Document Name: NCSA Information Security Policy
Version: 2.02
Accountable: James Eyrich
Authors: Adam Slagell, Alex Withers

Reviewed: August 22, 2023
Approved: August 24, 2023 by IIB

Mission & Purpose

The National Center for Supercomputing Applications (NCSA) is an interdisciplinary hub at the University of Illinois at Urbana-Champaign, which serves the computational needs of the nation's scientists and engineers through the cyberinfrastructure (hardware, software, & services) they develop and support.

...

This policy is applicable to all University faculty, workforce members & students with any appointment at NCSA, sponsored guests and vendors allocated physical space in an NCSA building, and any person responsible for resources hosted on NCSA networks (referred to hereafter as "stakeholders"). It complements other NCSA and UIUC security policies (e.g. the NCSA Network Security Policy and UIUC Information Security Policy). Links to these and other security policies can be found in the reference section of this document.

...

Persons in NCSA buildings and on NCSA networks (i.e. NCSA stakeholders) have a responsibility to follow the security policies and procedures of NCSA, UIUC and the State of Illinois. That includes this policy, but also the applicable policies referenced at the end of this document. This list may not be exhaustive, as special agreements with vendors or project specific policies can have security implications as well.

Stakeholders are expected to cooperate with security, legal and regulatory investigations or audits. This includes being truthful, not exceeding their authorizations, and never falsifying or destroying evidence.

...

As a state institution, stakeholders need to be aware that anything they do using University systems or for University purposes is potentially open to FOIA requests. This includes emails saved on University systems, printed records, and things written on wikis or other forums at the University. As such, the University recommends that all employees have the following footer included on their University emails.

...

The privacy of others must also be respected, and unauthorized snooping of traffic or communications is a serious offense that will be reported to Human Resources (HR) or a guest's sponsor. This includes network traffic recording or any means of exceeding one's authorizations to look at digital files one should not access.

...

NCSA stakeholders are in a position of trust when given authentication credentials, such as passwords, keys or tokens. These accounts are for their use only, and cannot be shared to give another party access to NCSA systems or resources. Furthermore, per the University's policies, passwords are confidential high risk information and therefore cannot be stored or transmitted unencrypted. For example, NCSA passwords cannot be emailed unencrypted or put on a web site or wiki.

Stakeholders are expected to obey all relevant laws and regulations regarding computer "cracking", attacking, fraud, etc. Users of NCSA resources, including stakeholders, also agree not to attack NCSA systems or exceed their authority on them. This includes violating file permissions, impersonating others, stealing/cracking other users' credentials, and using NCSA systems as part of an attack on other computers or electronic equipment.

...

Operating Servers at NCSA

Reputational systems and services are primarily run out of one of three directorates at NCSA: Advanced Digital Services (ADS), Information Technology Services (ITS), or the Integrated Cyberinfrastructure (ICI) Directorate, which includes the Security Office. The ICI division leads meet regularly with other stakeholders on the NCSA Internal Infrastructure Board, who work together to provide the best services possible for our workforce members, users and partners. However, there are many R&D projects that run their own internal services less formally. Regardless, operators of any service still have obligations and need to be aware of NCSA/UIUC policies and procedures.

Raised access floor (RAF) space is provided for servers at NCSA. Based on the needs of the project and costs, servers could be placed in either the main data center at NPCF or one of the smaller RAF spaces in the NCSA building. The Internal Infrastructure Board works with PIs (Principal Investigators) to find the appropriate space.

...

Just as services provided by ADS, ITS, and ICI must respect the privacy of users, so too must anyone else running services at NCSA respect user privacy, maintain transparency, and follow applicable laws. Failure to do this endangers NCSA's reputation and standing, and could result in a system or service being taken offline.

Finally, the Security Office must be involved early on when developing funding proposals that will place new infrastructure at NCSA. This is because special requirements could require extra planning by security staff or even have extra costs that must be accounted for in the proposal. For example, storing protected health information could require clearance with the University, and possibly special contracts to be signed, and additional audits. It could also require offsite hot backups and special support commitments for emergency modes of operation, and all of this costs money and time.

NCSA Equipment Use

Many stakeholders have University laptops, workstations or other computer equipment assigned to them, for which they are responsible. This responsibility includes providing for the physical and cyber security of these devices.

...

NCSA staff are usually allowed to take laptops and some other equipment home, but this must be done with approval from their manager and registration with Shipping & Receiving. Shipping & Receiving is responsible for inventory of NCSA equipment and must be informed of equipment that leaves the office or any transfers of equipment to other persons. Such equipment must still have a business purpose if taken home, and staff are again advised to contact the Ethics Office with specific questions about personal use of University equipment.

