Defines the security governance model of the D4Science infrastructure, including roles, protection measures, monitoring, incident response procedures, and alignment with GDPR and NIS2 principles.
This is the final version 1.1 of the Security and Incident Response Policy, which entered into force on 1 April 2026.
Purpose and Scope
The D4Science infrastructure supports a wide range of scientific activities and communities, providing access to shared resources, data, and computational services. Ensuring the security of the infrastructure is therefore essential to protect both the platform itself and the research activities it enables.
This Security and Incident Response Policy defines the principles, governance model, and procedures adopted to safeguard the infrastructure against security threats and to ensure a coordinated response to incidents.
The policy aims to protect the confidentiality, integrity, and availability of systems and data, ensure a consistent and proactive approach to cybersecurity risks, define responsibilities for security management, and establish procedures for incident detection and response.
This policy applies to all infrastructure components, services, and users interacting with D4Science. It contributes to compliance with the General Data Protection Regulation (GDPR), the principles of the NIS2 Directive, and applicable national and institutional security frameworks.
Relationship with the Policy Framework
This document forms part of the D4Science Policy Framework. It should be read in conjunction with the Terms of Use and other governance documents to understand the full set of rules and protections applicable to the infrastructure.
Security Governance
Security within the D4Science infrastructure is managed through a structured governance model that assigns clear responsibilities to specific roles. This model ensures that security is not treated as an isolated function, but as an integral part of infrastructure operation, maintenance, and evolution.
Infrastructure Roles
Infrastructure Operator: The infrastructure is operated by the Consiglio Nazionale delle Ricerche (CNR) through ISTI. The D4Science Working Group is responsible for its overall operation, including the implementation of security measures, operational controls, and service continuity practices.
Information Security Manager: Plays a central role in coordinating security activities. Responsible for defining security policies, monitoring the security posture, and ensuring practices evolve in line with emerging threats, reflecting the accountability principles of the NIS2 Directive.
System Administrators: Formally appointed personnel responsible for technical operation and security. Responsibilities include implementing technical security controls, monitoring activity and logs, maintaining authentication systems, and ensuring backup and recovery procedures.
Technical Support Personnel: Assist system administrators in maintaining services and responding to issues. They may perform maintenance, monitor behavior, and contribute to incident resolution under supervision.
Security Principles
The security model of D4Science is based on a set of core principles that guide operational and technical decisions:
- Confidentiality: ensuring that information is accessible only to authorized users.
- Integrity: ensuring that systems and data are protected against unauthorized modification.
- Availability: ensuring that services remain accessible and reliable.
- Traceability: ensuring that relevant actions can be monitored and audited.
These principles are aligned with recognized best practices and with the risk-based approach promoted by the NIS2 Directive.
Access Security, Logging and Monitoring
Access is controlled through the Identity and Access Management (IAM) system, supporting federated identities and multi-factor authentication. Authorization is enforced through Virtual Research Environments, which define the security context.
Monitoring and logging are essential to ensure secure operation. D4Science maintains logs that record authentication events, system access, and administrative operations. Authentication logs include user identifiers and timestamps and are retained for at least six months.
Infrastructure Protection, Backup and Recovery
Technical and organizational measures include network protection (firewalls), monitoring and alerting, software updates, and patching. To ensure resilience and continuity, data are periodically backed up and procedures are in place to restore services in the event of failures or disruptions.
Security Incident Management
Security incidents include unauthorized access attempts, compromised credentials, malicious software, or abnormal service behavior. Incidents are detected via automated monitoring, log analysis, or user reports.
When an incident is detected, the infrastructure operator will assess its severity, contain its impact, investigate its cause, and restore affected services. In some cases, services may be temporarily restricted or suspended to protect users and communities.
User Responsibilities
Security is a shared responsibility. Users must protect their credentials, avoid sharing authentication tokens, and report suspicious activity. Users must not attempt to bypass security mechanisms or interfere with infrastructure monitoring.
Compliance, Continuous Improvement and Updates
Security practices are regularly reviewed to ensure compliance with legal requirements and security standards. This policy may be updated to reflect changes in infrastructure services or regulatory requirements; updated versions will be published through official D4Science channels.