Below is a sample computer and data security plan for a JLab work group. Specific details, such as frequency of backup or the designation of specific individuals for technical support, should reflect the group's needs and resources.
This is only a suggested template. In general, plans should address system integrity, data integrity, access controls, handling of sensitive data (if any), incident reporting, and continuity of operation.
Note that group cyber security plans are subject to internal reviews and peer reviews as required by DOE O205.1 and as specified in the JLab Cyber Security Program Plan (CSPP).
This document is part of the XXX Group Security Plan and details procedures that address computer and data security. The intent of these procedures is to ensure the integrity, availability, appropriate access, and appropriate use of data and systems within the group. This document augments the site's Cyber Security Program Plan and details local group policies.
All computer users in the XXX Group should be aware of our group's security policies, as well as those of the Lab as a whole (http://cc.jlab.org/policies/).
All individuals who are responsible for any software updates or system administration should subscribe to appropriate site mailing lists (see http://cc.jlab.org/docs/security/internal/mailserv-security.html).
[Note: these suggested policies, which make use of Computer Center facilities, provide a stable, low-overhead method of maintaining system integrity and virus protection. Groups whose operational needs do not allow compliance with the following policies must register and justify the exceptions and ensure that their own policies institute effective update procedures and virus protection.]
All Microsoft-based systems will be part of the CUE domain in order to have access to routine program and virus-protection updates.
All system and application software will be maintained at the latest appropriate version or patch level by prompt response to alerts from the Computer Center or software vendors regarding security or operational defects. Program updates will be obtained directly from the Computer Center or from reliable vendor sources.
Program updates that are not automatically done by CUE facilities are the responsibility of each computer user. [Alternative wording, if the group prefers centralized support: Program updates that are not automatically done by CUE facilities are the responsibility of the XXX group desktop support team.]
All administrative data (memos, papers, spreadsheets, etc.) will be backed up every day. This may be done transparently by using the CUE "home" or "group" disks as routine work space (these disks are backed up nightly). Data stored on local hard drives should be moved to CUE disks or backed up by alternate means.
Any sensitive or proprietary data for which standard CUE access control is not sufficient should remain on a local, unshared disk on a system that has user access control (i.e., requires a login). Screen locks should be used whenever the machine is not attended. Backups should be made to a removable medium that can be stored in a physically secure cabinet or safe.
Sensitive data (e.g., salary information, personnel details) should never be sent via unencrypted email.
Access to all computers should be controlled by passwords that conform to DOE guidelines (http://cc.jlab.org/cc_info/policies/PasswordRules.html).
A screen/keyboard lock or login screen should be active on all machines when they are not in use.
A supervisor (or JLab sponsor of non-staff users) is responsible for providing initial approval for a computer account and for notifying the Computer Center of a change in status of employees or users.
This document is maintained by {helpdesk@jlab.org}
Copyright Jefferson Lab 2007