ACCESS Cybersecurity Governance Council Charter
Version: v2.0, Author: Alex Withers, alexw1@illinois.edu, Accountable: Alex Withers, alexw1@illinois.edu, Reviewed: 9/08/2022, Approved: Approved by CGC 8/29/2022
Scope and Purpose
The Cybersecurity Governance Council (CGC) works in cooperation with the ACCESS Executive Council (EC) to provide the oversight of cybersecurity operations and the formation and dissemination of cybersecurity policies. These policies will encompass requirements, procedures, and guidelines for ACCESS services, infrastructure, and Resource Providers (RPs). Of these policies, the ACCESS Core Information Security Policy & Procedures document represents the core information security / cybersecurity policies for ACCESS, including programmatic commitments, roles and responsibilities, and references to other special purpose policies. The CGC also works to share cybersecurity information, discuss and disseminate new cybersecurity threats and vulnerabilities and exchange best practices.
Membership
Membership in the CGC will consist of a representative from each RP, each Service Track and a representative from the ACCESS Coordination Office (ACO). The CGC will be convened by the EC and chaired by the ACCESS Security Manager (ASM).
Voting Rights
Only the Service Track and ACO representatives (or their delegates) will have voting rights in the event of any vote being taken by the CGC. The Service Tracks and the ACO will each have one vote. A vote of the CGC will be facilitated by ASM. Other members of the CGC act in an advisory capacity.
Participation
Participation from all members is vital to realize the security goals of ACCESS for its users and participants. As such, all CGC members agree to:
Regularly participate in the regular CGC meetings,
Promptly respond to communications about ACCESS security incidents,
Facilitate the sharing of cybersecurity information relevant to ACCESS and,
Provide input to proposed drafts of ACCESS cybersecurity policies.
There are regular meetings, held at least bi-weekly, and run by the ASM. Regular attendance is expected, and RPs or Service Tracks whose representatives do not show the majority of the time will be asked to send new representation.
Goals
The CGC will be convened by the EC and chaired by the ACCESS Security Manager. The CGC will provide a mechanism for sharing cybersecurity information relevant to ACCESS, disseminating and discussing new threats and vulnerabilities, and exchanging best practices. The CGC also provides a crucial mechanism for ensuring a balanced approach to protecting the shared CI ecosystem and enabling researcher productivity. Information from the CGC will also be uploaded to the CONECT Information Sharing Platform.
The CGC will approve drafts of proposed ACCESS cybersecurity policies with input from the ACO and all Service Tracks and RPs to ensure that these policies are feasible and adequate for protecting ACCESS’s CI against the latest threats and vulnerabilities. Those policies that have the potential for wide impact on ACCESS must be presented to the EC for awareness and may require EC approval when appropriate.
Information Sharing and Reporting
As stated previously, the CGC will provide a mechanism for sharing cybersecurity information relevant to ACCESS. One mechanism for sharing will be the ACCESS Incident Response Trust Group (AIRTG). This will primarily be done through regular meetings of the AIRTG and through secure communication technology such as Slack, http://Keybase.io or encrypted email. Additional details on these mechanisms will be provided in the AIRTG Charter.
Another mechanism for sharing information will use more automated methods. Examples of such are:
Central log collection from ACCESS resources,
Participation in the ResearchSOC,
Proposing and facilitating the implementation of cybersecurity technology that digests and analyzes collected information to produce threat intelligence and alerts for sharing, and
Evaluating and participating in external threat intelligence clearing houses such as REN-ISAC and SAFER.
In addition to the sharing of information described above, the CGC will be responsible for sharing policies and procedures. The CGC will use the CONECT Information Sharing Platform for security policy, procedure, guidelines, and other similar documents.
The CGC will periodically, and as requested or otherwise appropriate, report cybersecurity information such as incidents, threats and compliance issues to the ACCESS External Advisory Board and Executive Committee. This report will also include ACCESS risk assessment reports when completed on an annual basis. Details on these reports and their frequency are detailed in the ACCESS Core Information Security Policy & Procedures.
Cybersecurity Operational Concerns
The dissemination and discussion of new threats and vulnerabilities, and exchanging best practices will be primarily done through the ACCESS Incident Response Trust Group (AIRTG). It is the responsibility of the CGC to ensure that these activities have a proper forum in which to occur and that the product of these discussions are properly disseminated across ACCESS when appropriate.
The CGC may need to form new policies or procedures or update existing ones based on the outcomes of these discussions.
Cybersecurity Policies and Procedures
The CGC will approve drafts of proposed ACCESS cybersecurity policies with input from the ACO and all Service Tracks and RPs to ensure that these policies are feasible and adequate for protecting ACCESS’s CI against the latest threats and vulnerabilities. ACCESS cybersecurity policies will be approved by vote and require unanimous approval from all members with voting rights. Those policies approved by the CGC will be presented to the EC to inform the EC of the new policy or changes to existing policies. Those new policies or changes that have broad direct impacts to the ACCESS project may require additional approval by the EC.