JLab Security Guidelines

(Last Revised: January 2018)

Introduction

Purpose

The computing and network infrastructure, equipment, and the information and data residing on those systems are critical to the mission of the Jefferson Lab (JLab). This policy statement has a twofold purpose. The first is to emphasize to all JLab staff and the user community the importance of information system security and their role in its maintenance. The second is to assign specific responsibilities for the provision of information and data security and for the security of the computing infrastructure itself.

Scope

The policy applies to all computational, storage, and network devices that make use of any of the JLab resources. These include, but are not limited to, any system, whether JLab-purchased or not, attached to the network, either directly or remotely by any means. This includes all access via an Internet Service Provider (ISP) or any other type of connection.

The policy applies to any and all users of the systems and resources. By attaching to any system, or making use of any JLab computing or network resource, the user implicitly agrees to this policy. All registered users are required, at the time of registration, to sign an agreement accepting these policies.

Goals

The goals of the JLab Computer Protection Program and these Security Guidelines are to provide a secure, robust, and useable computing environment for the working community of JLab. This goal embodies appropriate protection of data and resources from unauthorized use, protection from operational failures due to unauthorized use, and the use of procedures and policies that are effective without being operationally burdensome. Further goals are to ensure individual accountability for data, information, and other computing resources to which individuals have access, and to ensure that all applicable policies, directives, mandates and legal requirements are applied and adhered to by all staff and users.

Responsibilities

The following groups have responsibilities for implementing and maintaining the security goals set out in this policy.

  • Computing and Networking Infrastructure (CNI) staff are responsible for informing users about this policy and interacting with users on security issues. They are responsible for ensuring the continued operation of the systems and implementing appropriate security measures to comply with this security policy.
  • Local administrators, who include:
    • any user with superuser (root) access to a Unix or Linux system,
    • all Windows domain or resource-domain administrators,
    • PC owners with administrative privilege on their desktop, laptop, or tablet,

    are responsible for ensuring that the security of their systems is in accordance with this security policy.

  • End users: any person who has access to a computing or network resource. They are responsible for using the resources in accordance with this policy, and for reporting any suspected breach of security to the CNI group.

Enforcement

The CNI group is authorized to take appropriate measures in cases of breach of use and security policies. These measures are at the discretion of the CNI Manager and designated CNI Security Officer, but may include immediate disconnection of a compromised system from the network, immediate blocking of a compromised user account, or any other measure deemed necessary. In addition, the use of any account or system in such a way that breaches this policy will be reported to the appropriate supervisor, sponsor or management and may lead to further disciplinary and legal action.

Policies

General Policies

  1. Every personal computer should have an "owner" or "system manager" who is responsible for the maintenance and security of the computer and for following all applicable policies and procedures.
  2. In order to prevent unauthorized access to data, software, and other resources residing on the network, all security mechanisms of the system must be under exclusive control of the local administrator and relevant personnel of the CNI.
  3. In order to prevent the spread of malicious software and help enforce license agreements, users must ensure that software is properly licensed, safe, and updated.
  4. Backups of all data residing on stand-alone systems or clusters are the responsibility of the local administrator. The CNI staff is responsible for backups of all central systems and servers.
  5. Each user is assigned a unique username and password on receipt of a user account request and signed user agreement. Users must not share their assigned username.
  6. All new computer account holders are required to agree to the Jefferson Lab Computer User Responsibilities and complete the Annual Security Awareness Training course as part of their orientation. This is aimed at familiarizing them with their security responsibilities, guidelines and practices as well as acceptable and appropriate use.
  7. Users must be authenticated before accessing network resources. This is normally achieved by password verification. There will be no access to shared resources (e.g. wireless, printers) without authentication.
  8. After 6 months of inactivity, a username will be deactivated.
  9. Use of traffic monitors/recorders, sniffers, routers, etc. is explicitly prohibited without the prior consent of the CNI staff.

