: Participants – Grid Management – Grid Security O ffj cer & Grid Security Operations – Virtual Organisation Management – Users – Site Management – Resource Administrators Kelsey, Security Policy 7 Mar 2010 10

  11. Grid Security Policy (4) • Limits to Compliance – Grid policies designed to be applied uniformly across all sites and VOs – exceptions may be made when required – must be justified in a document submitted to the Grid Security O ffj cer for authorisation – In exceptional circumstances it may be necessary for emergency action – the exception should be minimised, documented, time- limited and authorised at the highest level of the management commensurate with taking the emergency action promptly, and the details notified to the Grid Security O ffj cer at the earliest opportunity Kelsey, Security Policy 7 Mar 2010 11

  12. Grid Security Policy (5) • Sanctions – Sites or resource administrators who fail to comply may lose the right to have that service instance recognised by the Grid – Users who fail to comply may lose their right of access to and/or collaboration with the Grid • may be reported to their home institute • Or to appropriate law enforcement agencies – VOs which fail to comply may lose their right of access to and/or collaboration with the Grid • Including all their users Kelsey, Security Policy 7 Mar 2010 12

  13. JSPG Security Policies Security Incident Certification Traceability and 
 Response Authorities Logging Security Site & VO Grid & VO Policy Policies AUPs Pilot Jobs and 
 Accounting Data 
 VO Portals Privacy Kelsey, Security Policy 7 Mar 2010 13

  14. Recent JSPG work • JSPG membership expanded to include more NGIs (-> EGI era) – revise all policy documents to make simpler and more general Policies approved and adopted during the last year… • Virtual Organisation Registration Security Policy https://edms.cern.ch/document/573348/8 • Virtual Organisation Membership Management Policy https://edms.cern.ch/document/428034/3 • Grid Policy on the Handling of User-Level Job Accounting Data https://edms.cern.ch/document/855382/5 • VO Portal Policy https://edms.cern.ch/document/972973/6 • Security Incident Response Policy https://edms.cern.ch/document/428035/7 Kelsey, Security Policy 7 Mar 2010 14

  15. Revision to Grid AUP • http://www.jspg.org/wiki/ Grid_Acceptable_Use_Policy – Version 4.1 • Old policy document (V3.1 28 Oct 2005) – one of the early successes of JSPG – a simple common policy for use on several di fg erent interoperating Grids – AUP has to be accepted by all users during their (re)registration with their VO – Important for interoperation between Grids Kelsey, Security Policy 7 Mar 2010 15

  16. Grid AUP (2) • Many Grids and other computing infrastructures, e.g. DEISA, have since used this AUP • but needed to make small modifications • main aim of this revision – take these modifications into account – produce a new version to meet the needs of Grids using the policy Kelsey, Security Policy 7 Mar 2010 16

  17. Revision to Site Registration • http://www.jspg.org/wiki/ Site_Registration_Security_Policy – Version 3.1 • Old policy document (V2.0 16 Mar 2006) – contains many detailed registration procedures • These are too EGEE-specific • JSPG decided to remove these – change the focus of the document to be purely related to security policy issues – similar to the recently approved "Virtual Organisation Registration Security Policy“ • new document is now much shorter and simpler Kelsey, Security Policy 7 Mar 2010 17

  18. From EGEE to EGI Kelsey, Security Policy 7 Mar 2010 18

  19. Problems with current Policies • The complete revision during EGEE-III has been successful, however… • Still many di fg erent documents – Overlaps and inconsistencies • Includes operational issues as well as security-related issues • Participants find it di ffj cult to know which policy applies to them • Many policies are rather EGEE-specific Kelsey, Security Policy 7 Mar 2010 19

  20. Policy framework for EGI 
 - defining policy standards • A framework to enable interoperation of collaborating Grids – aimed at managing cross-Grid operational security risks • Identify policy components needed for trust between Grids • Not necessarily imposing a single policy for all – But Grids can use template policies if they wish • Presents the current set of JSPG policies – Taking high-level view to identify those components which are necessary • Other components are either too EGEE-specific or are operational rather than related to security – separate them Kelsey, Security Policy 7 Mar 2010 20

  21. Framework (2) • Specifies the issues that need to be addressed in a Grid's security policy • At this stage does not define minimum standards or requirements – Standards should come later Kelsey, Security Policy 7 Mar 2010 21

  22. Policy Framework: Participants Infrastructur Users Providers e Includes Includes • Grid users • Grid Sites Includes • VOs • Resource • Grid • Application Providers Operations Communities • Service • Security O ffj cer Providers, e.g. • Sec Operations VO running services 7 Mar 2010

  23. Policy Components Infrastructur Users Providers e Includes Includes • AUP • Traceability Includes • Traceability • Incident • Incident • VO Response Response Management • Access control • Vulnerability • Data protection • Registration Handling • Incident • etc • Patching response • Data protection • Registration • Registration • etc • etc 7 Mar 2010

  24. Security Policy Framework Infrastructur Users Providers e Incident Response 1 2 3 Traceability 4 5 6 Data Protection 7 8 9 etc etc etc 7 Mar 2010

Recommend

Security Classification Policy Implementation in Policing Update Helen Edwards Head of

Security Classification Policy Implementation in Policing Update Helen Edwards Head of

Security Classification Policy Implementation in Policing Update Helen Edwards Head of Information Management March 2013 1 New Security Classifications From April 2014, the Government security classifications are changing.

