...

The NCSA Security Office supports the mission of the center by assuring the confidentiality, integrity and availability of the Center's digital assets and resources and those of its partners. This is achieved through its monitoring, incident response, proactive security design, education, and awareness activities at the center and with its collaborators.

...

This policy does not cover physical security. Physical security is the responsibility of the building managers for each building NCSA occupies. These persons are in the Admin Directorate, separate from the Security Office, and are responsible for implementing University policies regarding visitors, cameras, key and key card management, safety systems, etc. Where appropriate, they work with the Security Office to fulfill security requirements for the Center.

Responsibility

As security is a process, and not a technology, security is everyone's responsibility and requires cooperation, awareness and ownership by all parties. Therefore, not only does the Security Office hold responsibilities for protecting NCSA assets, but so do all staff.

...

The responsibility to uphold University and NCSA policies and agreements related to cyber security also falls on this office. They must therefore monitor and audit for compliance, and take actions (e.g., removing a system from the network or reporting violations to NCSA leadership or Human Resources) to support NCSA's obligations.

The Security Office must also ensure that NCSA systems are not used in an attack against other institutions, and will remove systems from the network to protect others.

...

NCSA Staff Responsibilities

Faculty & Staff have a responsibility to follow the security policies and procedures of NCSA, UIUC and the state of Illinois. That includes this policy, but also the applicable policies referenced at the end of this document. Staff associated with some projects and activities may also have additional responsibilities, for example, from non-disclosure agreements that put additional restrictions on data sharing via our contracts with vendors or industrial partners.

...

Finally, NCSA staff must attend a security training event or watch recorded materials within the first 90 days of employment, and again if the Security Office announces major updates to the training program. This is important not only for keeping up to date with changing policies and procedures, but also because industry best practices and security threats change over time.

Policy

Privacy Expectations

The University and the NCSA respect the privacy of their staff and customers. However, staff and NCSA users must both be aware that there are systems in place that actively monitor for indicators of compromise and record logs to support the IT infrastructure at NCSA. For example, the NCSA monitors its networks in real time for security and performance issues; shared systems record logs to a centralized log server; vulnerability scanners regularly scan systems and credentials for weaknesses; and High Performance Computers (HPCs) may record all interactions on the command line, though not without appropriate warning to users. These systems can therefore see all unencrypted traffic as well as laptop/workstation backups if encryption is not utilized.

...

Cameras record activity in public spaces in all buildings NCSA occupies for safety and security.

...

Only the NCSA Public Affairs department or Director's Office has the authority to speak to the public about an ongoing security incident investigation. While the Security Office may share information with trusted partners or law enforcement to resolve an incident, they do not speak to the public about an ongoing incident. And even after the incident, they only do so while respecting the anonymity of individuals.

...

Finally, the Security Office must be involved early on when developing funding proposals that will place new infrastructure at NCSA. This is because special requirements could require extra planning by security staff or even have extra costs that must be accounted for in the proposal. For example, having personal health information could require clearance with the University or special environments to be set up, and bringing new WAN links could incur extra costs or planning for monitoring NCSA networks.

...

Most full-time employees have laptops, workstations or other computer equipment assigned to them, for which they are responsible. This responsibility includes providing for the physical and cyber security of these devices.

For the cyber-protection of equipment, it is required that devices left unattended will lock within 5 minutes, requiring a password, passcode or biometric to access them. This is especially important for mobile devices, such as tablets and laptops, but is important even for workstations in shared offices or unsecured spaces. Even personal devices, if used for university business, must use such timed lockouts. For example, a mobile phone that is set up to use University email must have a passcode or biometric enabled.

...

Staff are usually allowed to take laptops and some other equipment home, but this must be done with approval from their manager and registered with Shipping & Receiving. Shipping & Receiving is responsible for inventory and must be informed of equipment that leaves the office or any transfers of equipment to other staff. Such equipment must still have a business purpose if taken home, and staff are again advised to contact the Ethics Office with specific questions about personal use of University equipment.

Equipment that is lost or stolen must be reported to one's manager and Shipping & Receiving. If it held high risk data as defined in University Policy, its loss must also be reported to the NCSA Security Office.

Equipment with Blue inventory tags must be returned to Shipping & Receiving when no longer needed. It must not be disposed of personally, even if it is broken. From there, equipment will be securely wiped clean and either repurposed at NCSA, or sent to campus Surplus.

...

NCSA accounts may or may not be deactivated, depending on the role the person maintains with the Center. However, they must be removed from all staff groups in NCSA authorization systems and staff email lists. They will also be removed from any non-staff NCSA email lists unless the list owner actively approves of their continued membership.

...