Date: Thu, 28 Mar 2024 17:21:49 -0500 (CDT) Message-ID: <1434694712.1454.1711664509568@wiki.ncsa.illinois.edu> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_1453_1683594568.1711664509566" ------=_Part_1453_1683594568.1711664509566 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html
Document Name: NCSA Information Security Policy
Version: 2.2
Accountable: James Eyric=
h
Authors: Adam Slagell, Alex Withers
The National Center for Supercomputing Applications (NCSA) is an interdi= sciplinary hub at the University of Illinois at Urbana-Champaign, which ser= ves the computational needs of the nation's scientists and engineers throug= h the cyberinfrastructure (hardware, software, & services) they develop= and support.
The NCSA Security Office supports the mission of the Center by assuring = the confidentiality, integrity and availability of the Center's digital ass= ets and resources and those of its partners. This is achieved through monit= oring, incident response, proactive security design, education, and awarene= ss activities at the Center and with its collaborators.
This policy document supports these missions by promoting sound practice= s for securing digital assets by educating the tenants of NCSA buildin= gs and networks of their responsibilities and the procedures and processes = at NCSA.
This policy is applicable to all University workforce members &a= mp; students with any appointment at NCSA, sponsored = guests and vendors allocated physical space in an NCSA building, a= nd any person responsible for resources hosted on NCSA networks (referred t= o hereafter as "stakeholders"). It complements other NCSA and UIUC security= policies. Links to these and other security policies can be found in the r= eference section of this document.
This policy does not cover building security, though it covers the physi= cal protection of electronic devices that store University data.
As security is a process, and not a technology, security is everyone's r= esponsibility and requires cooperation, awareness and ownership by all part= ies. Therefore, not only does the Security Office hold responsibilities for= protecting NCSA assets, but so do all the stakeholders in our shared offic= es and on our networks.
The Security Office is responsible for investigating and coordinating re= sponses to security incidents as well as proactively monitoring NCSA networ= ks and systems for indicators of compromise. Many of the services provided = and maintained by the security team are for these purposes.
The Security Office provides assistance in the design and implementation= of security architectures, assisting the resource providers at NCSA in dev= eloping systems that are hardened and more resilient to cyber attacks. This= requires the security team to maintain leading edge skills in their domain= and to translate that expertise to the other engineers and developers at N= CSA.
The responsibility to uphold University and NCSA policies and agreements= related to cyber security also falls on this office. They must therefore m= onitor and audit for compliance, and take actions (e.g., removing a system = from the network or reporting violations to Human Resources and appropriate= management) to support NCSA's obligations.
The Security Office must also ensure that NCSA systems are not used in a= n attack against itself or other institutions and will remove systems from = the network as needed to do so.
Finally, they hold responsibility for providing adequate training, aware= ness and guidance to NCSA staff, partners and customers.
Persons in NCSA buildings and on NCSA networks (i.e. NCSA stakeholders) = have a responsibility to follow the security policies and procedures of NCS= A, UIUC and the State of Illinois. That includes this policy, but also the = applicable policies referenced at the end of this document. This list may n= ot be exhaustive, as special agreements with vendors or project specific po= licies can have security implications as well.
Stakeholders are expected to cooperate with security, legal and regulato= ry investigations or audits. This includes being truthful, not exceding the= ir authorizations, and never falsifying or destroying evidence.
It is the responsibility of all NCSA stakeholders to report security inc= idents or violations of these policies to the Security Office. Similarly, i= t is everyone's responsibility to promptly report a suspected compromise of= their systems or credentials (e.g., passwords, security tokens, SSH keys, = and digital certificates) so that abuse can be prevented as early as possib= le.
Finally, NCSA stakeholders must annually review this policy and sign off= that they have done so. Security training will be provided at least annual= ly as part of the Security Office's training and outreach activities. These= are important not only to keep up-to-date with changing policies and proce= dures, but also with industry best practices and current security threats, = which also change over time.
