Defines the security governance model of the D4Science infrastructure, including roles, protection measures, monitoring, incident response procedures, and alignment with GDPR and NIS2 principles.
1. Purpose and Scope
The D4Science infrastructure supports a wide range of scientific activities and communities, providing access to shared resources, data, and computational services. Ensuring the security of the infrastructure is therefore essential to protect both the platform itself and the research activities it enables.
This Security and Incident Response Policy defines the principles, governance model, and procedures adopted to safeguard the infrastructure against security threats and to ensure a coordinated response to incidents.
The policy aims to protect the confidentiality, integrity, and availability of systems and data, ensure a consistent and proactive approach to cybersecurity risks, define responsibilities for security management, and establish procedures for incident detection and response.
This policy applies to all infrastructure components, services, and users interacting with D4Science. It contributes to compliance with the General Data Protection Regulation (GDPR), the principles of the NIS2 Directive, and applicable national and institutional security frameworks.
2. Security Governance
Security within the D4Science infrastructure is managed through a structured governance model that assigns clear responsibilities to specific roles.
This model ensures that security is not treated as an isolated function, but as an integral part of infrastructure operation, maintenance, and evolution.
3. Infrastructure Operator
The infrastructure is operated by the Consiglio Nazionale delle Ricerche (CNR) through the Institute of Information Science and Technologies (ISTI).
The D4Science Working Group is responsible for the overall operation of the infrastructure, including the implementation of security measures, operational controls, and service continuity practices.
Security is therefore embedded in the day-to-day management of the infrastructure and in the way services are designed and maintained.
4. Information Security Manager
The Information Security Manager plays a central role in coordinating security activities within the infrastructure.
This role is responsible for defining and maintaining security policies, monitoring the security posture of the infrastructure, coordinating responses to security incidents, and ensuring that security practices evolve in line with emerging threats.
This governance function reflects the accountability and oversight principles promoted by the NIS2 Directive.
5. System Administrators
System administrators are formally appointed personnel responsible for the technical operation and security of infrastructure systems.
Their responsibilities include managing infrastructure components and services, implementing technical security controls, monitoring system activity and logs, maintaining authentication systems, and ensuring backup and recovery procedures.
Their work is governed by institutional rules and contributes directly to the secure and reliable operation of the infrastructure.
6. Technical Support Personnel
Technical support personnel assist system administrators in maintaining infrastructure services and responding to operational issues.
They may perform maintenance activities, monitor system behaviour, support backup and recovery procedures, and contribute to incident resolution under the supervision of authorized personnel.
This support function helps ensure continuity and responsiveness across the infrastructure.
7. Security Principles
The security model of D4Science is based on a set of core principles that guide operational and technical decisions.
These include confidentiality, ensuring that information is accessible only to authorized users; integrity, ensuring that systems and data are protected against unauthorized modification; availability, ensuring that services remain accessible and reliable; and traceability, ensuring that relevant actions can be monitored and audited.
These principles are aligned with recognized best practices and with the risk-based approach promoted by the NIS2 Directive, which emphasizes prevention, detection, response, and resilience.
8. Access Security
Access to D4Science services is controlled through the Identity and Access Management (IAM) system.
The IAM system supports federated identities, local accounts where permitted, and optional multi-factor authentication. Authorization is enforced through Virtual Research Environments, which define the security context in which users operate.
This model ensures that access is restricted to authorized users, permissions are managed at the community level, and services remain protected from unauthorized use.
9. System Logging and Monitoring
Monitoring and logging are essential to ensure the secure operation of the infrastructure and to support incident investigation and operational diagnostics.
D4Science maintains logs that record authentication events, system access, and administrative operations. These logs are used to detect anomalies, investigate incidents, and support the secure management of services.
Authentication logs include user identifiers and timestamps and are retained for at least six months, in accordance with security and regulatory requirements.
10. Infrastructure Protection Measures
D4Science implements a combination of technical and organizational measures to protect its systems and services.
These include network protection mechanisms such as firewalls, monitoring and alerting systems, authentication and access control mechanisms, software updates and patching, and backup and recovery procedures.
These controls are regularly reviewed to ensure that they remain effective against evolving threats and operational requirements.
11. Backup and Recovery
To ensure resilience and continuity, D4Science implements structured backup and recovery mechanisms.
Data stored within the infrastructure are periodically backed up, and procedures are in place to restore services in the event of failures, operational incidents, or other disruptions.
These capabilities are essential to maintaining trust in the infrastructure and to ensuring that services remain dependable for scientific communities.
12. Security Incident Management
Security incidents are events that may compromise the normal operation of the infrastructure or the security of its systems and data.
Such incidents may include unauthorized access attempts, compromised credentials, malicious software, exploitation of vulnerabilities, or abnormal service behaviour.
13. Incident Detection
Incidents may be detected through automated monitoring systems, analysis of operational logs, or reports submitted by users and administrators.
The ability to identify incidents promptly is a fundamental element of infrastructure resilience and supports the timely application of corrective measures.
14. Incident Reporting
Users and administrators are encouraged to report suspected incidents as soon as possible.
Reports should be submitted through the D4Science support portal: https://support.d4science.org
Timely reporting is essential to limit the impact of incidents and to support effective investigation and response.
15. Incident Response
When an incident is detected, the infrastructure operator will assess its severity, contain its impact, investigate its cause, and restore affected services where necessary.
In some cases, services may be temporarily restricted or suspended in order to ensure the security of the infrastructure and protect users and communities.
The incident response process aligns with the principles of the NIS2 Directive, emphasizing rapid response, risk mitigation, and service continuity.
16. User Responsibilities
Security is a shared responsibility. Users are expected to protect their credentials, avoid sharing authentication tokens, and report suspicious activity or behaviour that may affect the infrastructure.
Users must not attempt to bypass security mechanisms or interfere with infrastructure monitoring. Respecting these obligations is essential to maintaining a trustworthy and secure environment for all communities.
17. Compliance and Continuous Improvement
Security practices within D4Science are regularly reviewed to ensure compliance with applicable legal requirements, institutional policies, and recognized security standards.
This continuous improvement approach helps ensure that the infrastructure remains resilient over time and capable of adapting to new threats and changing operational needs.
18. Policy Updates
This policy may be updated to reflect changes in infrastructure services, security practices, regulatory requirements, or governance arrangements.
Updated versions will be published through official D4Science channels and will become applicable from the effective date indicated in the document.
19. Contact
Security concerns and incident reports should be submitted through: https://support.d4science.org
20. Policy Framework
This document forms part of the D4Science Policy Framework.