Information Security
| Question/ Answer | |
| Q | Policy – Which Information Security Policy is being followed? |
| A | KNAW follows the guidelines of BIHO. |
| Q | ISO 27001 – Is DANS ISO 27001 certified? |
| A | No, DANS is currently not certified. DANS will consider a certification process from 2023 onwards. |
| Q | ISO 27001 – Are the DANS Sub-processors ISO 27001 certified? |
| A | The data storage for DANS Products and Services is purchased via Surf-Cumulus (SURFnet) from Vancis CM&S. The data and backup of the data are stored in the Interxion data center on hardware from Vancis CM&S in Amsterdam and Schiphol-Rijk. Vancis CM&S is ISO27001 and Nen7510 certified |
| Q | ISO 27001 – Does DANS mointor the certification of subprocessors? |
| A | At the moment, no. KNAW has started a project (Q2 2022) to monitor sub-processor compliance. |
| Q | Access – Do DANS employees or subprocessor employees have access to the data? |
| A | A limited number of people within DANS (the functional manager, the application manager and the replacements who have Superuser (Admin) rights within the application or service) have access. Furthermore, there are system administrators who have access to the servers and all files on them. In principle, these people can access the data, but they cannot delete the backup. Like all DANS employees, they have signed a confidentiality agreement. DANS has an SLA with VANCIS CM&S via the KNAW, security measures are part of this and available on request. |
| Q | Access – What agreements are made about this with the (DANS) employees and is access to data and infrastructure logged? |
| A | All employees at DANS have signed a non-disclosure agreement. Access to the infrastructure is logged (centrally). Access to data is logged from that applicable application or service. |
| Q | Accessibility – Is Dataverse WCAG compliant? To which level? |
| A | In recent years Harvard has worked hard on WCAG compliance, and most of the issues have been resolved. The UI is not quite WCAG 2.1 compliant yet. An initiative has recently been launched to tackle this. |
| Q | CoreTrustSeal – Is DataverseNL CoreTrustSeal certfiied? |
| A | DataverseNL as a service itself is not certified because CoreTrustSeal never only certifies the ‘repository software’ itself. The work processes, governance and sustainability surrounding it must also be certified. So a CoreTrustSeal must be requested by the institute that uses DataverseNL. For example, Tilburg University has certified its dataverse within DataverseNL. If an institute itself wants to request a CoreTrustSeal for its dataverse within DataverseNL, DANS is of course always willing to assist. |
| Q | CoreTrustSeal – Is EASY CoreTrustSeal certified? |
| A | Yes, and re-certified at the end of 2021 for another three years. |
| Q | CoreTrustSeal – Are the Data Stations CoreTrustSeal certified? |
| A | Certification is not possible before the Data Station is operational. Certification will be requested end of Q2 2022. |
| Q | CoreTrustSeal – Is the Vault Service CoreTrustSeal certified? |
| A | The Vault Service itself is not certified because CoreTrustSeal never only certifies the ‘repository software’ only. The work processes, governance and sustainability surrounding it must also be certified. ACoreTrustSeal must be requested by the institution using the Vault Service. |
| Q | Encryption – Is the data at-rest (on the server) encrypted? |
| A | The operational version of the data is not encrypted. The backup copy is. This situation will change in the near future with the transition to object storage at SURF. When this is realized, we will update the documentation with the new situation. |
| Q | Test – Is a security test periodically performed on DANS Services and Applications? |
| A | DANS continuously monitors security advice and information about vulnerabilities, and regularly updates and patches the software based on this. In case of a serious threat, this is carried out immediately.