The University and the NCSA respect the privacy of its staff and custome= rs. However, both must both be aware that there are systems in place that a= ctively monitor for indicators of compromise and record logs to support the= IT infrastructure at NCSA. For example, NCSA monitors its networks in real= time for security and performance issues; shared systems record logs to a c= entralized log server; vulnerability scanners regularly scan systems and cr= edentials for weaknesses; and security systems continuously monitor user in= teractions on shared systems looking for indicators of compromise, such as,= execution of certain command sequences. These systems can therefore see al= l unencrypted traffic as well as laptop/workstation backups if encryption i= s not utilized.
In addition to this automated monitoring, manual investigations of secur= ity incidents or performance issues may require authorized staff to view tr= affic or files on NCSA networks and equipment.
As a state institution, stakeholders need to be aware that anything they= do using University systems or for University purposes, is potentially ope= n to FOIA requests. This includes emails saved on University s= ystems, printed records, and things written on wikis or other forums at the= University. As such, the University recommends that all employees have the= following footer included on their University emails.
"Under the Illinois Freedom of Information Act (FOIA),= any written communication to or from University employees r= egarding University business is a public record and may be subjec= t to public disclosure."
The privacy of others must also be respected, and unauthorized snooping = of traffic or communications is a serious offense that will be reported to = Human Resources (HR) or a guest's sponsor. This includes network traffic re= cording or any means of superseding ones authorizations to look at digital = files they should not access.
Only the NCSA Public Affairs department or Director's Office has the aut= hority to speak to the public about an ongoing security investigation. Whil= e the Security Office may share information with trusted partners or law en= forcement to resolve an incident, they do not speak to the public about an = ongoing incident. And even after the incident, they only do so while respec= ting the anonymity of individuals.
NCSA stakeholders are in a position of trust when given authentication c= redentials, such as, passwords, keys or tokens. These accounts are for thei= r use only, and cannot be shared to give another party access to NCSA syste= ms or resources. Furthermore, per the University's policies, passwords are = high risk information and therefore cannot be stored or transmitted unencry= pted. For example, NCSA passwords cannot be emailed unencrypted or put on a= web site or wiki.
Stakeholders are expected to obey all relevant laws and regulations rega= rding computer "cracking", attacking, fraud, etc. Users of NCSA resources, = including stakeholders, also agree not to attack NCSA systems or exceed the= ir authority on them. This includes violating file permissions, impersonati= ng others, stealing/cracking other users' credentials, and using NCSA syste= ms as part of an attack on other computers or electronic equipment. = p>
While the University respects academic freedom and has a broad mission, = stakeholders need to take careful consideration of personal use of Universi= ty owned systems or networks. For example, profiting or politicking with Un= iversity equipment violates State law. Other activities may be legal but ag= ainst the mission of the University. People are advised to contact the Ethics Office with specific questions about personal use of Uni= versity equipment.
Reputational systems and services are run out of the Integrated Cyberinf= rastructure (ICI) Directorate, which includes the Security Office. The ICI = division leads meet regularly and with other stakeholders on the NCSA Inter= nal Infrastructure Board to provide the best services possible for our work= force members, users and partners. However, there are many R&D projects= that run their own internal services less formally. Regardless, operators = of any service still have obligations and need to be aware of NCSA/UIUC pol= icies and procedures.
Raised access floor (RAF) space is provided for servers at NCSA. Based o= n the needs of the project and costs, servers could be placed in either the= main data center at NPCF or one of the smaller RAF spaces in the NCSA buil= ding. The Internal Infrastructure Board works with PIs (Principal Investiga= tors) to find the appropriate space.
Running any service requires knowledge of and compliance with th= e NCSA Netw= ork Security Policy, which defines security requirements based= on the network zone where the service is hosted. Servers are not to b= e run out of office or wireless networks, and server operators must subscri= be to the NCSA Security blog to stay inf= ormed of current security issues.
