...

Finally, NCSA staff must attend a security training or watch recorded materials within the first 90 days of employment, and again whenever the Security Office announces major updates to the training program. This is important not only to keep up to date with changing policies and procedures, but also because best practices and security threats change over time.

Policy

Privacy Expectations

The University and the NCSA respect the privacy of their staff and customers. However, staff and NCSA users must both be aware that there are systems in place that actively monitor for indicators of compromise and record logs that support the IT infrastructure at NCSA. For example, the NCSA monitors its networks in real time for security and performance issues; shared systems record logs to a centralized log server; vulnerability scanners regularly scan systems and credentials for weaknesses; and High Performance Computers (HPCs) may record all interactions on the command line, though not without appropriate warning to users. These systems can therefore see all unencrypted traffic, as well as laptop/workstation backups if encryption is not used.

In addition to this automated monitoring, manual investigations of security incidents or performance issues may require authorized staff to view traffic or files on NCSA networks and equipment.

Cameras record activity in public spaces of all buildings NCSA occupies, for safety and physical security.

As State employees, staff need to be aware that anything they write using University systems is potentially open to FOIA requests. This includes emails saved on University systems, printed records, and things written on wikis or other forums at the University. As such, it is recommended that staff include the following footer on their University emails.

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

The privacy of other staff must also be respected, and unauthorized snooping on the traffic or communications of fellow staff is a serious offense that will be reported to HR. This includes unauthorized video and audio recording, network traffic recording, and any means of exceeding one's authorizations to look at digital files one should not access. Some types of unauthorized recording are a criminal offense in Illinois and could also be reported to the authorities.

...

  • Policy
    • privacy
      • Privacy of users/customer data
      • Privacy of others & snooping
      • FOIA
      • Security team respects privacy
        • network monitoring
        • Cameras
        • investigations
        • vulnerability scanning, including passwords
    • Appropriate use of systems/accounts/services
      • authentication credentials
        • No sharing
        • no cleartext storage
        • no cleartext email/transfer
      • hacking/exceeding authority
        • includes violating permissions & impersonating others
        • using to attack others
      • personal use and ethical consideration
        • University ethics office
        • not making money, in line with the mission of the university
    • Service operation
      • Be aware of laws and privacy of users
      • follow network security policies
      • involve security in planning process
      • change control as appropriate
      • production servers belong in a RAF room, see network zone policy
    • Equipment registered to you
      • Follow best practices and maintain updates, follow university policies
      • screen locks on mobile devices, not leaving office doors open
      • taking home
      • Done with it, broken, or lost
        • surplus & wipe
        • transfer equipment
      • ethical use
      • Personal equipment implications
    • Information/Data
      • Follow university policy
        • includes printed materials and physical locks
      • Notify of high risk or confidential data
      • backup important
      • encryption on backup & mobile
      • approved third parties like Box
    • Employee exit
      • authorizations
      • keys
      • email lists
      • property return
  • Authority & Consequences
    • revoked accounts, privileges, taken off network, reported to HR
    • PA only has authority to speak with the public directly or the DO
  • Exceptions process
  • Review & update
  • References

...