added audit contribution

3f567761 · Fornari · 9917154d · 3f567761 · 3f567761 · 3f567761
Commit 3f567761 authored 5 years ago by Fornari
--- a/build.sh
+++ b/build.sh
@@ -128,7 +128,7 @@ link_pdf padme 2019_PADMEcontribution.pdf
 #build_from_source ssnn2 vmware.tex *.JPG *.jpg

 #build_from_source infra Chiller.tex  chiller-location.png
-
+build_from_source audit Audit-2018.tex
 #build_from_source cloud_cnaf cloud_cnaf.tex *.png
 #build_from_source srp SoftRel.tex ar2017.bib
 #build_from_source st StatMet.tex sm2017.bib

--- a/cnaf-annual-report-2018.tex
+++ b/cnaf-annual-report-2018.tex
@@ -202,6 +202,7 @@ Introducing the sixth annual report of CNAF...
 \addtocontents{toc}{\protect\mbox{}\protect\hrulefill\par}
 %\includepdf[pages=1, pagecommand={\thispagestyle{empty}}]{papers/research.pdf}
 \cleardoublepage
+\ia{Internal Auditing INFN for GDPR compliance}{audit}
 %\ia{Continuous Integration and Delivery with Kubernetes}{mw-kube}
 %\ia{Middleware support, maintenance and development}{mw-software}
 %\ia{Evolving the INDIGO IAM service}{mw-iam}

--- a/contributions/audit/Audit-2018.tex
+++ b/contributions/audit/Audit-2018.tex
+\documentclass[a4paper]{jpconf}
+\bibliographystyle{iopart-num}
+
+\begin{document}
+\title{Internal Auditing INFN for GDPR compliance}
+\author{V.~Ciaschini, P.~Belluomo}
+\address{INFN CNAF, Viale Berti Pichat 6/2, 40127, Bologna, Italy}
+\address{INFN sezione di Catania, Via Santa Sofia 64, 95123, Catania, Italy}
+
+\begin{abstract}
+With the General Data Protection Regulation (GDPR) coming into
+force, INFN had to decide how to implement its principles and
+requirements.  To monitor their application and in general INFN's
+compliance with GDPR, INFN created a new group, called ``Compliance
+Auditing,'' whose job is to be internal auditors for all structures.
+This article describes the startup activity for the group.
+\end{abstract}
+
+\section{Compliance Auditing Group}
+\subsection{Rationale for creation}
+When discussing GDPR application during the Commissione Calcolo e Reti
+(CCR) 2018 workshop in Rimini, it became clear that setting up
+a set of rules and assuming that all parts of INFN would correctly
+follow them was not, by itself, enough.  Indeed it was necessary to
+comply with the duty of vigilance, which in turn required periodic
+checkups.
+
+To counteract this worries, and to vigilate on its proper application,
+it was soon proposed to create a team which would take the
+name of ``compliance auditors,'' whose job was to act as internal
+auditors for all of INFN structures to check on the proper
+application of the regulations as implemented by INFN.
+
+
+\subsection{Startup Activity}
+Following the proposal of the group creation, the first task to solve
+was how to staff it.  Two people, who had previous experience with the
+setup of ISO compliance structures for some of INFN sections
+volunteered, Patrizia Belluomo (Lead auditor, Sezione di Catania) and
+Vincenzo Ciaschini (CNAF).
+
+The first activity undertaken by the group was a collection, followed
+by the study of all the norms applicable to INFN's implementation of
+GDPR, like the text of the normative itself, other applicable Italian
+legislation, the documents describing INFN's implementation, and
+several INFN regulations that, while not specifically talking about
+GDPR, still governed issues that were related to it, e.g data
+retention policies.
+
+We also had to decide how to structure the audits.  We decided to
+implement it according to well-known quality assurance principles.  To
+apply these principles, we ended up deciding on a set of arguments
+that would be investigated during the audits, and a set of questions
+that could, but not necessarily would, be asked during the audits
+themselves, to act as a set of guidelines and to permit INFN
+structures to prepare properly.
+
+When the group was formally approved, these procedures were
+presented at the CCR workshop in Pisa in October, and an indicative
+calendar for the audits created and sent to the structures as a
+proposal on when they would be audited.
+
+Due to budget limitations, it was also decided that, at least for the
+first year, most of the audits would be done by telepresence, with
+on-site audits reserved for the sections that had, or would have, the
+most critical data, i.e: the structures that hosted or would host
+INFN's Sistema Informativo.
+
+The rest of the year was devoted to refine this organization and
+prepare the formal documentation that would be the output of the
+audits and the procedures that we would follow during the audits,
+which began in earnest in 9 January 2019, but that would be out of
+scope for 2018's Annual Report. 
+\end{document}