Security and Privacy Policy

Security

This section describes and establishes the policies, procedures, and practices relating to confidentiality, integrity, and availability of CyVerse services, resources, equipment, and information while protecting the research and education activities in support of this project. All the data, software tools, and other resources will be made freely and publicly available under Creative Commons or applicable open-source terms.

CyVerse will primarily utilize the networking and computing infrastructure at The University of Arizona and partner institutions, and the standards and policies set forth within this document will complement the policies set forth by these organizations. When there are any overlapping or conflicting policies set forth within this document, CyVerse will defer to the policy with the more stringent security requirements. In addition, state and federal laws may have jurisdiction, in which case CyVerse will be required to abide by all state and federal laws relating to its applications, systems, and networks. Herein, CyVerse specifies and highlights policies that are particularly important to CyVerse, but there is no intent to describe or account for every known situation, circumstance, and process relating to security.

References to additional policies

Complementary institutional or organizational security policies can be found here:

Access control

The CyVerse Core Services team is ultimately responsible for determining the appropriate level of access to ensure the confidentiality, integrity, and availability of CyVerse systems and resources to the community. This section presents a broad view of the organization’s stance on access control. However, due to the participatory and community-based nature of CyVerse, access will be determined on a project, team, and individual basis.

Individual Responsibility. Every CyVerse staff member, researcher, community participant, and user is responsible for protecting the access to any information and systems that has been granted to him or her. If there is any suspicion of a breach of access, the CI team should be contacted immediately so that an appropriate investigation can be performed. Any CyVerse workstation and laptop should be password protected.

Access Notification. A distinct and clear message will be displayed to users if an application, system, or network is restricted from the general public, including the applicable Acceptable Usage Policy (AUP).

Authentication and Authorization. Authentication and authorization mechanisms will be used according to the needs of the application, system, and network. The CyVerse internal systems and infrastructure will be highly restrictive.

Working groups, collaborators, and development teams may employ temporary authentication and authorization schemes for the benefit of rapid development and prototyping. As applications and systems migrate under the professional services and Core Services team, these schemes may be standardized or removed, as appropriate, to ensure consistency for the community and general public.

Intellectual Property and Copyright. CyVerse will make every effort to comply with the intellectual property rights and copyrights of software, source code, data, documents, and other relevant materials. Participating researchers and community members must declare any intellectual property rights and copyrights to CyVerse in writing prior to its use within CyVerse. For further information, see the CyVerse Intellectual Property Policy.

Awareness and training

CyVerse will provide security documentation for all end-users as needed. Any public security-related documentation, including this security policy, will be posted on the CyVerse website. If necessary, working groups, collaborators, and development teams will be provided with more detailed security documentation and training, depending on the nature of the applications, systems, and networking that will be used for their projects. Operations and Infrastructure documentation and training may be provided to staff and researchers who will be directly accessing core infrastructure services.

Audit and accountability

The Core Services team will be ultimately responsible for managing the security audits of CyVerse.

Responsible Organizations. The distributed nature of cyberinfrastructure will necessitate that all CyVerse assets subscribe and adhere to the local policies along with those set forth by the CyVerse security requirements. The organizations responsible for the security of a CyVerse asset will include the institutional and departmental security organizations where the asset is housed and managed. If the asset is a shared resource or CyVerse projects are utilizing time and resource allocation at other locations, the standards set forth by the local organization responsible for security will be adhered to. Ultimately, CyVerse will be responsible for the security of its assets and will work cooperatively with local security organizations to share relevant information.

Acceptable Use. All CyVerse assets and personnel will adhere to the Acceptable Usage Policy (AUP) set forth by the local organization, e.g., AUP for computer and network use at University of Arizona. For services and resources available through CyVerse, AUP will be set based on the specific resource and service being provided and users will be required to comply with policies to gain access.

Servers. All CyVerse servers will record login and connection information including the remote host, timestamps, protocols, and user login information. If applicable, application and server logs will be consolidated in a central logging system. Server logs will be maintained for a minimum of one year.

Applications. Any third-party applications, ones not developed by CyVerse, will have logging enabled as appropriate. Applications developed for the Discovery Environment (DE) requiring authentication or authorization should capture connection information including remote host, timestamps, and user login information, if applicable, and display relevant AUP.

Applications that result from community collaborations will eventually be migrated to the Core Infrastructure Team for community access. During the migration process, the CI team will evaluate the security of these applications and perform penetration testing. If applicable, the data and any data collection process will also be evaluated to ensure that there are no privacy, confidentiality, copyright, or patent issues.

Audit. Ongoing traffic pattern analysis and intrusion detection systems (IDS) will be employed to perform host-based intrusion detection (HIDS) and network-based intrusion detection (NIDS). Cursory audits of the server logs will occur on a periodic basis. If a situation warrants immediate attention, such as a potential security breach, then the CI team will perform a more detailed audit.

