Updated June 30, 2020
This section describes and establishes the policies, procedures, and practices relating to confidentiality, integrity, and availability of CyVerse services, resources, equipment, and information while protecting the research and education activities in support of this project. All the data, software tools, and other resources will be made freely and publicly available under Creative Commons or applicable open source terms.
CyVerse will primarily utilize the networking and computing infrastructure at The University of Arizona and our partner institutions, and the standards and policies set forth within this document will complement the policies set forth by these organizations. When there are any overlapping or conflicting policies set forth within this document, CyVerse will defer to the policy with the more stringent security requirements. In addition, state and federal laws may have jurisdiction, in which case CyVerse will be required to abide by all state and federal laws relating to its applications, systems, and networks. Herein, CyVerse specifies and highlights policies that are particularly important to CyVerse but there is no intent to describe or account for every known situation, circumstance, and process relating to security.
Reference to Additional Policies
Complementary institutional or organizational security policies can be found here:
Cold Spring Harbor Laboratory: Available by request to Cold Spring Harbor Laboratory
University of California, Santa Barbara: IT Policies
NSF XSEDE: XSEDE Security
General Data Protection Regulation: https://eugdpr.org
The CyVerse Cloud Native team is ultimately responsible for determining the appropriate level of access to ensure the confidentiality, integrity, and availability of CyVerse systems and resources to the community. This section presents a broad view of the organization’s stance on access control. However, due to the participatory and community-based nature of CyVerse, access will be determined on a project, team, and individual basis.
Every CyVerse staff member, researcher, community participant, and user is responsible for protecting the access to any information and systems that have been granted to him or her. If there is any suspicion of a breach of access, the CI team should be contacted immediately so that an appropriate investigation can be performed. Any CyVerse workstation and laptop should be password-protected.
A distinct and clear message will be displayed to users if an application, system, or network is restricted from the general public, including the applicable Acceptable Usage Policy (AUP).
Authentication and Authorization
Authentication and authorization mechanisms will be used according to the needs of the application, system, and network. The CyVerse internal systems and infrastructure will be highly restrictive.
Working groups, collaborators, and development teams may employ temporary authentication and authorization schemes for the benefit of rapid development and prototyping. As applications and systems migrate under the professional services and Cloud Native Services team, these schemes may be standardized or removed, as appropriate, to ensure consistency for the community and general public.
Intellectual Property and Copyright
CyVerse will make every effort to comply with the intellectual property rights and copyrights of software, source code, data, documents, and other relevant materials. Participating researchers and community members must declare any intellectual property rights and copyrights to CyVerse in writing prior to its use within CyVerse. For further information, see the CyVerse Intellectual Property Policy.
General Data Protection Regulation (GDPR) Compliance
Users may not upload any personal data that is protected by the General Data Protection Regulation (EU) 2016/679 (GDPR), which is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas regardless of its location and the data subjects' citizenship, that is, processing the personal information of data subjects inside the EEA. For user account creation, CyVerse collects minimal required and optional personal data, including:
In addition to CyVerse collecting personal data, there are other third-party applications in our cyberinfrastructure that are used in conjunction with your personal data. To date, these applications include:
Intercom, for user support and engagement
Google Analytics, for site usability and performance
Users have the right to be forgotten. Users have the right to see what personally identifiable data CyVerse has. To request your personal data be deleted, to see what personally identifiable data is being stored in CyVerse, or to address any other issue regarding data privacy at CyVerse (including access, rectification, objection, and restriction), email email@example.com.
Awareness and Training
CyVerse will provide security documentation for all end-users as needed. Any public security-related documentation, including this Security Policy, will be posted on the CyVerse website. If necessary, working groups, collaborators, and development teams will be provided with more detailed security documentation and training, depending on the nature of the applications, systems, and networking that will be used for their projects. Operations and Infrastructure documentation and training may be provided to staff and researchers who will be directly accessing core infrastructure services.
Audit and Accountability
The Cloud Native Services team will be ultimately responsible for managing the security audits of CyVerse.
The distributed nature of cyberinfrastructure will necessitate that all CyVerse assets subscribe to and adhere to the local policies along with those set forth by the CyVerse security requirements. The organizations responsible for the security of a CyVerse asset will include the institutional and departmental security organizations where the asset is housed and managed. If the asset is a shared resource or CyVerse projects are utilizing time and resource allocation at other locations, the standards set forth by the local organization responsible for security will be adhered to; ultimately CyVerse will be responsible for security of its assets and will work cooperatively with local security organizations to share relevant information.
