Security and Privacy Policy

Updated April 20, 2022

Security

This section describes and establishes the policies, procedures, and practices relating to confidentiality, integrity, and availability of CyVerse services, resources, equipment, and information while protecting the research and education activities in support of CyVerse. All the data, software tools, and other resources will be made freely and publicly available under creative commons or applicable open source terms.

CyVerse will primarily utilize the networking and computing infrastructure at The University of Arizona and our partner institutions, and the standards and policies set forth within this section will complement the policies set forth by these organizations. When there are any overlapping or conflicting policies set forth within this section, CyVerse will defer to the policy with the more stringent security requirements. In addition, state and federal laws may have jurisdiction, in which case CyVerse is required to abide by all state and federal laws relating to its applications, systems, and networks. Herein, CyVerse specifies and highlights policies that are particularly important to CyVerse but there is no intent to describe or account for every known or possible situation, circumstance, and process relating to security.

Reference to Additional Policies

Complementary institutional or organizational security policies can be found here:

Access Control

The CyVerse Cloud Native Services team is ultimately responsible for determining the appropriate level of access to ensure the confidentiality, integrity, and availability of CyVerse systems and resources to the community. This section presents a broad view about the organization’s stance on access control. However, due to the participatory, collaborative, and community-based nature of CyVerse, access will be determined on a project, team, and individual basis.

Individual Responsibility

Every CyVerse staff, researcher, community participant, and user is responsible for protecting the access to any information and systems that has been granted to him or her. If there is any suspicion of a breach of access, the Cloud Native Services team should be contacted immediately so that an appropriate investigation can be performed. Any CyVerse workstation and laptop should be password-protected.

Access Notification

A distinct and clear message will be displayed to users if an application, system, or network is restricted from the general public including the applicable Acceptable Usage Policy (AUP).

Authentication and Authorization

Authentication and authorization mechanisms will be used according to the needs of the application, system, and network. The CyVerse internal systems and infrastructure will be highly restrictive.

Working groups, collaborators, and development teams may employ temporary authentication and authorization schemes for the benefit of rapid development and prototyping. As applications and systems migrate under the professional services and Cloud Native Services team, these schemes may be standardized or removed, as appropriate, to ensure consistency for the community and general public.

Intellectual Property and Copyright

CyVerse will make every effort to comply with the intellectual property rights and copyrights of software, source code, data, documents, and other relevant materials. Participating researchers and community members must declare any intellectual property rights and copyrights to CyVerse in writing prior to its use within CyVerse. For further information, see the CyVerse Intellectual Property Policy.

General Data Protection Regulation (GDPR) Compliance

Users may not upload any personal data that is protected by the General Data Protection Regulation (EU) 2016/679 (GDPR) which is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas regardless of its location and the data subjects' citizenship—that is, processing the personal information of data subjects inside the EEA. For user account creation, CyVerse collects minimal required and optional personal data, including: 

  • Name
  • Email address
  • Country/Region
  • Optionally provided:
    • Institution/Company affiliation
    • Occupation
    • Research area
    • Funding
    • ORCiD (a unique digital identifier for researchers)
    • Gender
    • Ethnicity

In addition to CyVerse collecting personal data, there are other third-party applications in our cyberinfrastructure that are used in conjunction with your personal data. To date, these applications include: 

  • Intercom, for user support and engagement
  • Google Analytics, for site usability and performance

Users have the right to be forgotten. Users have the right to see what personally identifiable data CyVerse has. To request your personal data be deleted, to see what personally identifiable data is being stored in CyVerse, or to address any other issue regarding data privacy at CyVerse (including access, rectification, objection, and restriction), email support@cyverse.org.

Awareness and Training

CyVerse will provide security documentation for all end-users as needed. Any public security-related documentation, including this Security Policy, will be posted on the CyVerse website. If necessary, working groups, collaborators, and development teams will be provided with more detailed security documentation and training, depending on the nature of the applications, systems, and networking that will be used for their projects. Operations and Infrastructure documentation and training may be provided to staff and researchers who will be directly accessing core infrastructure services.

Audit and Accountability

The Cloud Native Services team will be ultimately responsible for managing the security audits of CyVerse.

Responsible Organizations

The distributed nature of cyberinfrastructure will necessitate that all CyVerse assets subscribe and adhere to the local policies along with those set forth by the CyVerse security requirements. The organization responsible for the security of the CyVerse asset will include institutional and departmental security organization(s) where the asset is housed and managed. If the asset is a shared resource or CyVerse projects are utilizing time and resource allocation at other locations, the standards set forth by the local organization responsible for security will be adhered to; ultimately CyVerse will be responsible for security of its assets and will work cooperatively with local security organizations to share relevant information.

Acceptable Use

All CyVerse assets and personnel will adhere to the Acceptable Usage Policy (AUP) set forth by the local organization, e.g., AUP for computer and network use at University of Arizona. For services and resources available through CyVerse, AUP will be set based on the specific resource and service being provided and users will be required to comply with policies to gain access.

Servers

All CyVerse servers will record login and connection information including the remote host, timestamps, protocols, and user login information. If applicable application and server logs will be consolidated in a central logging system. Server logs will be maintained for a minimum of one year.

Applications

Any third-party applications, i.e., ones not developed by CyVerse, will have logging enabled as appropriate. Applications developed for the Discovery Environment (DE) requiring authentication or authorization should capture connection information including remote host, timestamps, and user login information, if applicable, and display relevant AUP.