Just as services provided by ICI must respect the privacy of users, so t= oo must anyone else running services at NCSA respect user privacy, mai= ntain transparency, and follow applicable laws. Failure to do this endanger= s NCSA's reputation and standing, and could result in a system or service b= eing taken offline.
Finally, the Security Office must be involved early on when developing f= unding proposals that will place new infrastructure at NCSA. This is becaus= e special requirements could require extra planning by security staff or ev= en have extra costs that must be accounted for in the proposal. For example= , storing protected health information could require clearance with the Uni= versity, contracts to be signed, and additional audits. It could also requi= re offsite hot backups and special support commitments for emergency modes = of operation, and all of this costs money and time.
Many stakeholders have University laptops, workstations or other compute= r equipment assigned to them, for which they are responsible. This responsi= bility includes providing for the physical and cyber security of these devi= ces.
For the cyber-protection of equipment, it is required that devices left = unattended will lock within 5 minutes, requiring a password, passcode or bi= ometric to access them. This is especially important of mobile devices, suc= h as, tablets and laptops, but important for even workstations in shared of= fices or unsecured spaces. Even personal devices, if used for university bu= siness, must use such timed lockouts. For example, a mobile phone that is s= etup to use University email must have a passcode or biometric enabled.
Those who self-manage systems on NCSA networks are responsible for follo= wing security best practices and keeping their systems up-to-date. The= y must follow all University policies regarding anti-virus software, firewa= lls, and other security software. The Security Office will help keep stakeh= olders aware of these policies and best practices.
NCSA staff are usually allowed to take laptops and some other equipment = home, but this must be done with approval from their manager and registrati= on with Shipping & Receiving. They are responsible for inventory of NCS= A equipment and must be informed of equipment that leaves the office or any= transfers of equipment to other persons. Such equipment must still have a = business purpose if taken home, and staff are again advised to contact the&= nbsp;Ethics Office with specific questions about perso= nal use of University equipment.
NCSA equipment that is lost or stolen must be reported to one's manager/= sponsor and Shipping & Receiving. If it held high risk data as defined = in University Policy, its loss must also be rep= orted to the NCSA Security Office.
NCSA equipment with Blue inventory tags must be returned to Shipping &am= p; Receiving when no longer needed. It must not be disposed of personally, = even if broken. From there, equipment will be securely wiped clean and eith= er repurposed at NCSA, or sent to campus surplus.
Finally, personal equipment that is used on NCSA networks will still be = monitored and must follow the NCSA Network Security Policy. Personal equipment mus= t never be used to store high risk data for the University.
The University has three categories in its = Data Classification Policy: High Risk, Confidential, and Public. Stakeh= olders must follow University policies regarding these classifications and = also inform the NCSA Security Office if they are in possession of any high = risk data as this will require a data management plan.
University data that lives exclusively on a laptop, workstation or other= device must be backed up regularly or moved to shared service that is back= ed up, like a wiki or file server. NCSA provides a backup service to all fa= culty and staff with an appointment and will help to configure its use on t= heir systems.
Only University approved third-party cloud services are allowed for stor= ing unencrypted high risk or confidential University data = (this includes backups that may contain such data). If not pre-approved,&nb= sp;data must be locally encrypted before being put on the = third-party service.
Departing NCSA occupants and employees meet with the NCSA building manag= er who will collect any tagged equipment not transferred to another person = as well as remove access to server rooms, which may house equipment with se= nsitive digital information.
NCSA accounts may or may not be deactivated, depending on the role the p= erson maintains with the Center. However, if they are departing staff, they= must be removed from all staff groups in NCSA authorization systems and st= aff email lists. They will also be removed from any other NCSA email lists = unless the list owner actively approves of their continued membership.
Additionally, departing staff must= acknowledge the NCSA Acceptable Use Policy, which includes a confidentiali= ty agreement for workforce members with access to sensitive data, to ensure= employees are reminded of their obligation to not discuss sensitive inform= ation after employment.
