Jefferson Lab Computer Security Policy
Jefferson Lab Computer Security Guidelines
Updated April 2007
Introduction
Purpose
The computing and network infrastructure and equipment and the
information and data residing on those systems are critical to the mission of
the Laboratory.
This policy statement has a twofold purpose. The first is to emphasize to all
Laboratory staff and the user community the importance of information system
security and their role in its maintenance. The second purpose is to assign
specific responsibilities for the provision of information and data security
and for the security of the computing infrastructure itself.
Scope
The policy applies to all computational, storage, and network devices
that make use of any of the Laboratory resources. These include, but are not
limited to, any system whether Lab purchased or not, attached to the network,
either directly or remotely by any means including any type of dial-up
connection, access via ISP or any other type of connection.
The policy applies to any and all users of the systems and resources. By
attaching to any system, or making use of any Laboratory computing or network
resource the user implicitly agrees to this policy. All registered users at the
time of registration are required to sign an agreement accepting these
policies.
Goals
The goals of the Jefferson Lab Computer Protection Program and these
Security Guidelines are to provide a secure, robust, and useable computing
environment for the working community of Jefferson Lab. This goal embodies
appropriate protection of data and resources from unauthorized use, protection
from operational failures due to unauthorized use, and the use of procedures
and policies that are effective without being operationally burdensome. Further
goals are to ensure individual accountability for data, information, and other
computing resources to which individuals have access, and to ensure that all
applicable policies, directives, mandates and legal requirements are applied
and adhered to.
Responsibilities
The following groups have responsibilities for implementing and
maintaining the security goals set out in this policy.
- Computer Center staff: are responsible for informing users about this
policy, and interacting with users on security issues. They are responsible for
ensuring the continued operation of the systems and implementing appropriate
security measures to comply with this security policy.
- Local administrators, who include:
  - any user with superuser (root) access to a Unix or Linux system,
  - all Windows NT domain or resource-domain administrators,
  - PC owners with administrative privilege on their desktop PC,
  are responsible for ensuring that the security of their systems
  is in accordance with this security policy.
- End users: any person who has access to a computing or network
resource. They are responsible for using the resources in accordance with this
policy, and for reporting any suspected breach of security to the Computer
Center.
Enforcement
The Computer Center staff is authorized to take appropriate measures in
cases of breach of use and security policies. These measures are at the
discretion of the Computer Center Manager and designated Computer Security
Officer, but may include immediate disconnection of a compromised system from
the network, immediate blocking of a compromised user account, or any other
measure deemed necessary. In addition, the use of any account or system in such
a way that breaches this policy will be reported to the appropriate supervisor,
sponsor or management and may lead to further disciplinary and legal
action.
Policies
General Policies
- Every personal computer should have an "owner" or "system manager"
who is responsible for the maintenance and security of the computer and for
following all applicable policies and procedures.
- In order to prevent unauthorized access to data, software, and other
resources residing on the network, all security mechanisms of the system must
be under exclusive control of the local administrator and relevant personnel of
the Computer Center.
- In order to prevent the spread of malicious software and help enforce
license agreements, users must ensure that software is properly licensed and
safe.
- Backups of all data residing on stand-alone systems or clusters are
the responsibility of the local administrator. The Computer Center staff is
responsible for backups of all central systems and servers.
- Each user is assigned a unique userid and password on receipt
of a user account request and signed user agreement. Users must not share their
assigned userid.
- All new users are required to attend a short training course as part
of their orientation. This is aimed at familiarizing them with their security
responsibilities, guidelines and practices as well as acceptable and
appropriate use.
- Users must be authenticated before accessing network resources. This
is normally achieved by password verification. There will be no access to
shared resources (e.g. printers) without authentication.
- After 6 months of inaction a userid will be de-activated.
- Use of traffic monitors/recorders, sniffers, routers, etc. is
explicitly prohibited without the prior consent of the Computer Center.
Specific Responsibilities
Users
Users are expected to be familiar with Jefferson Lab security policies,
and other applicable laws, policies, mandates and procedures. Users are
responsible for their own behavior. Specifically:
- Responsible for understanding and respecting relevant Federal laws,
DOE policies and procedures, and other applicable security policies and
associated practices for the Jefferson Lab computing environment.
- Responsible for employing available security mechanisms for
protecting the confidentiality and integrity of their own information when
required.
- Use file protection mechanisms to maintain appropriate file
access control.