Penetration tests have been performed periodically in the past. |
| Q | Test – Are institutes informed about this? |
| A | Not at the moment. Institutes and users are informed in the event of an incident. |
| Q | Security – Are DANS applications and services protected against malware/DDoS and are irregular usage patterns detected, e.g. if suddenly a lot of accounts are created? |
| A | Network traffic is monitored by KNAW and soon also by an external party at national level. We also use SURFnet’s DDoS protection. DANS is currently also implementing hardware protection measures. |
| Q | Security – Or if an exceptionally large amount of data is uploaded? |
| A | Monitored via network traffic. |
| Q | Security – Is access blocked after a certain number of login attempts? |
| A | Yes. |
| Q | Security – Is there a strong password policy for user accounts? |
| A | It is advised to use SURFconext. It is also possible to create a local user account. Passwords must meet minimum strength requirements. |
| Q | Integrity/ Continuity – Are updates/new versions of Dataverse first tested in a test or acceptance environment? |
| A | Dataverse is open source software and is used by more than 67 institutions. New versions of the software are extensively tested by this Dataverse community prior to release. DANS uses an OTAP sequence for the installation of DataverseNL and the Data Stations. Before a release, the new version is tested on the Acceptance server by the local administrators of the institutions (DataverseNL) and by the Functional Controllers at DANS (All products and services). |
| Q | Integrity/ Continuity – Are draft datasets backed up? |
| A | The backups are run daily (every evening). The backup also contains draft datasets, only drafts that are created and deleted during the same day are not included in the backup. |
| Q | Backup – Can an institution claim a backup in case of user errors, e.g. if user accidentally deleted a draft dataset? |
| A | Deleting a draft by accident is not that easy. To delete a draft, you have to consciously go to the delete button, then also confirm with the message that the dataset will actually be deleted. Using the backup in case of user errors is time-consuming because the backup is a joint service across all our platforms. Published datasets cannot be removed, but are set to deaccessioned, and a tombstone is placed to indicate why the dataset was removed and where possible the data can now be found. In exceptional cases (legally mandated) datasets and their backups will be removed completely. Please note: DANS only takes responsibility for the dataset when it has been submitted for publication, not in draft form. |
| Q | Versions – Does DANS/DataverseNL have log files in which access and changes to datasets are kept? |
| A | Changes to published datasets are always logged by Dataverse. Changes are processed in so-called minor and major versions. The differences between the version can also be viewed by everyone on the dataset page. In addition, the application manager can search in the database for changes made by each user. |
| Q | Logs – Can an institute, as part of an audit or following an incident, have access to the relevant part of the log file? |
| A | Yes. DANS will ensure that the privacy of users is guaranteed. This means that usernames and IP addresses will be anonymized. Log files do not remain available forever. System logs and web server logs are rotated monthly by default for the retention time of 3 months. Mutations are logged as ‘action’ in a database table with a timestamp. |
| Q | Rollen – Is it possible to completely delete a dataset only at the request of the institute or the depositor? |
| A | Published datasets cannot be removed, but are set to ‘deaccessioned’, and a tombstone is placed to indicate why the dataset was removed and where possible the data can now be found. Setting a dataset to ‘deaccessioned’ can be performed by the person with the admin role or curator role for the dataset in question. It is up to the institute itself to whom these rights are granted. In exceptional cases (legally mandated) datasets and their backups will be removed completely. |
| Q | Roles – Is there a clearly defined process for such requests (also to avoid social engineering, etc.)? |
| A | Yes. A request is handled via ticket system. Total deletion of a dataset is handled on request. |
| Q | Process – Is there a procedure to follow if it is determined that a user or organization does not comply with the Terms of Use? |
| A | If, for whatever reason, it is decided to end the collaboration, it will be discussed in close consultation how to proceed with the datasets. This takes into account the fact that a published dataset has a DOI, and that this DOI must always remain resolvable. For institutes with a cooperation agreement, the relevant article applies here, ‘Procedure for removing datasets upon termination of an agreement’. There is a period of 3 months in which unpublished datasets can be removed or published by the institute. All published datasets will be set to ‘deaccessioned’ after this period, and the tombstone of a published dataset can contain a description of why the dataset is no longer available and where it can be found. |
| Q | Process – Is it possible to also show the email address of the user when assigning rights (“assign roles to users/groups”)? |
| A | Only first/last name and username are visible. |
| Q | Roles – Which role(s) can deaccession a dataset? |
| A | This can be the Admin role and the curator role, so the people who are allowed to publish the dataset can also set it to deaccessioned. For DataverseNL, it is the intention that only a limited number of people per institute will be given this role. But it is up to the institute itself how this is set up. |
| Q | Roles – Looks like a curator can assign the curator role to another user (but only for specific datasets?). |
| A | Yes, this is possible. For DataverseNL: It is important here that the roles and rights of a dataverse are inherited by the dataset created in this dataverse. An admin of a dataverse is also admin of the underlying dataset. For the curator role it matters whether it is assigned at the dataset level or at the dataverse level. A curator of a dataverse can, for example, create sub-dataverses again, and view unpublished datasets in the relevant dataverse. When this role is assigned at the dataset level, these rights do not exist. |
| Q | Roles – Can only the institute admin appoint an extra curator for an entire (sub) dataverse? |
| A | Mostly applicable to DataverseNL: Inheritance of roles and permissions does not happen from dataverse to subdataverse. An admin of a dataverse therefore does not always have admin rights on the subdataverse below. (Unless this admin has created the relevant subdataverse himself.) The curator can make another user curator of his/her dataset. |
| Q | Roles – Does a Dataset Creator automatically also get rights as mentioned with Contributor (can edit own dataset drafts)? |
| A | Mostly applicable to DataverseNL: Dataset creator is a role at the dataverse level and allows someone to create datasets in a dataverse. At the institute, these people are then automatically Curators (role at dataset level). You can edit and publish your own dataset. A contributor cannot publish datasets themselves. |