Policy Development Kit

Accessing, using, and operating services for research in today’s world, as a rule, is inherently distributed, where users access resources outside their home organisations. In this complex environment, the question of trust for users, resource providers, and infrastructures, becomes paramount.

A set of policy documents is necessary to regulate and facilitate this trust. These policies outline the operational measures undertaken by the infrastructure to properly provide services. The policies principally cover security measures, user management and data protection.

What is the Policy Development Kit?

This material is provided to support Research Infrastructures in adopting or enhancing a policy set that regulates the operation and use of an authentication and authorisation infrastructure in line with the AARC Blueprint Architecture. The policies are there to provide a starting point, so that Research Infrastructures do not have to re-invent the wheel!

  • A Moodle course is available to learn more about policies for the AARC Blueprint Architecture and videos from this course are also available on the AARC playlist on YouTube GÉANTtv.
  • Policy guidelines offer more detailed advice.
  • Policy templates provide a head start:
DocumentWho should complete the template?AudienceDescriptionLink
Top Level Infrastructure PolicyInfrastructure ManagementAll Infrastructure Participants (abides by)This policy template defines the roles of actors in the Research Infrastructure and binds the policy set togetherGoogle Doc
Incident Response ProcedureInfrastructure Management & Security ContactInfrastructure Security Contact, Services (abides by)This template procedure provides a step-by-step breakdown of actions to take following a security incident.Google Doc
Membership Management PolicyInfrastructure ManagementResearch Community (abides by)This policy template defines how Research Communities should manage their members, including registration and expiration. Google Doc
Acceptable Authentication AssuranceInfrastructure ManagementResearch Community, Services (abide by)This is a placeholder for the Infrastructure to determine rules for the acceptable assurance profiles of user credentials.Google Doc
Risk AssessmentInfrastructure Management, Services & Security ContactInfrastructure Management (completes)This table can be used as a starting point for identifying whether a full Data Protection Impact Assessment is required.Google Doc
Policy on the Processing of Personal DataInfrastructure Management & Data Protection ContactResearch Community, Services (abide by)This document defines the obligations on Infrastructure Participants when processing personal data.Google Doc
Privacy PolicyInfrastructure Management (for general policy) & Services (for service specific policies)Users (view)This can be used to document the data collected and processed by the Infrastructure and its participants. Each service in the infrastructure, as well as the infrastructure itself, should complete the template.Google Doc
Service Operations Security PolicyInfrastructure ManagementServices (abide by)This policy defines requirements for running a service within the Infrastructure.Google Doc
Acceptable Use PolicyInfrastructure Management (for baseline) & Research Communities (for community specific restrictions)Users (abide by)This is a template for the acceptable use policy that users must accept to use the Research Infrastructure. It should be augmented by the Research Community.Google Doc

Start with AARC: PDK video

More on AAI policy

  • The Sirtfi framework to identify trusted and operationally secure partners in a federated authentication and authorisation environment.
  • Snctfi – a ‘Scalable Negotiator for a Community Trust Framework in Federated Infrastructures’.