...

NCSA accounts may or may not be deactivated, depending on the role the person maintains with the Center. However, if they are departing staff, they must be removed from all staff groups in NCSA authorization systems and staff email lists. They will also be removed from any other NCSA email lists unless the list owner actively approves of their continued membership.

...

Additionally, departing staff must acknowledge the NCSA Acceptable Use Policy, which includes a confidentiality agreement for workforce members with access to sensitive data, to ensure employees are reminded of their obligation to not discuss sensitive information after employment.

Security Controls

NCSA prescribes security controls commensurate with the risk level of the information systems. Current controls are in place to prevent, detect, contain, respond to, and/or otherwise recover from security incidents. These controls are found in the following security policy documents:

Systems or users may not bypass security controls either unintentionally or otherwise. The NCSA Security Office reserves the right to prevent such bypassing of security controls. Intentional bypassing of security controls may be treated as a violation of NCSA security policies.

Advanced Computational Health Enclave

The Advanced Computational Health Enclave (ACHE) is a special environment with restricted physical and electronic access at NCSA. All sensitive data, including all electronic Protected Health Information (ePHI) and Controlled Unclassified Information (CUI), that is processed or stored at NCSA is handled within this environment.

All NCSA workforce members who need access to this environment or who may come in contact with ePHI during day-to-day operations or an emergency are designated as a part of the NCSA Health Care Component (NHCC) of the University of Illinois Covered Entity. All NCSA workforce members who need access to this environment or who may come in contact with CUI during day-to-day operations or an emergency are designated as a part of the NCSA Staff with ACHE Access group.

All workforce members in the Covered Entity must take the official UofI HIPAA training annually, and all workforce members in the NCSA Staff with ACHE Access group must take CUI training. If they use laptops to access these systems, the devices must utilize full disk encryption. All laptops and workstations they use for this work must also employ password protected screen savers that automatically lock after a period of inactivity.

Removable media may not be brought into, connected to or used in the ACHE environment without explicit permission of the Security Office. If removable media is approved for use in the ACHE environment it must be encrypted in accordance with the Business Associate Agreement (BAA) and the requirements of the Security Office. Currently this means AES with a 128-bit key length.

The Security Office will verify compliance with the ACHE policy through various methods, including but not limited to periodic physical inspection, video monitoring, security and business tool reports, and internal and external audits.

Violations

The NCSA Security Office has the right and responsibility to take systems offline that are compromised (e.g. either attacking or causing harm to others). It also has the right and responsibility to take offline the systems of those persons violating NCSA security policies. In the event that systems are to be removed from the network because of security policy violations, a ticket shall be created to track the incident. The CISO shall make the final decision and document it in the ticket, noting the impact on risk and thereby justifying the decision to remove the system. If the CISO cannot be contacted and cannot make a decision in a timely manner, the ICI director will make the decision and document it in the ticket. While due effort is made to notify system owners before taking a host offline, this is not always possible in an emergency.

Depending upon the severity, type and recurrence of a violation, the Security Office may report the issue to supervisors, HR, senior management or even law enforcement. Violations of NCSA or University policies involving electronic Protected Health Information (ePHI) will be reported to the UofI HIPAA Privacy and Security Officer, and violators will be subject to disciplinary action as described by the University's policies.

Exceptions Process

There are exceptions and special cases to any policy. Requests for exceptions should be made to the Security Office and may be approved by either that office or the NCSA Director's Office. Note: the Security Office has a process to request exceptions. These requests are referred to as "variances" since they are requests to vary from NCSA's security policies.

Updates

This policy is reviewed annually by the Security Office. Feedback is solicited from the Internal Infrastructure Board for any recommended changes. New versions are approved by the NCSA Director's Office.

Questions

Questions regarding this policy or its implications can be sent to the Security Office (security@ncsa.illinois.edu) or the NCSA Help Desk (help@ncsa.illinois.edu).

References

University Security Policies & Standards

UIUC IT policies are posted at https://techservices.illinois.edu/office-cio/information-technology-policies

UIUC Security standards can be found at https://techservices.illinois.edu/security/illini-secure

The U of I HIPAA policy and resources page can be found at https://hipaa.uillinois.edu/

NCSA Security & Privacy Policies, Standards, & Procedures

Policies, standards, guidelines, and procedures developed by the NCSA Security Office are linked to from https://securitywiki.ncsa.illinois.edu/

...

display/cybersec/Policies+and+Procedures


...

Other Resources

  1. University of Illinois Ethics Office (www.ethics.uillinois.edu)
  2. Illinois Freedom of Information Act (www.foia.uillinois.edu/foia)