COS Data Breach Response Plan
The Center for Open Science (COS) focuses significant attention on data security, has an established culture of openness, trust, and integrity, and is committed to protecting the Open Science Framework's (OSF) data.
As soon as a theft, breach, or exposure of OSF content containing protected or sensitive data is identified, the process of removing all access to that resource will begin. For a theft, breach, or exposure of OSF sensitive, private, protected, or confidential data, the security response team will analyze the incident to determine its cause and take measures to control, limit, prevent, or otherwise thwart further exposure. The COS security response team will follow communication protocols appropriate to the incident and ensure that all those affected are efficiently notified, including use
Current Security Measures Employed By COS
The OSF database uses GCP's at-rest disk encryption. Columns containing sensitive information (such as third-party storage add-on credentials) are also encrypted at the column level with AES-256-GCM. Passwords are stored as bcrypt hashes; bcrypt is a one-way function, so passwords cannot be recovered from the stored values. Logs are primarily stored in Google Cloud Stackdriver and retained indefinitely. All traffic is encrypted with TLS, both internally between pods and clusters and externally to the internet.
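To make the column-level AES-256-GCM measure above concrete, here is an added example written for this page; it is not OSF or COS code and uses only the Go standard library. It assumes a single 32-byte column key kept outside the database (for instance in a secret manager), a fresh random 96-bit nonce per stored value, and the table, column and row identity passed as GCM associated data (the `fieldAAD` helper, table and column names, and the sample token are all constructed for illustration). The associated data is what stops an attacker with database write access from copying a valid ciphertext into another row. The bcrypt password hashing mentioned on the page is not shown, since it needs a non-standard-library package.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustrative column-level encryption (not OSF's code). Assumptions: one
// 32-byte column key held outside the database, a random 96-bit nonce per
// value, and table/column/row identity supplied as associated data so a
// ciphertext cannot be moved between rows without detection.

const nonceSize = 12 // 96-bit nonce, the standard GCM size

// fieldAAD builds the associated data that binds a ciphertext to its location.
func fieldAAD(table, column string, rowID int64) []byte {
	return []byte(fmt.Sprintf("%s.%s#%d", table, column, rowID))
}

// sealField encrypts one column value with AES-256-GCM.
// Stored layout: nonce || ciphertext || 16-byte GCM tag.
func sealField(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("sealField: key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, yielding nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openField reverses sealField. Any change to the stored bytes, or a mismatch
// in aad (wrong row or column), makes the GCM tag check fail.
func openField(key, aad, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("openField: key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+gcm.Overhead() {
		return nil, errors.New("openField: stored value too short")
	}
	return gcm.Open(nil, blob[:nonceSize], blob[nonceSize:], aad)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample: a storage add-on token belonging to row 42.
	aad := fieldAAD("addons_credentials", "access_token", 42)
	blob, err := sealField(key, aad, []byte("constructed-sample-token"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (nonce+ciphertext+tag)\n", len(blob))
	if pt, err := openField(key, aad, blob); err == nil {
		fmt.Printf("row 42 decrypts to %q\n", pt)
	}
	// The same blob copied into row 43 is rejected: the AAD no longer matches.
	if _, err := openField(key, fieldAAD("addons_credentials", "access_token", 43), blob); err != nil {
		fmt.Println("row 43 rejected:", err)
	}
	// A single flipped ciphertext byte is likewise rejected.
	blob[nonceSize] ^= 0x01
	if _, err := openField(key, aad, blob); err != nil {
		fmt.Println("tampered value rejected:", err)
	}
}
```

Two caveats a practitioner should keep in mind with this scheme: a GCM nonce must never repeat under the same key (random 96-bit nonces are safe for a large but bounded number of encryptions per key, so plan for key rotation), and the column key must not live in the same database it protects, or disk encryption and column encryption fall together.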
The OSF has an internal interface, secured via an Identity-Aware Proxy, for managing service administration with various roles for user-support staff. COS user-support staff have limited access to certain metadata about projects, registrations, preprints, files, and users (including names and email addresses).
Suspect a breach of OSF data?
If you believe that you have detected a data breach on OSF, write to firstname.lastname@example.org and provide as much information as possible. A member of the COS security response team will follow up with you and coordinate an appropriate response with the rest of the COS staff.