INCOMMON FEDERATION PARTICIPANT OPERATIONAL PRACTICES (POP)
1. Federation Participant Information
1.1 Introduction
The InCommon Participant Operational Practices information below is for the SciShield application, operated by RAFT, Inc. The information is current as of July 29, 2022.
1.2 Identity Management and/or Privacy information
Information about SciShield's identity management practices and policies regarding personal information can be found on-line at https://www.scishield.com/incommon/pop
1.3 Contact information
The following person or office can answer questions about the Participant’s identity management system or resource access management policy or practice.
Questions regarding SciShield's identity management and security practices and policies should be addressed to security@scishield.com
General questions regarding the SciShield application can be addressed to our support help desk at support@scishield.com
To speak with someone directly, our helpdesk can be reached at 800-939-7238 x82 and will direct your call as needed.
2. Identity Provider Information
N/A – SciShield is a Service Provider.
3. Service Provider Information
3.1 What attribute information about an individual do you require in order to manage access to resources you make available to other Participants? Describe separately for each service ProviderID that you have registered.
SciShield requires the user's unique institutional identifier (used to map the user to their record in the institution's LDAP/AD directory) and the user's affiliations. We also request the given name, surname and e-mail address.
3.2 What use do you make of attribute information that you receive in addition to basic access control decisions? For example, do you aggregate session access records or records of specific information accessed based on attribute information, or make attribute information available to partner organizations, etc.?
The attribute information provided is used along with attribute information in the user’s institutional directory profile to build their SciShield user profile. Data in SciShield is viewable only to authenticated and authorized individuals. For example, institutional compliance officers can view high level information about labs across the institution. Individual Principal Investigators in a laboratory can see relevant information only about their lab and lab members. Individual researchers can see only their information and specific information about their lab’s activities (depending on their role and job duties).
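The following is an added illustration of the attribute handling described in 3.1 and 3.2; it is not SciShield or RAFT code. It assumes the IdP releases the InCommon/eduPerson attributes eduPersonPrincipalName (the unique institutional identifier), eduPersonAffiliation, givenName, sn and mail, exported to the application the way a Shibboleth SP does (multi-valued attributes joined with ';'). The role and lab fields, the directory lookup and the sample users are hypothetical and constructed for the example.

```python
"""Attribute-based profile construction and scoped visibility (example only).
Assumed attribute names: eduPersonPrincipalName, eduPersonAffiliation,
givenName, sn, mail. Role/lab fields and sample data are hypothetical."""
from dataclasses import dataclass
from typing import Optional

REQUIRED = ("eduPersonPrincipalName", "eduPersonAffiliation")  # needed for access control (3.1)
OPTIONAL = ("givenName", "sn", "mail")                          # requested, used when present
# Controlled vocabulary of eduPersonAffiliation from the eduPerson schema.
AFFILIATIONS = {"faculty", "student", "staff", "employee", "member",
                "affiliate", "alum", "library-walk-in"}


class MissingAttribute(Exception):
    """The IdP did not release an attribute the SP needs."""


def parse_sp_attributes(env):
    """Split Shibboleth-SP style exported attributes (';'-joined) into value lists."""
    return {name: [v for v in env.get(name, "").split(";") if v]
            for name in REQUIRED + OPTIONAL}


def missing_required(attrs):
    """Names of required attributes that arrived empty or absent."""
    return [a for a in REQUIRED if not attrs[a]]


@dataclass(frozen=True)
class Profile:
    principal: str
    affiliations: frozenset
    institution: str
    role: str                 # hypothetical: taken from the institutional directory record
    lab_id: Optional[str]     # hypothetical: the lab the user belongs to, if any
    given_name: Optional[str] = None
    surname: Optional[str] = None
    mail: Optional[str] = None


def build_profile(env, directory):
    """Merge released attributes with the institutional directory record (3.2).
    Required attributes are enforced; optional ones fill in the profile when present."""
    attrs = parse_sp_attributes(env)
    missing = missing_required(attrs)
    if missing:
        raise MissingAttribute(f"IdP did not release required attribute(s): {missing}")
    principal = attrs["eduPersonPrincipalName"][0]
    affs = frozenset(attrs["eduPersonAffiliation"])
    unexpected = affs - AFFILIATIONS
    if unexpected:
        raise ValueError(f"unexpected affiliation value(s): {sorted(unexpected)}")
    rec = directory[principal]  # KeyError if there is no directory record to map to

    def first(name):
        return attrs[name][0] if attrs[name] else None

    return Profile(principal, affs, rec["institution"], rec["role"], rec.get("lab_id"),
                   first("givenName"), first("sn"), first("mail"))


@dataclass(frozen=True)
class Record:
    institution: str
    lab_id: str
    level: str                     # "lab" (activity summary) or "member" (one person's data)
    subject: Optional[str] = None  # principal a member-level record is about


def can_view(user, rec):
    """Visibility rules of 3.2: compliance officers see high-level lab information across
    the institution, PIs see their own lab in full, researchers see their own data and
    their lab's activity only. Anything else is denied."""
    if rec.institution != user.institution:   # customers are kept separate (3.3)
        return False
    if user.role == "compliance_officer":
        return rec.level == "lab"
    if user.role == "pi":
        return rec.lab_id == user.lab_id
    if user.role == "researcher":
        if rec.lab_id != user.lab_id:
            return False
        return rec.level == "lab" or rec.subject == user.principal
    return False  # unknown role: deny by default


# Constructed sample data (hypothetical users, not real people): one SP export
# and a stand-in for the institutional directory.
SAMPLE_ENV = {
    "eduPersonPrincipalName": "jdoe@example.edu",
    "eduPersonAffiliation": "faculty;member",
    "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.edu",
}
SAMPLE_DIRECTORY = {
    "jdoe@example.edu": {"institution": "example.edu", "role": "pi", "lab_id": "chem-12"},
    "rroe@example.edu": {"institution": "example.edu", "role": "researcher", "lab_id": "chem-12"},
    "cofficer@example.edu": {"institution": "example.edu", "role": "compliance_officer"},
}
```

The two points worth noting are that the profile is only built when both required attributes are present (a login that releases only the identifier is refused rather than silently given an empty affiliation), and that every visibility decision is scoped first by institution and then by lab, so a role name alone never widens what a user can see.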
3.3 What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)? For example, is this information encrypted?
SciShield and its associated infrastructure have been developed with security and privacy as primary goals. Some examples of specific actions taken to ensure the security of your data are listed below.
From an application level:
- Access to the application is only granted to authenticated and authorized users. Anonymous access is forbidden.
- All user input is validated and sanitized to guard against injection, cross-site scripting, cross-site request forgery, PHP file inclusion and other common attack classes.
- All access is forced over encrypted connections (HTTPS).
- Each of our customers has its own database, with access restricted to that customer's site only.
- All access to the application, and all actions taken within it, are logged; e-mail alerts are triggered when suspicious activity is detected.
From an infrastructure level:
- Our database server is behind a firewall and not exposed to the outside world. It is only accessible to our web servers via our private network.
- All incoming and outgoing connections from our servers are encrypted (with the exception of outgoing SMTP traffic). All data is encrypted on disk. Backups are fully encrypted in transit and at rest.
- Intrusion detection and prevention systems are in place to identify network threats, drop malicious packets, close malicious connections and log attacks for later review.
- We keep all server software patched and up to date, and regularly scan our servers for vulnerabilities using industry-accepted scanning services.
- Our data center is physically secured with biometric access controls and off-site video surveillance.
3.4 Describe the human and technical controls that are in place on the management of super-user and other privileged accounts that might have the authority to grant access to personally identifiable information?
RAFT has strict policies and rigorous controls in place to prevent, detect and monitor unauthorized employee access to data and misuse of data.
Password policies, access-tracking systems and single sign-on tools are in place to define password requirements, track all access and usage, and protect root and administrator-level credentials where they are needed.
Background and credit checks are performed on all employees and on applicants who reach the final round of interviews. All new employees are trained on all information security policies and procedures upon hire, and this training is repeated and reviewed annually.
On an ongoing basis, access to data, resources and services is limited to those with an explicit need, and all access is logged and monitored. The sanctions for violating these policies, which include termination and possible criminal charges, are also reviewed annually with all employees.
On termination, a defined checklist is followed to ensure that all access is revoked and all data is collected. Bi-annually, all user accounts and access levels for all servers, services and data are reviewed and audited in order to verify access levels and remove unneeded permissions or accounts.
3.5 If personally identifiable information is compromised, what actions do you take to notify potentially affected individuals?
In the event of a security breach, notice would be provided in writing to all affected parties as soon as we had determined the scope of the breach and restored the integrity of the system. The notice would describe what happened, identify what information was compromised, and outline what we have done to prevent further unauthorized access. We would also review the applicable state breach-notification regulations for additional information or contact numbers that must be included in the notice: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
4. Other Information
4.1 Technical Standards, Versions and Interoperability
SciShield uses the standard Shibboleth Service Provider (SP) 3.x release code base.
4.2 Other Considerations
No other considerations are required at this time.