ORCID is an international nonprofit organization with users and members throughout the world. We are aware that values and community norms regarding data collection, use, and privacy vary from region to region, and recognize that it is important that our policies and practices reflect our global scope.
Our data security processes and policies are consistent with the principles set forth in the Privacy Shield Framework. ORCID is committed to taking a proactive approach to complying with international privacy regulations, and we continuously monitor and align our operations with these regulations, including, most recently, the European Union (EU) General Data Protection Regulation (GDPR). For more information regarding ORCID’s privacy practices, see the ORCID privacy policy.
We are committed to protecting the security of information stored in the ORCID Registry. This article gives an overview of ORCID’s data security standards and procedures.
Data centers
We keep your data safe by using enterprise-level data security practices and limiting the information that we collect and hold about you. All systems are protected by local and network firewalls, and are configured using secure baseline configurations, also known as hardened security templates.
We use well-respected cloud service providers such as Rackspace and AWS to host our data and servers. We review these organizations on an annual basis at a minimum to ensure alignment with ORCID’s security and privacy practices, as well as confirm their ability to comply with international regulations.
We may store and process your information on servers or in a cloud located outside the country where you originally deposited the data. Regardless of where we store and process data, ORCID continuously monitors and aligns our privacy and security practices with international regulations.
Data recovery
ORCID maintains a high standard for uptime. We use industry best practices for disaster recovery and backups to mitigate the impact of any unforeseen conditions which may affect our uptime.
We replicate data across multiple databases so that a copy remains available if a server is affected. A full copy of the master database is taken twice a day, and an encrypted version of that copy is retained for 120 days.
Encryption
ORCID uses a combination of encryption at rest (while the data is stored on our servers) and in transit (while the data is moving between your machine and our servers) to ensure the security of the Registry. ORCID uses one-way salted hashes for all passwords.
We use Secure Sockets Layer (SSL) encryption to protect sensitive pages such as sign-in and registration, and whenever you use the Registry section of the orcid.org website. We continuously check our SSL implementation against industry standards, such as the SSL Labs deployment best practices, to ensure that protocol and cipher-suite vulnerabilities are not introduced.
Access control
ORCID has strict access control protocols, designed around the principles of separation of duties (more than one person is required to complete a task) and least privilege (ORCID staff are granted only the access they need for their job role). All access to servers requires explicit approval by the ORCID Director of Technology. Only staff who require server access, such as members of the technical team, are granted it.
Staff with server access do not connect to servers directly; instead they connect over a Virtual Private Network (VPN) to a jumpbox that is configured with hardened security templates. Authenticating to the jumpbox requires multiple factors, such as an account/username, a Secure Shell (SSH) key and its passphrase, certificates, and a time-based authentication token.
Quality assurance
ORCID conducts extensive quality assurance testing of all code changes. We track and version all developments and changes to our code using GitHub. Prior to any code being pushed to our QA environment, at least two members of the technical team must approve the code.
The approved code is pushed to ORCID’s QA environment; another round of testing is performed on the ORCID sandbox if needed. Testing consists of both automated and manual testing to cover a wide scope of potential issues.
Once code has passed testing, it can be released to the live Registry. Code changes are coordinated between ORCID’s community and technical teams to ensure that ORCID staff are available if you or other users are affected. This process can be followed on the ORCID Current Development Trello board.
Security testing and vulnerability management
ORCID security scanning is aligned with the Open Web Application Security Project (OWASP) Top 10, a consensus ranking of the most critical security risks to web applications. We conduct application-level vulnerability testing at least once a week. Each finding from this testing is given a score based on the Common Vulnerability Scoring System (CVSS), which we then adjust as appropriate for our own environment.
In addition to security testing, ORCID continuously monitors newly released vulnerabilities and exploits, rates them using CVSS, and takes remedial action as needed.