- Select and maintain good passwords. Do not write passwords down,
or disclose them to others. Passwords must conform to the rules described in
http://cc.jlab.org/policies/PasswordRules.html.
- Use password encryption wherever possible. Secure shell (ssh) is
available for all systems at the lab, and the central IMAP mail server is
capable of password encryption. For all practical purposes there is no reason
to use clear text passwords between any systems on site. Do not use telnet, use
ssh. Do not use POP (or clear text IMAP), use encrypted IMAP. Simple
instructions for using these services are available from the Computer
Center.
- Use ssh wherever possible when connecting to the lab from an
external site. Ask your local system administrator to set up ssh. The only
reason to not use ssh is from countries (e.g. France) where it is illegal to do
so. When connecting with ssh from outside the lab you must use a pass
phrase.
- Do not share accounts. In general there are no shared accounts on
central systems.
- Responsible for advising others who fail to properly employ available
security mechanisms. Notify them and the Computer Center of resources (e.g.
files, accounts) left unprotected.
- Responsible for notifying the local administrator and the Computer
Center if a security violation or failure is suspected or detected.
- Responsible for not exploiting system weaknesses.
- Do not intentionally modify, destroy, read, or transfer
information in an unauthorized manner; do not intentionally deny others
authorized access to or use of computing resources and information.
- Provide the correct identity and authentication information when
requested and do not attempt to assume another party's identity.
- Responsible for ensuring that backups of data and software on their
own personal computer are performed.
- Responsible for being familiar with how malicious software (e.g.
viruses) operates, methods by which it is introduced and spread, and
vulnerabilities that are exploited by such software and unauthorized
users.
- Responsible for knowing and utilizing appropriate procedures for the
prevention, detection, and removal of malicious software.
Local Administrators
Local administrators are expected to utilize the available security
services and mechanisms to support and enforce applicable security policies and
procedures. In this context a local administrator is anyone who has
administrative access to a system, including a desktop PC, Mac, Linux, or other
Unix system. Any user who currently has such access but who does not wish
to take on these responsibilities should contact the Computer Center for
guidance. Systems that do not comply with these policies may be denied network
access. Specifically:
- Responsible for managing all users' access privileges to data,
programs, and functions.
- Responsible for monitoring all security related events and following
up on any actual or suspected violations where appropriate. Responsible for
notifying and coordinating with the Computer Center for investigation and
monitoring of security related events.
- Responsible for maintaining and protecting system software and
relevant files using available security mechanisms and procedures. Specifically
this includes applying any and all system patches as recommended or directed by
the Computer Center.
- Responsible for running the Computer Center provided monitor scripts
(under the generic non-privileged account).
- Responsible for scanning local servers with anti-virus software at
regular intervals to assure no virus becomes resident on the server.
- Responsible for ensuring that all users are registered with the
Computer Center. No one is permitted to use any Laboratory computing or network
resource unless they are registered and have signed the User Agreement.
- Responsible for promptly notifying the Computer Center of all
computer security incidents, including malicious software:
- Notify the Computer Center if a penetration is in progress;
assist other local administrators in responding to security violations.
- Cooperate with other local administrators and the Computer Center
in finding violators and assisting in enforcement efforts.
- Responsible for providing assistance in determining the source of
malicious software and the extent of contamination.
- Use encrypted passwords (ssh) for all superuser access except from
the system console. Under NO circumstances should the superuser password
be passed in clear text over the network.
Computer Center Staff
The Computer Center is expected to enforce all local security policies.
Specifically:
- Responsible for applying available security mechanisms for
enforcement of local security policies.
- Responsible for advising management on the workability of existing
policies and any technical considerations that might lead to improved
practices.
- Responsible for securing the environment within the site and
interfaces to outside networks.
- Responsible for responding to emergency events in a timely and
effective manner.
- Notify local administrators if a penetration is in progress;
assist local administrators in responding to security violations.
- Aid local administrators in locating violators and assist in
enforcement efforts.
- Responsible for employing generally approved and available auditing
tools to aid in the detection of security violations.
- Responsible for conducting timely audits of log files.
- Responsible for remaining informed on DOE policies and recommended
practices, informing local users and advising management of changes or new
developments.
- Responsible for backing up all data and software on the central
servers on a regular basis.
- Responsible for conducting periodic reviews to ensure that proper
security procedures are followed.
- Responsible for reporting all security incidents to the appropriate
authorities - CIAC, CPPC, etc.
This document is maintained by helpdesk@jlab.org
Copyright Jefferson Lab 2007