Incident Response. The Core Infrastructure team will investigate any reports of security breaches within CyVerse. If the investigation results in a credible claim, the Core Infrastructure team will take necessary action to remove or isolate the threat. The Core Infrastructure team will make a best effort to minimize any downtime. In the event that a downtime must occur for a significant duration, then appropriate notifications will be sent and posted to the website.

All security-related incidents should be reported to CyVerse Security at security@cyverse.org.

For active threats or urgent and secure communication, call 1-520-621-0011.

Incident Reporting. As part of the incident response, the CI team will update all responsible authorities on the occurrence of the incident and the actions being taken to mitigate the situation through designated channels. This will include institutional providers and participating authorities, funding agencies, and law enforcement agencies, e.g., University of Arizona “report a security incident” system.

Occurrence of all incidents will be logged by the CI team for evaluation and audit.

Maintenance. Maintenance of applications and operating systems is expected to happen periodically. The Core Services team will be responsible for managing the maintenance process for CyVerse and executing the maintenance for the core infrastructure systems. If any server requires a hardware or system update and results in a system reboot, loss of connectivity, or negatively impacts users, then the Core Services team will plan for scheduled downtime for the servers in question. The Core Services team will make a best effort to minimize the impact and notify the affected users of the scheduled downtime.

End-users of laptops and workstations are expected to periodically check for updates on their operating systems (i.e., Windows updates and Mac OS updates). If an end-user is not familiar with updating the operating system, the Core Services team can provide training on these tasks.

Physical Protection. CyVerse servers are located in secure, limited-access, and monitored data centers. Workstations and laptops should be physically secured to an immovable or difficult-to-move object whenever possible. To secure a physical system, a special cable with a locking mechanism should be used, such as a Kensington lock.

Loss or theft of physical CyVerse asset(s) will require contacting law enforcement (follow CyVerse incident reporting procedures).

Planning. CyVerse will formally reevaluate and document all security, business continuity, and backup and recovery plans at least every three months, including this security policy document. Operationally, the reevaluation process may occur more frequently, and policies may be modified in response to addition in internal requirements, the external environment, or risk assessments.

Risk Assessment. A formal risk assessment process for the servers, workstations, laptops, and network equipment will occur every three months. This will also include participation in risk assessment procedures and security scans conducted by institutional providers. Excluding XSEDE- or HPC-related systems, CyVerse undergoes periodic security scans using Qualys.

System and Information Integrity. To ensure business continuity and information integrity, CyVerse will adhere to its disaster preparedness and recovery policies.

Privacy

This section is subject to the user's compliance with CyVerse's Acceptable Use Policy (AUP) and Service Level Agreement (SLA).

Email and form information

CyVerse does not obtain personal information about you when you visit our websites or through other online services unless you provide us that information voluntarily. If an individual sends an email message with a question or comment or fills out a web-based form, and either form or communication contains personally identifying information, that information will only be used to directly respond to the requester, unless otherwise stated specifically. The request for information may be redirected to other parts of CyVerse that may be in a better position to respond to the request. Any personal information you provide will not be released to outside parties unless we are legally required to do so in connection with legal proceedings, law enforcement investigations, or state law. Recipients of the CyVerse newsletter can change their newsletter subscription or unsubscribe from future newsletters here.

System-generated information

In addition to information actively provided by individuals using CyVerse websites, computational resources, and other online services, CyVerse may record information such as, but not limited to, the following types of information each time these access points are used:

  • Internet address of the computer being used
  • Web pages requested
  • Referring web page
  • Browser used
  • Date, time, and duration of activity
  • Passwords and accounts accessed
  • Volume of data storage and transfer, CPU, network bandwidth consumption
  • Applications utilized and duration of usage

CyVerse uses this information to monitor, preserve, and enhance the functioning and integrity of the system. Information is collected for analysis and statistical purposes, and is used to help diagnose problems with the server and to carry out other administrative tasks, such as assessing what information is of most interest, determining technical design specifications, and identifying system performance and/or problem areas. This information is not used in any way that would reveal personal information to external constituencies except as described above.

Cookies

Cookies are short pieces of information used by web browsers to remember information provided by the user, such as passwords and preferences from past visits. Additional information on cookies is available at the cookiecentral website and in the publication from the Department of Energy Computer Incident Advisory Center. Some CyVerse websites use cookies to store service information, and some web-based services require cookies for access. Any information that CyVerse may store in cookies is used exclusively for internal purposes. If you have additional questions about online privacy or security, you can email the Business Continuity and Information Security (BCIS) office (bcis@u.arizona.edu), contact them by phone at +1 (520) 621-4482, or send an inquiry by mail to: Business Continuity and Information Security, 1077 N. Highland Ave., Tucson, AZ 85721 USA.