Specific Responsibilities

Users

Users are expected to be familiar with JLab security policies, and other applicable laws, policies, mandates and procedures. Users are responsible for their own behavior. Specifically:

  1. Responsible for understanding and respecting relevant Federal laws, DOE policies and procedures, and other applicable security policies and associated practices for the JLab computing environment.
  2. Responsible for employing available security mechanisms for protecting the confidentiality and integrity of their own information when required.
    1. Use file protection mechanisms to maintain appropriate file access control. Select and maintain good passwords. Do not write passwords down or disclose them to others. Passwords must conform to the rules described on the Password Rules page.
    2. Use password encryption wherever possible. Secure shell (ssh) is available for all systems at the lab, and the central IMAP mail server is capable of password encryption. For all practical purposes, there is no reason to use clear text passwords between any systems on site. Do not use telnet; use ssh. Do not use POP (or clear text IMAP); use encrypted IMAP. Simple instructions for using these services are available from the IT Division.
    3. Use ssh wherever possible when connecting to the lab from an external site. Ask your local system administrator to set up ssh. The only reason not to use ssh is when connecting from countries (e.g. France) where it is illegal to do so. When connecting with ssh from outside the lab, you must use a pass phrase.
    4. Do not share accounts. In general, there are no shared accounts on central systems.
  3. Responsible for advising others who fail to properly employ available security mechanisms. Notify them and the CNI group of resources (e.g. files, accounts) left unprotected.
  4. Responsible for notifying the local administrator and the CNI group if a security violation or failure is suspected or detected.
  5. Responsible for not exploiting system weaknesses.
    1. Do not intentionally modify, destroy, read, or transfer information in an unauthorized manner; do not intentionally deny others authorized access to or use of computing resources and information.
    2. Provide the correct identity and authentication information when requested, and do not attempt to assume another party's identity.
  6. Responsible for ensuring that backups of data and software on their own personal computer are performed.
  7. Responsible for being familiar with how malicious software (e.g. viruses) operates, methods by which it is introduced and spread, and vulnerabilities that are exploited by such software and unauthorized users.
  8. Responsible for knowing and utilizing appropriate procedures for the prevention, detection, and removal of malicious software.

Local Administrators

Local administrators are expected to utilize the available security services and mechanisms to support and enforce applicable security policies and procedures. In this context, a local administrator is anyone who has administrative access to a system, including a desktop, laptop, or tablet running Windows, Macintosh, Linux, or other Unix system. Any user who currently has such access but who does not wish to take on these responsibilities should contact the IT Division for guidance. Systems that do not comply with these policies may be denied network access. Specifically:

  1. Responsible for managing all users' access privileges to data, programs, and functions.
  2. Responsible for monitoring all security-related events and following up on any actual or suspected violations where appropriate. Responsible for notifying and coordinating with the CNI for investigation and monitoring of security-related events.
  3. Responsible for maintaining and protecting system software and relevant files using available security mechanisms and procedures. Specifically, this includes applying any and all system patches as recommended or directed by the CNI group.
  4. Responsible for running the monitor scripts provided by the CNI group (under the generic non-privileged account).
  5. Responsible for scanning local servers with anti-virus software at regular intervals to assure no virus becomes resident on the server.
  6. Responsible for ensuring that all users are registered with the CNI group. No one is permitted to use any JLab computing or network resource unless they are registered and have signed the User Agreement.
  7. Responsible for promptly notifying the CNI group of all computer security incidents, including malicious software:
    1. Notify the CNI group if a penetration is in progress; assist other local administrators in responding to security violations.
    2. Cooperate with other local administrators and the CNI group in finding violators and assisting in enforcement efforts.
  8. Responsible for providing assistance in determining the source of malicious software and the extent of contamination.
  9. Use encrypted passwords (ssh) for all superuser access except from the system console. Under NO circumstances should the superuser password be passed in clear text over the network.

CNI Staff

The CNI group is expected to enforce all local security policies. Specifically:

  1. Responsible for applying available security mechanisms for enforcement of local security policies.
  2. Responsible for advising management on the workability of existing policies and any technical considerations that might lead to improved practices.
  3. Responsible for securing the environment within the site and interfaces to outside networks.
  4. Responsible for responding to emergency events in a timely and effective manner.
    1. Notify local administrators if a penetration is in progress; assist local administrators in responding to security violations.
    2. Aid local administrators in locating violators and assist in enforcement efforts.
  5. Responsible for employing generally approved and available auditing tools to aid in the detection of security violations.
  6. Responsible for conducting timely audits of log files.
  7. Responsible for remaining informed on DOE policies and recommended practices, informing local users and advising management of changes or new developments.
  8. Responsible for backing up all data and software on the central servers on a regular basis.
  9. Responsible for conducting periodic reviews to ensure that proper security procedures are followed.
  10. Responsible for reporting all security incidents to the appropriate authorities - CIAC, CPPC, etc.