Security Plan

From BCOeditor Wiki

Introduction

Purpose

The purpose of the BioCompute Security Plan Document is to set out a comprehensive framework that articulates the security policies, objectives, and measures tailored to protect the confidentiality, integrity, and availability of the BioCompute platform. This document serves as a reference for stakeholders, providing an overview of the security controls and processes designed to preserve the credibility and reliability of BioCompute Objects.

This document not only delineates security policies and objectives but also integrates essential guidelines to uphold the security and integrity of data and systems within the BioCompute platform. Incorporating recognized standards and best practices is fundamental to achieving this goal. Adherence to influential frameworks such as ISO/IEC 27001 and NIST SP 800-53 establishes a systematic approach to managing security risks, while the NIST Cybersecurity Framework offers a risk-based methodology. Factor Analysis of Information Risk (FAIR) contributes a structured risk management framework, GDPR and HIPAA compliance safeguards personal and healthcare data, and data integrity best practices ensure the sanctity of information. Robust access controls, encryption standards, and regular security audits collectively fortify the BioCompute system, acknowledging the need for adaptability based on data nature, legal obligations, and regulatory nuances. Through these measures, the BioCompute Security Plan strives to create a resilient and trustworthy environment for its users.

Scope

This document encompasses all BioCompute users, employees, data repositories, and operational processes interwoven with the BioCompute platform. This Security Plan covers the full range of security considerations, presenting a coherent and integrated approach designed to safeguard the platform's integrity and confidentiality.


Document Revision History

Last Amended Date: 12/18/2023

Next Review Date: 1/19/2023

Security Policy Statement

Commitment to Information Security

Our unwavering commitment to information security is a resolute dedication demonstrated by GWU in securing and preserving scientific data within the BioCompute platform. Echoing the principles set down in the Commonwealth of Virginia Information Technology Resource Management (COV ITRM) Security Standard SEC501, our commitment aligns with industry standards, assiduously safeguarding user data and ensuring unswerving compliance with regulatory imperatives.

Security Objectives

The main objectives of this policy are:

  1. Confidentiality, Integrity, and Availability: The foremost goal is to ensure that the confidentiality, integrity, and availability of data are maintained. This involves implementing robust measures to prevent unauthorized access (confidentiality), maintaining the accuracy and reliability of data (integrity), and ensuring uninterrupted access for authorized users (availability).
  2. Compliance with Security Regulations and Standards: BioCompute is steadfast in its commitment to compliance. The platform adheres rigorously to all relevant security regulations and standards. This includes but is not limited to the Commonwealth of Virginia Information Technology Resource Management (COV ITRM) Security Standard SEC501, PL-1, PL-2, PL-3, PL-4, and PL-6.
  3. Continuous Monitoring and Improvement: A proactive stance is taken towards security by instituting continuous monitoring and improvement practices. BioCompute undergoes comprehensive assessments to evaluate the efficacy of security measures and quality of services. This iterative approach ensures that the platform evolves in response to emerging user needs and industry advancements.
  4. Clear Explanation of System Requirements: BioCompute recognizes the importance of clarity in system requirements. Another objective is to provide a lucid and comprehensive explanation of the system's requirements. This not only aids users and administrators in understanding their roles but also facilitates effective implementation of security measures.

These security objectives collectively form the cornerstone of BioCompute's commitment to robust and resilient security practices. By addressing core principles such as data protection, compliance, continuous improvement, clarity in requirements, and controlled access, BioCompute establishes a holistic security framework that aligns with industry best practices and evolving standards.

Scope and Applicability

Covered Systems and Data

The security measures outlined in this plan encompass the entirety of the BioCompute system, ensuring comprehensive protection of user data and stored metadata. This includes but is not limited to:

  • User Data: All personally identifiable information (PII) and user-related data within the BioCompute system are subject to stringent security measures. Protection mechanisms extend to cover data related to user authentication, authorization, and any other information linked to individual user profiles.
  • Stored Information: Security protocols are implemented to safeguard all forms of stored information, including Biocompute Objects (BCOs) and associated metadata. The coverage spans the entire lifecycle of stored information, from submission to retrieval, ensuring data integrity and confidentiality at every stage.
  • System Components: Security controls apply to all components and modules within the BioCompute system. This encompasses databases, application servers, communication channels, and any other elements that contribute to the functionality of the BioCompute environment.
  • Interconnected Systems: Where applicable, security measures extend to interconnected systems, ensuring a secure flow of data and information between integrated platforms. This includes third-party integrations, data exchanges, and any interfaces that facilitate communication between the BioCompute system and external entities.
  • Comprehensive Coverage: The scope of security coverage is designed to address potential vulnerabilities across all layers of the BioCompute architecture. This includes the application layer, network infrastructure, and data storage, creating a robust defense against diverse security threats.

This plan is applicable to all users, administrators, and stakeholders involved in the BioCompute system. By delineating the specific areas of coverage, we establish a clear framework for safeguarding sensitive information and maintaining the overall security posture of the BioCompute ecosystem. Regular assessments and updates will be conducted to adapt to evolving security challenges and technological advancements.

System Functionality Overview

The BioCompute platform is designed with a multifaceted and user-centric approach, integrating a range of functionalities to meet the diverse needs of its users. This section provides an overview of the core system functionalities, emphasizing key aspects that contribute to the platform's effectiveness and user satisfaction.

  • BioCompute Object Creation and Management: The cornerstone of the BioCompute platform is the creation and management of BioCompute Objects (BCOs). Users can seamlessly generate BCOs, encapsulating computational workflows, data processing steps, and metadata. The platform ensures robust management capabilities, allowing users to organize, version, and retrieve BCOs efficiently.
  • Workflow Design and Customization: BioCompute facilitates the design and customization of computational workflows, providing users with a flexible and intuitive interface. Users can construct and tailor workflows to specific analysis requirements, incorporating diverse tools and algorithms for optimal results.
  • Collaboration and Knowledge Sharing: Collaboration is at the core of BioCompute's functionality, enabling users to collaborate on the development and refinement of computational workflows. The platform facilitates knowledge sharing through shared repositories, enhancing collaboration among researchers, bioinformaticians, and other stakeholders.
  • Security and Access Controls: Security is paramount in the BioCompute platform. Robust access controls, including role-based access control (RBAC) and encryption standards, are implemented to safeguard sensitive data and ensure that only authorized individuals have access to specific functionalities within the system.
  • Integration with External Tools and Databases: BioCompute is designed to seamlessly integrate with external bioinformatics tools and databases, expanding its capabilities and providing users with a comprehensive toolkit. This integration enhances the platform's versatility, allowing users to leverage a wide range of resources in their analyses.
  • User-Friendly Interface and Documentation: The user interface of BioCompute is intuitively designed to enhance user experience. Additionally, comprehensive documentation is provided to guide users through the functionalities and best practices, ensuring that users can effectively harness the full potential of the platform.
  • Compliance with Standards and Best Practices: BioCompute adheres to relevant industry standards and best practices, ensuring that analyses conducted on the platform meet established criteria for reproducibility, transparency, and data integrity. Compliance with standards such as ISO/IEC 27001 and NIST SP 800-53 is integral to the platform's functionality.
  • Scalability and Performance Optimization: As computational demands evolve, BioCompute is engineered for scalability. The platform optimizes performance, ensuring efficient processing of large datasets and complex analyses. This scalability is vital to accommodate the varying needs of users and evolving bioinformatics challenges.

In essence, the BioCompute platform seamlessly integrates a suite of functionalities to empower users in the design, execution, and collaboration of bioinformatics analyses. The platform's versatility, security measures, and adherence to industry standards collectively contribute to a robust and user-friendly environment that facilitates impactful scientific research and analysis.

Regulatory Compliance in BioCompute Security Plan

  • SEC501: Commonwealth of Virginia Information Technology Resource Management (COV ITRM) Security Standard: SEC501 represents the comprehensive security standard established by the Commonwealth of Virginia Information Technology Resource Management. It serves as a foundational framework, outlining security measures and practices that BioCompute adheres to, ensuring alignment with state-level security guidelines.
  • ISO/IEC 27001: Information Security Management System (ISMS) Standard: ISO/IEC 27001 sets the global standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Adhering to this standard ensures a systematic and comprehensive approach to managing security risks within the BioCompute platform, providing a robust foundation for safeguarding information.
  • NIST Framework (NIST SP 800-53): Security and Privacy Controls for Federal Information Systems and Organizations: The National Institute of Standards and Technology (NIST) Framework, specifically outlined in NIST SP 800-53, offers a comprehensive set of security and privacy controls for federal information systems. BioCompute incorporates these controls to enhance security measures, aligning its practices with recognized federal standards and ensuring the confidentiality, integrity, and availability of information.
  • IEEE 2791-2020: IEEE 2791-2020 focuses on accessibility and interoperability standards, improving communication and acknowledging the importance of making information and technology accessible to all users. By adhering to this standard, BioCompute emphasizes inclusive design and operational practices, ensuring that its platform is accessible and interoperable across various systems and user requirements.

Incorporating these regulatory compliance standards into the BioCompute Security Plan establishes a robust foundation for security measures. By addressing regional, international, and industry-specific standards, BioCompute not only ensures legal adherence but also fosters a secure and inclusive environment for its users and stakeholders.

Roles and Responsibilities

This section delineates the distinct roles and corresponding responsibilities of key stakeholders involved in upholding the security policies of the BioCompute platform. Each role plays a crucial part in ensuring the robustness, integrity, and confidentiality of BioCompute systems.

Roles Responsibilities
System Managers
  • Testing and Maintenance: System Administrators are tasked with the ongoing testing and maintenance of BioCompute security protocols. This involves regularly assessing the effectiveness of existing security measures and implementing updates as needed to counter emerging threats.
  • Documentation Development: System Administrators contribute significantly to the documentation aspect, playing a pivotal role in developing and updating documentation related to BioCompute systems. This includes the comprehensive Security Plan and testing documentation for the BioCompute portal.
Project Managers
  • Strategic Planning: Project Managers are central to the strategic planning aspects of BioCompute security. They play a key role in aligning security objectives with broader project goals, ensuring that security measures are integrated seamlessly into project timelines and milestones.
  • Resource Allocation: Project Managers are responsible for resource allocation, ensuring that the necessary personnel, tools, and technologies are dedicated to implementing and maintaining BioCompute security measures effectively.
Outreach Personnel
  • Confidentiality Commitment and User Education: Outreach personnel ensure the confidentiality and security of user information collected during outreach and are responsible for informing users about data handling practices, fostering trust in outreach interactions.
  • Policy Adherence: Stay updated on privacy policies and guidelines, and ensure that all outreach practices align with the organization's privacy and data protection policies.
  • Response to Concerns: Address user concerns regarding privacy promptly and effectively, demonstrating a commitment to resolving any issues related to the handling of personal information.
  • Secure Communication: Utilize secure channels to prevent unintended disclosure of sensitive data.
Technical Personnel
  • Implementation and Integration: Technical Personnel are instrumental in the implementation and integration of security measures within BioCompute systems. This involves translating security plans into actionable steps, configuring systems, and deploying necessary technologies to fortify the platform.
  • Incident Response: In the event of security incidents, Technical Personnel are at the forefront of incident response. Their responsibilities include swift identification and resolution of security issues, minimizing potential impacts on the platform and user data.
Users
  • Compliance: Users are pivotal in adhering to security protocols and guidelines outlined within the BioCompute platform. Compliance with established security measures, including password policies and access controls, contributes significantly to the overall security posture.
  • Reporting Concerns: Users play an essential role in the security ecosystem by promptly reporting any security concerns or anomalies they may observe. Their vigilance is crucial in maintaining a proactive and responsive security environment.

This delineation of roles and responsibilities forms the foundation of a collaborative and effective security framework for BioCompute. By assigning specific tasks to each stakeholder group, the platform ensures a comprehensive and well-coordinated approach to security management. Regular communication and training initiatives further reinforce the shared responsibility of maintaining a secure and resilient BioCompute ecosystem.

Information Contacts

Name Title Email
Raja Mazumder Principal Investigator mazumder@gwu.edu
Jonathon Keeney Co-Principal Investigator keeneyjg@gwu.edu
Hadley King Technical Lead hadley_king@gwu.edu
Tianyi Wang Outreach Lead twang@email.gwu.edu
Chinweoke Okonkwo Operations Lead s.okonkwo@gwu.edu

Physical Security

Hardware Protection

The BioCompute system, consisting of two virtual machines hosting KBM clusters and sharing space with GlyGen, adheres to robust hardware protection measures. The underlying infrastructure is designed to ensure the integrity, availability, and security of the computational resources.

Within the BioCompute system, each virtual machine operates within a dedicated environment. These virtual machines are configured to host KBM clusters, emphasizing the importance of safeguarding both computational processes and associated knowledge bases. The hardware protection strategy is paramount to the confidentiality and proper functioning of these virtualized components. In particular, the virtualized setup involves comprehensive protection measures for the underlying hardware. This includes stringent controls on access, monitoring, and redundancy to mitigate potential risks and disruptions. The virtual machines are structured to operate in a secure and isolated manner, ensuring the integrity of data and computational processes.

Facility Access

Access to the BioCompute system's physical facility is governed by a protocol that ensures that only authorized personnel can interact with the system, maintaining a secure environment for its operations. The system is hosted at the data center located at the GW Virginia Science & Technology Campus. The data center is located in the Enterprise Hall building, which is staffed with security personnel; its three entrances require GW card access to enter the building, and additional permissions are required to access the data center itself. The physical location of the BioCompute system is subject to controlled access within the broader infrastructure of the HIVE Bioinformatics Laboratory. Access to the facility is restricted and monitored, with specific entry points requiring authentication via access cards or similar secure means. Security personnel are deployed to oversee the facility entrances, adding an additional layer of protection.

The physical facility housing the BioCompute system is equipped with surveillance cameras strategically placed to monitor access points, providing continuous oversight. Any access attempts are closely monitored to prevent unauthorized entry and to enhance the overall security posture of the system. This combination of controlled access points, security personnel, and surveillance measures ensures that the physical environment of the BioCompute system is well-protected, safeguarding against unauthorized access and potential security threats.

Access Control

User Authentication

BioCompute prioritizes secure user authentication as a foundational element of its access control strategy. This involves a meticulous process of user identity verification during login. Each user is required to authenticate using a combination of a username and password. This initial authentication step serves as a robust barrier against unauthorized access.

User Account Creation and Termination

The platform streamlines user account creation, ensuring a straightforward yet secure process for individuals seeking access. This includes collecting necessary information for account setup while adhering to data privacy standards. Conversely, when an individual's association with the platform concludes, account termination procedures are rigorously followed. This not only deactivates the user's access but also ensures proper data management and security.

Authorization and BCO API Permissions System

Authorization within BioCompute is finely tuned through the 'BCO API Permissions System.' This system governs access to specific functionalities and resources within the platform. The setting of prefixes, a critical aspect of the platform's architecture, necessitates appropriate permissions. Users must obtain explicit authorization to set prefixes, contributing to a granular and controlled access environment.

Password Policies

To fortify user accounts, BioCompute implements robust password policies. These policies include criteria for password strength, complexity, and expiration. Secure and reliable password recovery mechanisms are also in place for instances where users forget their passwords. The 'Forgot Password? Reset it Here' feature on the login page initiates a password recovery process. This process includes email verification to ensure the identity of the user and mitigate the risk of unauthorized password recovery attempts.

Password Storage and Reporting

BioCompute is committed to the secure storage of passwords, employing industry-best practices for encryption and protection against unauthorized access. In the rare event of any concerns or issues regarding password storage, users are encouraged to report them promptly. The platform provides a dedicated reporting channel accessible at BioCompute Bug Reporting. This proactive approach ensures that any potential vulnerabilities are swiftly identified and addressed through collaborative efforts.

The Access Control measures within BioCompute collectively establish a secure and controlled environment. From user authentication and account management to finely tuned authorization mechanisms and password policies, each element contributes to the overall goal of safeguarding the integrity and confidentiality of the platform and its users. Regular updates and responsiveness to user-reported concerns further exemplify BioCompute's commitment to maintaining a robust access control infrastructure.
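The password policy, recovery, and storage practices described in the two preceding sections, worked through as an added example. This is illustrative code written for this page, not BioCompute's own implementation. The thresholds (12-character minimum, four character classes, 90-day expiry, 30-minute reset-token lifetime), the PBKDF2 parameters, and every function name are assumptions; the page states only that such criteria and mechanisms exist.

```python
"""Added example: password policy checks, salted password storage, and an
authenticated, time-limited reset token. Not BioCompute's code; all
thresholds below are assumed values chosen for illustration."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MIN_LENGTH = 12                      # assumed minimum password length
MAX_AGE = timedelta(days=90)         # assumed password expiration period
RESET_TOKEN_TTL = timedelta(minutes=30)  # assumed lifetime of a reset link
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000          # order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
                "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    for name, pattern in required.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  set_at: Optional[str] = None) -> Dict[str, object]:
    """Store a salted, iterated PBKDF2-HMAC-SHA256 digest rather than the password itself.
    The record keeps the salt and iteration count so parameters can be raised later,
    plus the time the password was set, which drives the expiration check."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS,
            "set_at": set_at or datetime.now(timezone.utc).isoformat()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so that verification timing does not reveal how many leading bytes matched."""
    salt = bytes.fromhex(str(record["salt"]))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(record["iterations"]))
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["digest"])))


def is_expired(record: Dict[str, object], now: Optional[datetime] = None) -> bool:
    """True when the password is older than MAX_AGE and must be rotated."""
    now = now or datetime.now(timezone.utc)
    return now - datetime.fromisoformat(str(record["set_at"])) > MAX_AGE


def issue_reset_token(email: str, secret: bytes) -> str:
    """Build a reset token for the 'Forgot Password?' flow: the e-mail, an expiry
    timestamp and a random nonce, authenticated with an HMAC so the token cannot be
    forged or retargeted. To make the token single-use, the server should also record
    the nonce and reject it after first use (not shown here)."""
    expires = int((datetime.now(timezone.utc) + RESET_TOKEN_TTL).timestamp())
    payload = f"{email}|{expires}|{os.urandom(16).hex()}"
    mac = hmac.new(secret, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{mac}"


def verify_reset_token(token: str, email: str, secret: bytes) -> bool:
    """Accept a token only if its HMAC is valid, it was issued for this e-mail, and it has not expired."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    tok_email, expires, nonce, mac = parts
    expected = hmac.new(secret, f"{tok_email}|{expires}|{nonce}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return tok_email == email and int(expires) > int(datetime.now(timezone.utc).timestamp())


if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    print(check_policy("short"))
    rec = hash_password("Correct-Horse-Battery-9")
    print(verify_password("Correct-Horse-Battery-9", rec), is_expired(rec))
    tok = issue_reset_token("user@example.org", b"constructed-server-secret")
    print(verify_reset_token(tok, "user@example.org", b"constructed-server-secret"))
```

The storage routine uses a salted, deliberately slow hash rather than reversible encryption: a leaked table of digests then still requires a per-password brute-force effort, and no decryption key exists to be stolen. The reset token binds the e-mail address and expiry under an HMAC, which is what makes the e-mail verification step meaningful: a link that reaches the wrong mailbox, or that is altered in transit, is rejected.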

Documentation and Record-Keeping

This section outlines the meticulous documentation and record-keeping practices integral to BioCompute's commitment to transparency, accountability, and incident response readiness.

Incident Documentation

  • Incident Logging and Reporting: In the unfortunate event of a security incident, BioCompute adopts a systematic approach to incident documentation. All incidents, ranging from minor anomalies to critical breaches, are logged promptly. This includes details such as the nature of the incident, time of occurrence, and initial impact assessment.
  • Investigation Reports: Following the initiation of incident response protocols, comprehensive investigation reports are generated. These reports delve into the root causes of the incident, the extent of the impact, and the steps taken to mitigate and remediate. This documentation is crucial for post-incident analysis and continuous improvement of security measures.
  • Remediation Plans: Incident documentation extends to outlining remediation plans. This involves detailing the corrective actions taken to address vulnerabilities, prevent recurrence, and enhance overall security resilience. The documentation includes timelines, responsible parties, and follow-up procedures to ensure the effectiveness of remediation efforts.

Policy Records

  • Security Policy Documentation: BioCompute maintains detailed records of its security policies. This includes the Security Plan, which serves as a comprehensive guide to the platform's security objectives, controls, and compliance measures. Policy documentation is regularly updated to align with evolving security standards and emerging threats.
  • Policy Change Logs: Any modifications, updates, or revisions to security policies are logged. The change logs include information about the specific policy affected, the reason for the change, and the individuals involved in the decision-making process. This transparency ensures accountability and facilitates auditing processes.

This robust documentation and record-keeping framework underpins BioCompute's commitment to accountability, transparency, and continuous improvement. By maintaining detailed records of incidents, policies, and compliance efforts, the platform ensures a proactive and well-documented approach to security management.