Applications that result from the community collaborations will eventually be migrated to the Cloud Native Services team for community access. During the migration process, the team will evaluate the security of these applications and perform penetration testing. If applicable, the data and any data collection process will be also evaluated to ensure that there are no privacy or confidentiality, copyright, and patent issues.

Audit

Ongoing traffic pattern analysis and intrusion detection systems (IDS) will be employed to perform host-based intrusion detections (HIDS) and network-based intrusion detection (NIDS). Cursory audits of the server logs will occur on a periodic basis. If a situation warrants immediate attention, such as a potential security breach, then the Cloud Native Services team will perform a more detailed audit.

Incident Response

The Cloud Native Services team will investigate any reports of security breaches within CyVerse. If the investigation results in a credible claim, the team will take necessary action to remove or isolate the threat. The team will make a best effort to minimize any downtime. In the event that a downtime must occur for a significant duration, then appropriate notifications will be sent and posted to the website per CyVerse's Service Level Agreement.

All security-related incidents should be reported to CyVerse Security at security@cyverse.org

For active threats, urgent and secure communication, call 1-520-621-0011.

Incident Reporting

As part of the incident response, the Cloud Native Services team will update all responsible authorities on the occurrence of the incident and actions being taken to mitigate the situations through designated channels. This will include institutional providers and participating authorities, funding agencies, and law enforcement agencies, e.g., University of Arizona “information security and incident reporting and response” system.

Occurrence of all incidents will be logged by the Cloud Native Services team for evaluation and audit.​

Maintenance

Maintenance of applications and operating systems is expected to happen periodically. The Cloud Native Services team will be responsible for managing the maintenance process for CyVerse and executing the maintenance for the core infrastructure systems. If any server requires a hardware or system update and results in a system reboot, loss of connectivity, or negatively impacts users, then the team will plan for scheduled downtime for the servers in question. The Cloud Native Services team will make a best effort to minimize the impact and notify the affected users of the scheduled downtime.

End-users are expected to periodically check for updates on their laptop's and workstation's operating systems (i.e., Windows updates and Mac OS updates). If an end-user is not familiar with updating their operating system, the Cloud Native Services team can provide training on these tasks.

Physical Protection

CyVerse servers are located in secure, limited-access, and monitored data centers. Workstations and laptops should be physically secured to an immovable or difficult-to-move object whenever possible. To secure a physical system, a special cable with a locking mechanism should be used, such as a Kensington lock.

Loss or theft of physical CyVerse asset(s) will require contacting law enforcement (following CyVerse incident reporting procedures).

Planning

CyVerse will formally reevaluate and document all security, business continuity, and backup and recovery plans at least every three months, including this Security Policy document. Operationally, the reevaluation process may occur more frequently, and policies may be modified in response to addition in internal requirements, the external environment, or risk assessments.

Risk Assessment

A formal risk assessment process for the servers, workstations, laptops, and network equipment will occur every three months. This will also include participation in risk assessment procedures and security scans conducted by institutional providers. Excluding XSEDE or HPC-related systems, CyVerse undergoes periodic security scans.

System and Information Integrity

To ensure business continuity and information integrity, CyVerse will adhere to its disaster preparedness and recovery policies.

Privacy

This section is subject to the user's compliance with CyVerse's Acceptable Use Policy (AUP) and Service Level Agreement (SLA).

Email and Form Information

CyVerse does not obtain personal information about you when you visit our websites or through other online services unless you provide us that information voluntarily. If an individual sends an email message with a question or comment or fills out a web-based form, and either form or communication contains personally identifying information, that information will only be used to directly respond to the requester, unless otherwise stated specifically. The request for information may be redirected to other parts of CyVerse that may be in a better position to respond to the request. Any personal information you provide will not be released to outside parties unless we are legally required to do so in connection with legal proceedings, law enforcement investigations, or state law. Recipients of the CyVerse newsletter (The Node) can change their newsletter subscription or unsubscribe from future newsletters here. This email address is being protected from spambots and you must enable JavaScript to view it with your request.

System-generated Information

In addition to information actively provided by individuals using CyVerse websites, computational resources, and other online services, CyVerse may record information such as, but not limited to: 

  • Internet address of the computer being used
  • Web pages requested
  • Referring web page
  • Browser used
  • Date, time, and duration of activity
  • Passwords and accounts accessed
  • Volume of data storage and transfer CPU, network bandwidth consumption
  • Applications utilized and duration of usage

CyVerse uses this information to monitor, preserve, and enhance the functioning and integrity of the system. Information is collected for analysis and statistical purposes, and is used to help diagnose problems with the server and to carry out other administrative tasks, such as assessing what information or feature is of most interest, determining technical design specifications, and identifying system performance and/or problem areas. This information is not used in any way that would reveal individual personal information to external constituencies except as described above.

Cookies

Cookies are short pieces of information used by web browsers to remember information provided by the user, such as passwords and preferences from past visits. Additional information on cookies is available at the cookiecentral website and in the publication from the Department of Energy Computer Incident Advisory Center. Some CyVerse websites use cookies to store service information, and some web-based services require cookies for access. Any information that CyVerse may store in cookies is used exclusively for internal purposes only. If you have additional questions about online privacy or security, please email the University of Arizona Information Security Office at security@arizona.edu or call (520) 621-6700; visit here more information

Create Account

An Open Science Workspace for Collaborative Data-driven Discovery