This section describes and establishes the policies, procedures, and practices relating to confidentiality, integrity, and availability of CyVerse services, resources, equipment, and information while protecting the research and education activities in support of this project. All the data, software tools, and other resources will be made freely and publicly available under creative commons or applicable open source terms.
CyVerse will primarily utilize the networking and computing infrastructure at The University of Arizona and partner institutions, and the standards and policies set forth within this document will complement the policies set forth by these organizations. When there are any overlapping or conflicting policies set forth within this document, CyVerse will defer to the policy with the more stringent security requirements. In addition, state and federal laws may have jurisdiction, in which case CyVerse will be required to abide to all state and federal laws relating to its applications, systems, and networks. Herein, CyVerse specifies and highlights policies that are particularly important to CyVerse but there is no intent to describe or account for every known situation, circumstance, and process relating to security.
References to additional policies
Complementary institutional or organizational security policies can be found here:
- University of Arizona: http://security.arizona.edu/policy
- University of Texas at Austin: Information Resources Use and Security Policy
- Cold Spring Harbor Laboratory: Available per request from Cold Spring Harbor Laboratory
- University of North Carolina, Wilmington: Information Technology policies
- University of California, Santa Barbara: IT Policies
- NSF XSEDE: XSEDE Security
The CyVerse Core Services team is ultimately responsible for determining the appropriate level of access to ensure the confidentiality, integrity, and availability of CyVerse systems and resources to the community. This section presents a broad view about the organization’s stance of access control. However, due to the participatory and community-based nature of CyVerse, access will be determined on a project, team, and individual basis.
Individual Responsibility. Every CyVerse staff, researcher, community participant, and user is responsible for protecting the access to any information and systems that has been granted to him or her. If there is any suspicion of a breach of access, the CI team should be contacted immediately so that an appropriate investigation can be performed. Any CyVerse workstation and laptop should be password protected.
Access Notification. A distinct and clear message will be displayed to users if an application, system, or network is restricted from the general public including the applicable Acceptable Usage Policy (AUP) Authentication and Authorization. Authentication and authorization mechanisms will be used according to the needs of the application, system, and network. The CyVerse internal systems and infrastructure will be highly restrictive.
Working groups, collaborators, and development teams may employ temporary authentication and authorization schemes for the benefit of rapid development and prototyping. As applications and systems migrate under the professional services and Core Services team, these schemes may be standardized or removed, as appropriate, to ensure consistency for the community and general public.
Intellectual Property and Copyright. CyVerse will make every effort to comply with the intellectual property rights and copyrights of software, source code, data, documents, and other relevant materials. Participating researchers and community members must declare any intellectual property rights and copyrights to CyVerse in writing prior to its use within CyVerse. For further information, see the CyVerse Intellectual Property Policy.
Awareness and training
CyVerse will provide security documentation for all end-users as needed. Any public security-related documentation, including this security policy, will be posted on the CyVerse website. If necessary, working groups, collaborators, and development teams will be provided with more detailed security documentation and training, depending on the nature of the applications, systems, and networking that will be used for their projects. Operations and Infrastructure documentation and training may be provided to staff and researchers who will be directly accessing core infrastructure services.
Audit and accountability
The Core Services team will be ultimately responsible for managing the security audits of CyVerse.
Responsible Organizations. The distributed nature of cyberinfrastructure will necessitate that all CyVerse assets subscribe and adhere to the local policies along with those set forth by the CyVerse security requirements. The organization responsible for the security for the CyVerse asset will include institutional and departmental security organization where the asset is housed and managed. If the asset is a shared resource or CyVerse projects are utilizing time and resource allocation at other locations, the standards set forth by the local organization responsible for security will be adhered to, ultimately CyVerse will be responsible for security of its assets and will work cooperatively with local security organizations to share relevant information.
Acceptable Use. All CyVerse assets and personnel will adhere to the Acceptable Usage Policy (AUP) set forth by the local organization, e.g., AUP for computer and network use at University of Arizona. For services and resources available through CyVerse, AUP will be set based on the specific resource and service being provided and users will be required to comply with policies to gain access.
Servers. All CyVerse servers will record login and connection information including the remote host, timestamps, protocols, and user login information. If applicable application and server logs will be consolidate in a central logging system. Server logs will be maintained for a minimum of one year.
