Policy Development Kit
Accessing, using, and operating services for research today is, as a rule, inherently distributed: users access resources outside their home organisations. In this complex environment, the question of trust for users, resource providers, and infrastructures becomes paramount.
A set of policy documents is necessary to regulate and facilitate this trust. These policies outline the operational measures undertaken by the infrastructure to properly provide services. The policies principally cover security measures, user management and data protection.
What is the Policy Development Kit?
This material is provided to support Research Infrastructures in adopting or enhancing a policy set that regulates the operation and use of an authentication and authorisation infrastructure in line with the AARC Blueprint Architecture. The policies are there to provide a starting point, so that Research Infrastructures do not have to re-invent the wheel!
- A Moodle course is available to learn more about policies for the AARC Blueprint Architecture, and videos from this course are also available on the AARC playlist on YouTube GÉANTtv.
- Policy guidelines offer more detailed advice.
- Policy templates provide a head start:
Document | Who should complete the template? | Audience | Description | Link |
---|---|---|---|---|
Top Level Infrastructure Policy | Infrastructure Management | All Infrastructure Participants (abides by) | This policy template defines the roles of actors in the Research Infrastructure and binds the policy set together | Google Doc |
Incident Response Procedure | Infrastructure Management & Security Contact | Infrastructure Security Contact, Services (abides by) | This template procedure provides a step-by-step breakdown of actions to take following a security incident. | Google Doc |
Membership Management Policy | Infrastructure Management | Research Community (abides by) | This policy template defines how Research Communities should manage their members, including registration and expiration. | Google Doc |
Acceptable Authentication Assurance | Infrastructure Management | Research Community, Services (abide by) | This is a placeholder for the Infrastructure to determine rules for the acceptable assurance profiles of user credentials. | Google Doc |
Risk Assessment | Infrastructure Management, Services & Security Contact | Infrastructure Management (completes) | This table can be used as a starting point for identifying whether a full Data Protection Impact Assessment is required. | Google Doc |
Policy on the Processing of Personal Data | Infrastructure Management & Data Protection Contact | Research Community, Services (abide by) | This document defines the obligations on Infrastructure Participants when processing personal data. | Google Doc |
Privacy Policy | Infrastructure Management (for general policy) & Services (for service specific policies) | Users (view) | This can be used to document the data collected and processed by the Infrastructure and its participants. Each service in the infrastructure, as well as the infrastructure itself, should complete the template. | Google Doc |
Service Operations Security Policy | Infrastructure Management | Services (abide by) | This policy defines requirements for running a service within the Infrastructure. | Google Doc |
Acceptable Use Policy | Infrastructure Management (for baseline) & Research Communities (for community specific restrictions) | Users (abide by) | This is a template for the acceptable use policy that users must accept to use the Research Infrastructure. It should be augmented by the Research Community. | Google Doc |
Start with AARC: PDK video
More on AAI policy
- The Sirtfi framework to identify trusted and operationally secure partners in a federated authentication and authorisation environment.
- Snctfi – a ‘Scalable Negotiator for a Community Trust Framework in Federated Infrastructures’.