Service Operations Security Policy

This is the Service operations security policy for LS AAI and the Services relying on it.

 

By running a Service, you agree to the conditions laid down in this document and other referenced documents, which may be subject to revision.

  1. You shall provide and maintain accurate contact information, including at least one Security Contact who shall support Sirtfi [R2] on behalf of the Service.

  2. You are held responsible for the safe and secure operation of the Service. Any information you provide regarding the suitability and properties of the Service should be accurate and maintained. The Service shall not be detrimental to the LS AAI nor to any of its Participants.

  3. You should follow IT security best practices including pro-actively applying updates or configuration changes related to security. You shall respond appropriately, and within the specified time period, on receipt of security notices from the LS AAI or any of its Participants. You must support the Sirtfi Framework (https://refeds.org/sirtfi) on behalf of your Service.

  4. You shall document your processing of personal data in a Privacy Statement that is displayed to the User and whose link is shared with the LS AAI. 

    1. You shall apply due diligence in maintaining the confidentiality of user credentials and of any data you hold where there is a reasonable expectation of privacy. 

    2. You shall collect and retain auditing information in compliance with policies and procedures (Terms of Use for Service Providers [ToU]), and must assist the LS AAI in security incident response.

    3. You shall use logged information, including personal data, only for administrative, operational, accounting, monitoring and security purposes. You shall apply due diligence in maintaining the confidentiality of logged information. 

  5. Provisioning of Services is at your own risk. Any software provided by the LS AAI is provided on an as-is basis, and subject to its own license conditions. There is no guarantee that any procedure applied by the LS AAI is correct or sufficient for any particular purpose. The LS AAI and other Participants are not liable for any loss or damage in connection with your participation in the LS AAI.

  6. You may control access to your Service for administrative, operational and security purposes and shall inform the affected users where appropriate.

  7. Your Service’s connection to the LS AAI may be controlled for administrative, operational and security purposes if you fail to comply with these conditions.

Upon retirement of a Service, the obligations specified in clauses 1, 4 and 5 shall not lapse for the retention period of 6 months agreed with the Infrastructure.

 

 Version 27 January 2022

Based on AARC Policy development kit (CC BY-NC-SA 4.0)

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 654248.