COS Data Breach Response Plan
Center for Open Science (COS) focuses significant attention on data security and has an established culture of openness, trust, and integrity and is committed to protecting the Open Science Framework’s (OSF) data.
Any individual who suspects that a theft, breach, or exposure of OSF protected data or COS sensitive data has occurred must immediately make COS aware, as stated in our Terms Of Use, by providing a description of the occurrence to Support@Osf.Io. This email address is monitored by COS's security response team, which investigates all reports of theft, breach, or exposure to confirm whether a data breach has occurred. If the security response team determines that a theft, breach, or exposure of OSF data has occurred, the team will follow the appropriate procedure to mitigate additional risk and exposure.
As soon as a theft, data breach, or exposure of OSF content containing protected or sensitive data is identified, the process of removing all access to that resource will begin. For a theft, data breach, or exposure of OSF sensitive, private, protected, or confidential data, the security response team will analyze the breach and exposure to determine the cause and take measures to control, limit, prevent, or otherwise thwart further exposure. The COS security response team will follow communication protocols appropriate to the incident and ensure all those affected are efficiently notified including use
Current Security Measures Employed By COS
The OSF database utilizes GCP's at-rest disk encryption. Columns containing sensitive information (such as third-party storage add-on credentials) are encrypted with AES-256-GCM. Passwords are hashed with bcrypt, a one-way function, so the original password cannot be recovered from the stored value. Logs are primarily stored in Google Cloud Stackdriver indefinitely. All traffic is encrypted via TLS, both internally between pods and clusters, and externally from the internet.
The OSF has an internal interface, secured via an Identity-Aware Proxy, for managing service administration with various roles for user-support staff. COS user-support staff have limited access to certain metadata about projects, registrations, preprints, files, and users (including names and email addresses).
Suspect a breach of OSF data?
If you believe that you have detected a data breach on OSF, write to Support@Osf.Io and provide as much information as possible. A member of the COS security response team will follow up with you and coordinate an appropriate response with the rest of the COS staff.