Applications. Any third-party applications, ones not developed by CyVerse, will have logging enabled as appropriate. Applications developed for the Discovery Environment (DE) requiring authentication or authorization should capture connection information including remote host, timestamps, and user login information, if applicable, and display relevant AUP.
Applications that result from the community collaborations will eventually be migrated to the Core Infrastructure Team for community access. During the migration process, the CI team will evaluate the security of these applications and perform penetration testing. If applicable, the data and any data collection process will be also evaluated to ensure that there are no privacy or confidentiality, copyright, and patent issues.
Audit. Ongoing traffic pattern analysis and intrusion detection systems (IDS) will be employed to perform host based intrusion detections (HIDS) and network based intrusion detection (NIDS). Cursory audits of the server logs will occur on a periodic basis. If a situation warrants immediate attention, such as a potential security breach, then the CI team will perform a more detailed audit.
Incident Response. The Core Infrastructure team will investigate any reports of security breaches within CyVerse. If the investigation results in a credible claim, the Core Infrastructure team will take necessary action to remove or isolate the threat. The Core Infrastructure team will make a best effort to minimize any downtime. In the event that a downtime must occur for a significant duration, then appropriate notifications will be sent and posted to the website.
All security-related incidents should be reported to CyVerse Security at firstname.lastname@example.org.
For active threats, urgent and secure communication call 1-520-621-0011.
Incident Reporting. As part of the incident response, the CI team will update all responsible authorities on the occurrence of the incident and actions being taken to mitigate the situations through designated channels. This will include institutional providers and participating authorities, funding agencies, and law enforcement agencies, e.g., University of Arizona “report a security incident” system.
Occurrence of all incidents will be logged by the CI team for evaluation and audit.
Maintenance. Maintenance of applications and operating systems is expected to happen periodically. The Core Services team will be responsible for managing the maintenance process for CyVerse and executing the maintenance for the core infrastructure systems. If any server requires a hardware or system update and results in a system reboot, loss of connectivity, or negatively impacts users, then the Core Services team will plan for scheduled downtime for the servers in question. The Core Services team will make a best effort to minimize the impact and notify the affected users of the scheduled downtime.
End-users of laptops and workstations are expected to periodically check for updates on their operating systems (i.e., Windows updates and Mac OS updates). If an end-user is not familiar with updating the operating system, the Core Services team can provide training on these tasks.
Physical Protection. CyVerse servers are located in secure, limited-access, and monitored data centers. Workstations and laptops should be physically secured to an immovable or difficult-to-move object whenever possible. To secure a physical system, a special cable with a locking mechanism should be used, such as a Kensington lock.
Loss or theft of physical CyVerse asset(s) will require contacting law enforcement (follow CyVerse incident reporting procedures).
Planning. CyVerse will formally reevaluate and document all security, business continuity, and backup and recovery plans at least every three months, including this security policy document. Operationally, the reevaluation process may occur more frequently, and policies may be modified in response to addition in internal requirements, the external environment, or risk assessments.
Risk Assessment. A formal risk assessment process for the servers, workstations, laptops, and network equipment will occur every three months. This will also include participation in risk assessment procedures and security scans conducted by institutional providers. Excluding XSEDE or HPC related systems, CyVerse undergoes periodic security scans using Qualys.
System and Information Integrity. To ensure business continuity and information integrity, CyVerse will adhere to its disaster preparedness and recovery policies.
Email and form information
In addition to information actively provided by individuals using CyVerse websites, computational resources, and other online services, CyVerse may record information such as, but not limited to, the following types of information each time these access points are used:
- Internet address of the computer being used
- Web pages requested
- Referring web page
- Browser used
- Date, time, and duration of activity
- Passwords and accounts accessed
- Volume of data storage and transfer CPU, network bandwidth consumption
- Applications utilized and duration of usage
CyVerse uses this information to monitor, preserve, and enhance the functioning and integrity of the system. Information is collected for analysis and statistical purposes, and is used to help diagnose problems with the server and to carry out other administrative tasks, such as assessing what information is of most interest, determining technical design specifications, and identifying system performance and/or problem areas. This information is not used in any way that would reveal personal information to external constituencies except as described above.