173 views • 13 slides
Security Policy Update Mike Stanfield OSG Security Team OSG Council Face-to-Face October 11 th ,

Security Policy Update Mike Stanfield OSG Security Team OSG Council Face-to-Face October 11 th ,

Security Policy Update Mike Stanfield OSG Security Team OSG Council Face-to-Face October 11 th , 2019 OSG Security Team Security Team Members: Susan Sons, CACR Indiana University Adrian Crenshaw, CACR Indiana University Josh Drake,

113 views • 10 slides
CSE 484 / CSE M 584 Computer Security: SQL, Wireshark, and Policy TA: Thomas Crosley

CSE 484 / CSE M 584 Computer Security: SQL, Wireshark, and Policy TA: Thomas Crosley

CSE 484 / CSE M 584 Computer Security: SQL, Wireshark, and Policy TA: Thomas Crosley tcrosley@cs SQL Review Structured Query Language (SQL) used to communicate with databases Standard SQL commands SELECT, INSERT, UPDATE, DELETE, DROP

771 views • 12 slides
AIST POLICY UPDATE 29 July 2020 SPEAKER: David Haynes, Senior Policy Manager, AIST Policy

AIST POLICY UPDATE 29 July 2020 SPEAKER: David Haynes, Senior Policy Manager, AIST Policy

AIST POLICY UPDATE 29 July 2020 SPEAKER: David Haynes, Senior Policy Manager, AIST Policy Update AGENDA CoVid measures Regulator update Policy landscape Joint letter APRA/ASIC Retirement Income Review Insurance in Super Code Royal

298 views • 18 slides
Update - Security Policies David Groep (Nikhef) EGI OMB 24 November 2016 www.egi.eu EGI-Engage

Update - Security Policies David Groep (Nikhef) EGI OMB 24 November 2016 www.egi.eu EGI-Engage

Update - Security Policies David Groep (Nikhef) EGI OMB 24 November 2016 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Refreshing the security policy suite

399 views • 15 slides
Pre-ICANN68 Policy Update Webinar 18 June 2020 | 1 Welcome to the Pre-ICANN68 Policy Update

Pre-ICANN68 Policy Update Webinar 18 June 2020 | 1 Welcome to the Pre-ICANN68 Policy Update

Pre-ICANN68 Policy Update Webinar 18 June 2020 | 1 Welcome to the Pre-ICANN68 Policy Update Webinar This is a text box caption to describe David Olive the photo to the left. Senior Vice President, Policy Development Support | 2

751 views • 41 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
ICANN Policy Update - Singapore Policy Department, June 2011 Goals for this session Update

ICANN Policy Update - Singapore Policy Department, June 2011 Goals for this session Update

ICANN Policy Update - Singapore Policy Department, June 2011 Goals for this session Update you on current Policy work and encourage you to participate Review policy issues to be discussed at the ICANN Singapore Meeting Inform you of

998 views • 80 slides
Document Hierarchy of Information Security Corporate Security Policy Policy General commitment

Document Hierarchy of Information Security Corporate Security Policy Policy General commitment

Document Hierarchy of Information Security Corporate Security Policy Policy General commitment to Information Security General commitment to Information Security Installation of CorpSec Enabling CSO Installing Information Security Standard

355 views • 8 slides
CI P Cyber Security Update CI P Cyber Security Update John Lim John Lim Consolidated Edison Co.

CI P Cyber Security Update CI P Cyber Security Update John Lim John Lim Consolidated Edison Co.

CI P Cyber Security Update CI P Cyber Security Update John Lim John Lim Consolidated Edison Co. of New York, Inc. December 1, 2010 1 Disclaim er Materials presented or discussed here are the presenters own and do not necessarily

451 views • 15 slides
Pre-ICANN57 Policy Update Webinar 20 October 2016 | 10 UTC & 19 UTC Welcome to the

Pre-ICANN57 Policy Update Webinar 20 October 2016 | 10 UTC & 19 UTC Welcome to the

Pre-ICANN57 Policy Update Webinar 20 October 2016 | 10 UTC & 19 UTC Welcome to the Pre-ICANN57 Policy Update Webinar David Olive Senior Vice President, Policy Development Support General Manager, ICANN Regional Headquarters Hub in

965 views • 78 slides
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian Roth , Timothy Barron, Stefano Calzavara, Nick Nikiforakis & Ben Stock Network and Distributed System Security Symposium (NDSS '20) Cross-Site

