Data Security Policy

This webpage represents the Data Security Policy for the CompBioMed Centre of Excellence, and is separate from yet complementary to our Data Privacy Policy. The webpage is designed to make our users aware that their data and source code are handled in a safe and secure manner when using our services, such as our parallelisation or scaling services, that run on CompBioMed's High Performance Computing (HPC) infrastructure.

The CompBioMed HPC infrastructure includes CPU- and GPU-clusters, along with short to long term storage media which reside in all of our four HPC Centres, namely, in alphabetical order, BSC, EPCC, LRZ, and SURFsara. Given each Centre has its own Data Security Policy, we present each, in turn, below.

All EU CompBioMed partners, both Core and Associate, fully comply with the EU GDPR.

How to contact us

Project manager:
Emily Lumley
UCL Department of Chemistry
20 Gordon Street
London WC1H 0AJ
Contact: e.lumley@ucl.ac.uk

Data Security Policies of the HPC Centres

The Barcelona Supercomputing Center provides security tools for its infrastructure to guarantee the security of scientific data across its whole lifecycle, covering user access control and security incident reporting.

The BSC policy is compliant with applicable local privacy legislation, addressing its practices relating to the collection, use, disclosure, retention and disposal of scientific and personal data. The BSC monitors and enforces compliance with its own privacy policy through internal and external auditing. The privacy policy is applied to the secure transfer of incoming and outgoing data, and the transfer system is able to generate reports indicating the date, time and mode of transfer of such data.

BSC retains data in a secure manner, considering the European Policies and Guidelines related to secure retention of records.

Users seeking access to BSC data authenticate using credentials that are authorized against a database of accounts. The access and authorization procedure shall be established in the DMP (data management plan) of each project and should be followed and monitored.

In the event of a breach or suspected breach of security, where data has been stolen or lost, a person has obtained unauthorized access to data, or BSC has used, disclosed or disposed of data other than as contemplated, BSC shall, at the first reasonable opportunity, follow the agreed procedure and take the steps that are reasonable in the circumstances to contain the breach and to contain the theft, loss or access by unauthorized persons. BSC provides a risk treatment procedure defining the measures for risk treatment and their applicability.

BSC prevents unauthorized access to data and unauthorized execution or installation of software. The administrative, physical and technical measures adopted are in line with industry standards.


EPCC delivers National HPC Services including ARCHER, the UK National Science Supercomputer funded by UKRI, which is used by more than 5000 researchers from across the UK and beyond. It also operates an increasingly high-profile portfolio of data services, including the National Safe Haven on behalf of NHS Scotland. This will expand further with the launch of the Edinburgh International Data Facility in 2020. Key to the success of EPCC in providing data services is the trust of its customers that it follows best practice in information security and data handling.

To reflect the importance it places on information security, EPCC has invested the time and effort in obtaining and retaining ISO 27001 certification. This was first obtained in 2018 and retained in 2019, with the current certification valid until 2021. ISO 27001 is an internationally recognised standard for best practice in information security; it requires the creation of an Information Security Management System and an annual external audit by an approved accreditation body to ensure compliance with the 114 security controls involved. The scope of certification for EPCC covers all the services we run on machines hosted at the ACF, our datacentre. To ensure a consistent process-based approach to the delivery of National Services, including ARCHER, EPCC has also obtained and retained ISO 9001 certification, the internationally recognised quality management standard. The application of the two standards ensures that EPCC has a framework and processes to deliver services safely and consistently and to facilitate continual service improvement.


The Leibniz Supercomputing Centre (Leibniz-Rechenzentrum, LRZ) of the Bavarian Academy of Sciences and Humanities is the IT service provider for all Munich universities as well as a growing number of research organisations throughout Bavaria. In addition to this regional focus, LRZ also plays an important role as one of the members of the Gauss Centre for Supercomputing (GCS), delivering top-tier HPC services at the national and European level. For example, LRZ operates SuperMUC-NG, which provides a peak performance of 26.9 Petaflops and therefore ranks among the most powerful supercomputers in the world. Throughout the entire computing process, the LRZ focuses closely on supporting our users so they can take optimal advantage of all the resources we have to offer.

The LRZ operates an integrated IT service and information security management system (I/SMS) according to the international standards ISO/IEC 20000-1 and ISO/IEC 27001. Certification was obtained in 2019 and retained in 2020. The I/SMS controls and coordinates the activities in IT service and information security management, and ensures that the skills and processes of the LRZ are used in such a way that the service and security requirements are planned, introduced, delivered and continuously improved accordingly. The scope of the I/SMS covers all the services LRZ provides.

The I/SMS ensures that people, processes and technology are used in a coordinated manner to plan, execute, monitor and continuously improve management tasks as they arise. The LRZ I/SMS policy considers both ISMS and SMS aspects and is the basis for all further topic-specific security policies, processes and procedures, which make the specifications concrete in order to achieve the specified objectives.

One of these objectives is the development, provision, administration and improvement of IT services. In addition to the normative specifications from ISO/IEC 20000-1 and ISO/IEC 27001, especially the more than 100 controls in Annex A, the defined processes and procedures are aligned with the best practices of the German Federal Office for Information Security (BSI).


SURFsara provides ICT services for Dutch education and research. SURFsara offers a wide range of services in the field of high performance computing (HPC), such as the Dutch National Supercomputer, Cartesius, the LISA compute cluster and HPC Cloud services. SURFsara also offers services to facilitate Research Data Management, such as the Data Archive for long-term preservation of data, the EPIC Persistent Identifier (PID) service, and iRODS-based services for data management. Customers of SURFsara services must be confident that research data and other confidential information stored and processed at SURFsara are in safe hands.

SURFsara is ISO/IEC 27001 certified, which means that we comply with the high requirements of this international standard in the field of information security. The set of procedures that satisfies the ISO/IEC 27001 requirements is called the Information Security Policy. We have a dedicated security team which develops and evaluates workable policies and associated procedures to guarantee the general level of security within SURFsara. Taking into account the requirements of, and compliance with, the General Data Protection Regulation (GDPR), an extension and generalisation of the Information Security Policy has been made, called the Baseline Information Security SURF (BIS). The BIS includes all organisational and technical measures which both the organisation as a whole and all the services and systems where information is processed must meet. The Executive Board of SURFsara is ultimately responsible for integral security and for the design, operation and implementation of all security frameworks in the organisation. SURFsara also uses the FitSM lightweight standards for IT Service Management to bring order, traceability and practical support to IT service delivery.