All CyVerse assets and personnel will adhere to the Acceptable Usage Policy (AUP) set forth by the local organization, e.g., the AUP for computer and network use at University of Arizona. For services and resources available through CyVerse, the AUP will be set based on the specific resource and service being provided, and users will be required to comply with policies to gain access.
All CyVerse servers will record login and connection information including the remote host, timestamps, protocols, and user login information. If applicable, application and server logs will be consolidated in a central logging system. Server logs will be maintained for a minimum of one year.
Any third-party applications, i.e., ones not developed by CyVerse, will have logging enabled as appropriate. Applications developed for the Discovery Environment (DE) requiring authentication or authorization should capture connection information including remote host, timestamps, and user login information, if applicable, and display relevant AUP.
Applications that result from community collaborations will eventually be migrated to the Cloud Native Services team for community access. During the migration process, the team will evaluate the security of these applications and perform penetration testing. If applicable, the data and any data collection process will also be evaluated to ensure that there are no privacy, confidentiality, copyright, or patent issues.
Ongoing traffic pattern analysis and intrusion detection systems (IDS) will be employed to perform host-based intrusion detection (HIDS) and network-based intrusion detection (NIDS). Cursory audits of the server logs will occur on a periodic basis. If a situation warrants immediate attention, such as a potential security breach, then the Cloud Native Services team will perform a more detailed audit.
The Cloud Native Services team will investigate any reports of security breaches within CyVerse. If the investigation results in a credible claim, the team will take necessary action to remove or isolate the threat. The team will make a best effort to minimize any downtime. In the event that a downtime must occur for a significant duration, then appropriate notifications will be sent and posted to the website.
All security-related incidents should be reported to CyVerse Security at firstname.lastname@example.org
For active threats and for urgent and secure communication, call 1-520-621-0011.
As part of the incident response, the Cloud Native Services team will update all responsible authorities on the occurrence of the incident and the actions being taken to mitigate the situation through designated channels. This will include institutional providers and participating authorities, funding agencies, and law enforcement agencies, e.g., University of Arizona “report a security incident” system.
Occurrence of all incidents will be logged by the Cloud Native Services team for evaluation and audit.
Maintenance of applications and operating systems is expected to happen periodically. The Cloud Native Services team will be responsible for managing the maintenance process for CyVerse and executing the maintenance for the core infrastructure systems. If any server requires a hardware or system update and results in a system reboot, loss of connectivity, or negatively impacts users, then the team will plan for scheduled downtime for the servers in question. The Cloud Native Services team will make a best effort to minimize the impact and notify the affected users of the scheduled downtime.
End-users of laptops and workstations are expected to periodically check for updates on their operating systems (i.e., Windows updates and Mac OS updates). If an end-user is not familiar with updating their operating system, the Cloud Native Services team can provide training on these tasks.
CyVerse servers are located in secure, limited-access, and monitored data centers. Workstations and laptops should be physically secured to an immovable or difficult-to-move object whenever possible. To secure a physical system, a special cable with a locking mechanism should be used, such as a Kensington lock.
Loss or theft of physical CyVerse asset(s) will require contacting law enforcement (following CyVerse incident reporting procedures).
CyVerse will formally reevaluate and document all security, business continuity, and backup and recovery plans at least every three months, including this security policy document. Operationally, the reevaluation process may occur more frequently, and policies may be modified in response to addition in internal requirements, the external environment, or risk assessments.
A formal risk assessment process for the servers, workstations, laptops, and network equipment will occur every three months. This will also include participation in risk assessment procedures and security scans conducted by institutional providers. Excluding XSEDE or HPC-related systems, CyVerse undergoes periodic security scans using Qualys.
System and Information Integrity
To ensure business continuity and information integrity, CyVerse will adhere to its disaster preparedness and recovery policies.
Email and Form Information
In addition to information actively provided by individuals using CyVerse websites, computational resources, and other online services, CyVerse may record information such as, but not limited to, the following types of information each time these access points are used:
Internet address of the computer being used
Web pages requested
Referring web page
Date, time, and duration of activity
Passwords and accounts accessed
Volume of data storage and transfer
CPU, network bandwidth consumption
Applications utilized and duration of usage
CyVerse uses this information to monitor, preserve, and enhance the functioning and integrity of the system. Information is collected for analysis and statistical purposes, and is used to help diagnose problems with the server and to carry out other administrative tasks, such as assessing what information is of most interest, determining technical design specifications, and identifying system performance and/or problem areas. This information is not used in any way that would reveal individual personal information to external constituencies except as described above.