Information Security Guide

Confidence in the meaning, disposition, and provenance of information is at the heart of scientific research and discovery. Our confidence originates from our trust in the processes used to conduct experiments, analyze results, and create knowledge. The processes we define to support reproducible discovery are the foundation of information security in the research domain.

Modern science is increasingly an expression of ideas in the virtual spaces of the computational platforms that surround us. The computer is our most versatile scientific instrument. The computer allows us to explore any abstraction we can envision and to build pathways to our discoveries. They help us by supporting development of a reproducible process. Good process lets us explore our virtual worlds with confidence. It underlies our trust in the experiments we conducted and the results we obtained from our virtual worlds.

At UAB, we are building a Research Computing System (RCS) that supplies researchers with HPC, storage, web, and virtual infrastructure to facilitate investigation, develop research applications, and enable collaboration. This system is being designed to promote and support processes that ensure confidence in the experiments conducted and results obtained using this system. In other words, we are building a scientific instrument to support the virtual expressions of modern science.

The information security guide will document the function of the Research Computing System to engender trust in the information recorded on and derived from the conduct of science on this platform.

Background
To facilitate dialogs about the Research Computing System and its development across a wide variety of groups and interests, this document will leverage definitions and standards for information security being developed by NIST. According to NIST, information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. This term is defined in (FIPS-199), the primary standards document that all participants in this dialog should be familiar with. FIPS-199 identifies "information types" and "information systems" as the two primary classes used to document information security requirements. Additionally, it defines three areas of information security "confidentiality, integrity, and availability" that are used to guide the implementation of appropriate process. FIPS-199 is a short document, and the heart of the matter is covered in the first 6 pages. The remaining content is an appendix defining the referenced terms.

RCS is an Information System
A basic statement of the operating principles for the Research Computing system could be written as follows:

It is important to note that this statement only describes how the system operates. It does not dictate any restriction to the access of information. For example, this wiki, visible to the world, is in full harmony with that operation. The "access control list" for the wiki includes "world readable".
 * The Research Computing System provides controlled access to data and applications maintained on the system. Every data and application resource has an access control list which specifies allowed interactions with the resource. All requests to access data and applications are verified against the resource access control list to assure all allowed interactions are permitted.
 * A person is granted access to the Research Computing System according to their affiliations with the University. Individuals are assigned a unique identity to account for their use of the system and the resources which they maintain on the system.   Valid credentials must be presented to modify resources maintained on the system. Individuals may be associated with groups which reflect their affiliations with the University or with other individuals using the system. Group membership can be used to expand or constrain access to data and application resources maintained on the system.
 * A person is granted access to the Research Computing System according to their affiliations with the University. Individuals are assigned a unique identity to account for their use of the system and the resources which they maintain on the system.   Valid credentials must be presented to modify resources maintained on the system. Individuals may be associated with groups which reflect their affiliations with the University or with other individuals using the system. Group membership can be used to expand or constrain access to data and application resources maintained on the system.