securitypolicy
Differences
This shows you the differences between two versions of the page.
|
securitypolicy [2011/09/08 18:34] elyoliveira angelegt |
securitypolicy [2012/10/30 10:27] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | |||
| ===== Security Policy ===== | ===== Security Policy ===== | ||
| - | This page defines the security policy adopted in the mySmartGrid project. Its goal is to ensure that mySmartGrid services achieve the levels of reliability and security expected by its users. | + | This document defines the security policy adopted in the mySmartGrid project. Its goal is to ensure that mySmartGrid services achieve the levels of reliability and security expected by their users. |
| + | |||
| + | It is organized in two sections. The first one classifies the computer systems used in the project, and explains their purposes. The second one identifies the roles played by team members and describes their respective responsibilities. | ||
| - | The first section classifies the computer systems used in the project, and explains their purposes. The second section identifies the roles played by team members and describes their respective responsibilities. Finally, the third section elicits general guidelines to be followed by all team members. | + | For the sake of simplicity and the benefit of the reader, the gender-specific pronouns and adjective //he//, //him//, and //his// are used throughout the document to refer gender-neutral nouns such as //user// and //team member//. |
| === Computer Systems === | === Computer Systems === | ||
| - | The computer systems currently used in the project are classified in the following types. | + | The computer systems currently used in the project compose the MSG network, which is a subset of the ITWM network. They are classified in the following types. |
| - | * **S1** - Physical Server - Hosting environment where other machines are deployed as virtual machines. | + | * **S1** - Physical Server - Hosting environment where other machines are deployed as virtual machines. It can not be accessed from outside the ITWM network. |
| * **S2** - Production Server - Virtual machine where production services run. | * **S2** - Production Server - Virtual machine where production services run. | ||
| - | * **S3** - Support Server - Virtual machine used by Flukso devices to open reverse SSH connections that enable remote support. | + | * **S3** - Support Server - Virtual machine used by Flukso devices to open reverse SSH connections that enable remote support. This machine is allowed to open connections only with the devices, via SSH tunneling. |
| - | * **S4** - Development Server - Virtual machine used for software development and testing purposes. | + | * **S4** - Development Server - Virtual machine used for software development and testing purposes. It can not be accessed from outside the ITWM network. |
| === Roles and Responsibilities === | === Roles and Responsibilities === | ||
| - | The following list identifies the major roles played by members of the mySmartGrid team, and describes their respective responsibilities. | ||
| * **Admin1** - Primary system administrator, responsible for maintaining and operating the servers //S1//, //S2//, and //S3//. His attributions are detailed in the following. | * **Admin1** - Primary system administrator, responsible for maintaining and operating the servers //S1//, //S2//, and //S3//. His attributions are detailed in the following. | ||
| * Software installations, configurations, and updates. | * Software installations, configurations, and updates. | ||
| * User management. | * User management. | ||
| - | * Certification management, including: | + | * Certificates management, including: |
| * creation, renewal, and revocation of certificates using the mySmartGrid Certification Authority (MSG-CA); | * creation, renewal, and revocation of certificates using the mySmartGrid Certification Authority (MSG-CA); | ||
| * request and replacement of certificates signed by external CAs. | * request and replacement of certificates signed by external CAs. | ||
| Line 33: | Line 33: | ||
| * Creation of virtual machines such as //S3// and //S4//. | * Creation of virtual machines such as //S3// and //S4//. | ||
| * Routinely change passwords (every 6 months, at least). | * Routinely change passwords (every 6 months, at least). | ||
| - | * Share passwords exclusively with //Admin2// and //Leader//. | + | * Share passwords exclusively with //Admin2// and //Coordinator//. |
| Line 39: | Line 39: | ||
| - | * **Leader** - Project leader, responsible for team coordination and for assuming //Admin1// responsibilities when both administrators are unreachable. He is also responsible for reassigning these roles to team members. | + | * **Coordinator** - Responsible for assigning roles to team members and assuming //Admin1// responsibilities when both administrators are unreachable. |
| Line 49: | Line 49: | ||
| * the administration of local services such as databases, monitoring, and the Drupal framework. | * the administration of local services such as databases, monitoring, and the Drupal framework. | ||
| - | A single person can play multiple roles, but each role can be played only by one person at a time, with the exception of //Developer//. The following table shows the current incumbents. | ||
| - | ^ Team Member ^ Admin1 ^ Admin2 ^ Leader ^ Developer ^ | + | * **Worker** - Any member of the mySmartGrid team, who works with the computer systems and data managed in the project. He is required to follow the guidelines listed bellow, except in special cases determined by the //Coordinator//. |
| - | | Ely de Oliveira | X | | | X | | + | * The computer systems must be exclusively used for activities related with the mySmartGrid project. |
| - | | Kai Krueger | | X | | | | + | * External users should not be given access to any computer system, except via user accounts on the web portal running on //S2//. |
| - | | Mathias Dalheimer | | | X | X | | + | * All data stored in these systems is confidential, and must not leave the ITWM network. |
| - | | Stephan Platz | | | | X | | + | * Passwords must be kept in safe locations within the ITWM network, such as encrypted keystores. They are never to be emailed or copied to external media devices. |
| - | | Simon Birbach | | | | X | | + | * //Admin1// must be immediately informed of any security flaw identified in the system, by sending an email to msg-support@itwm.fraunhofer.de. |
| - | === Guidelines === | + | A single person can play multiple roles, but each role can be played by only one person at a time, with the exception of //Developer// and //Worker//. The following table shows the current incumbents of the four most specific roles. |
| - | The following list presents guidelines to be followed by all team members, except in special cases determined by the project //Leader//. | + | ^ Team Member ^ Admin1 ^ Admin2 ^ Coordinator ^ Developer ^ |
| + | | Ely de Oliveira | X | | | X | | ||
| + | | Kai Krueger | | X | | | | ||
| + | | Mathias Dalheimer | | | X | X | | ||
| + | | Stephan Platz | | | | X | | ||
| + | | Simon Birbach | | | | X | | ||
| - | * The computer systems must be exclusively used for activities related with the mySmartGrid project. | ||
| - | * External users should not be given access to any computer systems, except via user accounts on the web portal running on //S2//. | ||
| - | * All data stored in these systems are confidential, and must not leave the ITWM/MSG network. | ||
| - | * Passwords must be kept in safe locations within the ITWM/MSG network, such as encrypted keystores. They are never to be emailed or copied to external media devices. | ||
securitypolicy.1315499658.txt.gz · Last modified: 2012/10/30 10:35 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
