The security activity, led by Don Petravick, has been developing a role-based security program for OSG. The program is split into "Core" (paid by or contributed to OSG) and "non-Core"(site/VO owned and maintained). Roles are identified within each, and security responsibilites vary by role. The adopted security philosophy ensures that computer security, like safety, is not an arbitrary set of prescriptive rules imposed from the outside, but rather a part and parcel of all OSG activities.  

Read More

Don's presentation on Security Awareness is intended to serve as the OSG security reference document while a training program is being developed. This document outlines the goals, methodology, risks, responsibilities and other aspects of OSG security.  

A few notable points from the presentation:  

• Every non-trivial computing system has secruity risks. Our goal is acceptable risk.
• Not everything is finished; we have an approved plan and are implementing controls.
• OSG cannot bear responsibility for a VO or site.
• VOs stand accountable for the actions of their users.
• Providers of OSG resources must abide by the OSG service AUP.
• The creation of a software AUP is under discussion; it would create security expectations on our suppliers.
• There is mandatory incident reporting to security at opensciencegrid dot org, and the OSG response is complementary to the site response.    

Please review this important presentation. We must work together to secure grid computing.