NCSA prescribes security controls consummate with the risk level of the = information systems. Current controls are in place to prevent, = detect, contain, respond to, and/or otherwise recover from sec= urity incidents. These controls are found in the following security policy = documents:
Systems or users may not bypass security controls either unintenti= onally or otherwise. The NCSA Security Office reserves the right to p= revent such bypassing of security controls. Intentional bypassing of securi= ty controls may be treated as a violation of NCSA security policies.=
The Advanced Computational Health Enclave (ACHE) is a special environmen= t with restricted physical and electronic access at NCSA. Sensitive data in= cluding all electronic Protected Health Information (ePHI) and Controlled U= nclassified Information (CUI) processed or stored at NCSA is done within th= is environment.
All NCSA workforce members who need access to this environment or who ma= y come in contact with ePHI during day-to-day operations or an emergency ar= e designated as a part of the NCSA Health Care Component (NHCC) of the Univ= ersity of Illinois Covered Entity. All NCSA workforce members who need acce= ss to this environment or who may come in contact with CUI during day-to-da= y operations or an emergency are designated as a part of the NCSA = Staff with ACHE Access group.
All workforce members in the Covered Entity must take the official UofI = HIPAA training annually, and all workforce members in the NCSA Staff wi= th ACHE Access group must take CUI training. If they use laptops to ac= cess these systems, the devices must utilize full disk encryption. All lapt= ops and workstations they use for this work must also employ password prote= cted screen savers that automatically lock after a period of inactivity.
Removable media may not be brought into, connected to or used in the ACH= E environment without explicit permission of the Security Office. If remova= ble media is approved for use in the ACHE environment it must be encrypted = in accordance with the BAA agreement and the Security Office. Currently thi= s is AES currently employing 128 bit crypto key length.
The Security Office will verify compliance to the ACHE policy through va= rious methods, including but not limited to, periodic physical inspection, = video monitoring, security and business tool reports, internal and external= audits.
The NCSA Security Office has the right and responsibility to take <=
span>systems offline that are compromised (e.g. either attacking or causing=
harm to others). It also has the right and responsibilit=
y to take the systems offline of those persons violating =
NCSA security policies. In the event that systems=
are to be removed from the network in the case of security policy violatio=
ns a ticket shall be created to track the incident. The CISO shall make the=
final decision and document this in the ticket, noting the impact on risk =
and thereby justifying the decision to remove the system. If the CISO is un=
able to be contacted and cannot make a decision in a timely manner, the ICI=
director will make the decision and document it in the ticket.
Depending upon the severity, type and recurrence of a violation, the Sec= urity Office may report the issue to supervisors, HR, senior management or = even law enforcement. Violations of the NCSA or University's policies invol= ving electronic Protected Health Information (ePHI) will be reported to the= UofI HIPAA Privacy and Security Officer, and violators will be subject to = disciplinary action as described by the University's policies.
There are exceptions and special cases to any policy. Requests for excep= tions should be made to the Security Office and may be approved by either t= hat office or the NCSA Director's Office. Note: the Security Office h= as a process to request exceptions. These requests are referred to as= "variances" since they are requests to vary from NCSA's security policies.=
This policy is reviewed annually by the Security Office. Feedback is sol= icited from the Internal Infrastructure Board for any recommended changes. = New versions are approved by the NCSA Director's Office.
Questions regarding this policy or its implications can be sent to the S= ecurity Office (security@ncsa.illinois.edu) or the NCSA Help Desk (h= elp@ncsa.illinois.edu).
UIUC IT policies are posted at https://techservices.illinois.edu/office-cio/information-tech= nology-policies
UIUC Security standards can be found at https://techservices.illinois.edu/security/illini-secure
The U of I HIPAA policy and resources page can be found at = https://hipaa.uillinois.edu/
Policies, standards, guidelines, and procedures developed by the NCSA Se=
curity Office are linked to from https://wiki.ncsa.illinois.edu/display/cybersec/Policies+a=
nd+Procedures