comments on SCI 0.95 paper - 2 March 2013 (Bob Cowles)

You have clearly put in a LOT of work on the document and it enumerated the issues well.

------------------------

(1) The governing principles are missing some mention of active monitoring to detect and reduce the impact of a security incident.

(2) [OS2] Patch application also needs to be verified.

(3) [OS4] The requirement should be for an ongoing program, not just having the "capability" to detect possible intrusions.

(4) [OS5], [OS6] I would claim you need to substitute "authorised" [sic] for "authenticated", the goal being to keep their access consistent with their authorization.

(5) [OS6], [OS7] It would be better to have a "documented process" rather than a "capability".

(6) [IR3] What is meant here by "capability"? Does this mean "have a speakerphone for conference calls" or "have clearance from management and legal to collaborate with and share intrusion information with external entities"?

(7) [IR4] I can't read this and immediately understand what it means -- too complex.

(8) [TRx] There is no requirement for protecting the integrity of the logged information, nor for documenting the controls as to how that is achieved.

(9) I don't think 5.1 makes sense. An individual user can't be expected to read and comply with the AUPs of all potential service providers. What we implemented with the grid agreements was that there was a general AUP such that the user agreed to only perform work within the scope of the Collection (e.g. VO), and that the service providers would accept the AUP+VO.Purpose as placing satisfactory limits on what the user is allowed. A collection may want an AUP for how the collection is managed, but it is not clear that this is what is meant here.

(10) [PRRx] Aren't there requirements for availability of the offered service or resource?
------------------------------------

General comments --

(A) Aren't there some cases where we don't need that each level have all the agreements, but it is sufficient if we can add up the controls, agreements, and policies from the user through to the resource provider and the issue is covered?

(B) M users x N Collections x P providers is clearly an impossible situation. (Oh, there are also independent auditors.) This clearly requires that some consistency be placed on policies, procedures, and practices.

---------------------------------

Minor typos ---

TR text, second paragraph, last line -- contains American spelling of "authorize"; "authorise" is used elsewhere.

Requirements in the TR section say the infrastructure must "provide" rather than "have". What is the reason for using a different word? Same for section 5.1; other subsections use "have".

There is inconsistent use of the terms "service providers" and "service operators", and they are sometimes included with "resource providers" (sometimes capitalized) and sometimes not.

[PRC3-6], [PRR1-5] Inconsistent capitalization (and spacing) of the first word of the item.

There is a hanging bullet in the Legal section.