878 views • 31 slides
Policy Development Process & Policy Update Newcomers Session - 11 Sep 2020 ORGANISED

Policy Development Process & Policy Update Newcomers Session - 11 Sep 2020 ORGANISED

Policy Development Process & Policy Update Newcomers Session - 11 Sep 2020 ORGANISED BY Policy Development Process & Policy Update Madhvi Gokool 11 SEPTEMBER 2020 Why should you care? Public IP Number Resources are The

566 views • 23 slides
Finance, Costing, & Audit Policy Update Co-Chairs: Michelle Bulls, NIH Office of Policy for

Finance, Costing, & Audit Policy Update Co-Chairs: Michelle Bulls, NIH Office of Policy for

Finance, Costing, & Audit Policy Update Co-Chairs: Michelle Bulls, NIH Office of Policy for Extramural Research Administration Jim Luther, Duke University January 10, 2020 Plenary Update GOALS To reduce administrative burden for

128 views • 12 slides
and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska

and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska

Anti-Hunger Policy and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska Federal Policy and Advocacy State Policy and Advocacy SNAP FINI Grant Useful Reports Policy

852 views • 12 slides
ICANN Policy Update Webinar Policy Department, 22 November 2010 Introduction David Olive 1

ICANN Policy Update Webinar Policy Department, 22 November 2010 Introduction David Olive 1

ICANN Policy Update Webinar Policy Department, 22 November 2010 Introduction David Olive 1 Goals for this session Update you on current Policy work and encourage you to participate Review issues to be discussed at the ICANN Meeting in

929 views • 65 slides
ICANN Policy Update Webinar Policy Department, 4 October 2012 Introduction David Olive 2

ICANN Policy Update Webinar Policy Department, 4 October 2012 Introduction David Olive 2

ICANN Policy Update Webinar Policy Department, 4 October 2012 Introduction David Olive 2 Goals for this session Update you on current Policy work and encourage you to participate Review issues to be discussed at the ICANN Meeting in

1.4k views • 110 slides
OpenVMS Security Update OpenVMS Security Update OpenVMS Security Update Helmut Ammer Helmut

OpenVMS Security Update OpenVMS Security Update OpenVMS Security Update Helmut Ammer Helmut

OpenVMS Security Update OpenVMS Security Update OpenVMS Security Update Helmut Ammer Helmut Ammer CSSC Mnchen CSSC Mnchen 1F06 1F06 25. DECUS Mnchen Symposium Bonn 2002 1 berblick berblick berblick OpenVMS Security

754 views • 31 slides
Transit Service Policy Update Review of Policy Changes Transit Service Policy What is the

Transit Service Policy Update Review of Policy Changes Transit Service Policy What is the

Transit Service Policy Update Review of Policy Changes Transit Service Policy What is the Transit Service Policy? Key policy document that establishes: A formal process for evaluating existing services A methodology and process for

152 views • 14 slides
US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific,

US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific,

US/UK DTCT Security Policy Requirements Jakki Baker/Martin Oram Defence Security Scientific, Technical and Industrial Directorate of Business Resilience Defence Security Security Protection The DTCT requires the Parties to provide an

387 views • 9 slides
ICANN Policy Update Webinar Policy Department, March 2012 Introduction David Olive 2 Goals

ICANN Policy Update Webinar Policy Department, March 2012 Introduction David Olive 2 Goals

ICANN Policy Update Webinar Policy Department, March 2012 Introduction David Olive 2 Goals for this session Update you on current Policy work and encourage you to participate Review issues to be discussed at the ICANN Meeting in

1.27k views • 108 slides
ICANN Policy Update Webinar Policy Department, October 2011 Introduction David Olive 2 Goals

ICANN Policy Update Webinar Policy Department, October 2011 Introduction David Olive 2 Goals

ICANN Policy Update Webinar Policy Department, October 2011 Introduction David Olive 2 Goals for this session Update you on current Policy work and encourage you to participate Review issues to be discussed at the ICANN Meeting in

1.34k views • 97 slides
ICANN Policy Update Webinar Policy Department, 3 March 2011 Introduction David Olive 1 Goals

ICANN Policy Update Webinar Policy Department, 3 March 2011 Introduction David Olive 1 Goals

ICANN Policy Update Webinar Policy Department, 3 March 2011 Introduction David Olive 1 Goals for this session Update you on current Policy work and encourage you to participate Review issues to be discussed at the ICANN Meeting in San

1.08k views • 70 slides
Policy Update Marika Konings, Senior Policy Director Goals for this session Provide you with

Policy Update Marika Konings, Senior Policy Director Goals for this session Provide you with

Policy Update Marika Konings, Senior Policy Director Goals for this session Provide you with an overview of the main Policy Sessions taking place this week Encourage you to attend & participate Answer any questions you might have

496 views • 27 slides

More recommend