Versions Compared


...

This policy applies to all University faculty and staff with any appointment at NCSA, sponsored guests and vendors allocated physical space in an NCSA building, and any person responsible for resources hosted on NCSA networks. It complements other NCSA and UIUC security policies (e.g. the NCSA Network Security Policy and the UIUC Information Security Policy). Links to these and other security policies can be found in the reference section of this document.

...

As security is a process, and not a technology, security is everyone's responsibility and requires cooperation, awareness and ownership by all parties. Therefore, not only does the Security Office hold responsibilities for protecting NCSA assets, but so do the stakeholders in our shared offices and on our networks.

Security Office Responsibilities

...

Finally, they hold responsibility for providing adequate training, awareness and guidance to NCSA staff, partners and customers.

...

Staff, Vendors, & Sponsored Guest Responsibilities

Persons in NCSA buildings and on NCSA networks (hereafter referred to as "stakeholders") have a responsibility to follow the security policies and procedures of NCSA, UIUC and the state of Illinois. That includes this policy, but also the applicable policies referenced at the end of this document. Persons associated with some projects and activities may also have additional responsibilities, for example, from non-disclosure agreements that put additional restrictions on data sharing via our contracts with vendors or industrial partners.

Stakeholders are expected to cooperate with security, legal and regulatory investigations or audits. This includes being truthful, not impersonating another person's identity, and never falsifying or destroying evidence.

It is the responsibility of all NCSA stakeholders to report security incidents or violations of these policies to the Security Office. Similarly, it is everyone's responsibility to promptly report a suspected compromise of their systems or credentials (e.g. passwords, security tokens, SSH keys, and digital certificates) so that abuse can be prevented as early as possible.

Finally, stakeholders must annually review this policy and sign off that they have done so. Security training will be provided at least annually as part of the Security Office's training and outreach activities. These are important not only to keep up-to-date with changing policies and procedures, but also with industry best practices and current security threats, which also change over time.

...

In addition to this automated monitoring, manual investigations of security incidents or performance issues may require authorized staff to view traffic or files on NCSA networks and equipment.

Because the University is a state institution, stakeholders need to be aware that anything they write using University systems is potentially open to FOIA requests. This includes emails saved on University systems, printed records, and things written on wikis or other forums at the University. As such, it is recommended that staff have the following footer included on their University emails.

...

The privacy of other staff and stakeholders must also be respected, and unauthorized snooping on the traffic or communications of fellow staff is a serious offense that will be reported to HR or to a guest's sponsor. This includes unauthorized video and audio recording as well as network traffic recording or any means of exceeding one's authorizations to look at digital files one should not access. Some types of unauthorized recording are a criminal offense in Illinois and could also be reported to the authorities.

...

Appropriate use of NCSA Systems & Services

NCSA stakeholders are in a position of trust when given authentication credentials, such as passwords, keys or tokens. These accounts are for the holder's use only, and cannot be shared to give another party access to NCSA systems or resources. Furthermore, per the University's policies, passwords are confidential information and therefore cannot be stored or transmitted unencrypted. For example, NCSA passwords cannot be emailed unencrypted or put on a web site or wiki.

Stakeholders are expected to obey all relevant laws and regulations regarding computer hacking, attacking, fraud, etc. Staff and users of NCSA systems also agree not to "hack" NCSA systems or exceed their authority on them. This includes violating file permissions, impersonating others, stealing/cracking other users' credentials, and using NCSA systems as part of an attack on other computers or electronic equipment. Attacks in this context do not include authorized cracking as part of normal research and development, but rather malicious or unauthorized activities.

While the University respects academic freedom and has a broad mission, stakeholders need to carefully consider any personal use of University-owned systems or networks. For example, profiting or politicking with University equipment violates State law. Other activities may be legal but against the mission of the University. People are advised to contact the Ethics Office with specific questions about personal use of University equipment.

...

Services are primarily run out of one of three directorates at NCSA: Advanced Digital Services (ADS), Information Technology Services (ITS), or the Security Office. These groups meet regularly, and their leaders form the NCSA Information Infrastructure Board, who work together to provide the best services possible for our staff, users and partners. However, there are many R&D projects that run their own services less formally. Regardless, operators of any service still have obligations and need to be aware of NCSA/UIUC policies and procedures.

Raised access floor (RAF) space is provided for servers at NCSA. Based on the needs of the project and costs, servers could be placed in either the main data center at NPCF or one of the smaller RAF spaces in the NCSA building. The Information Infrastructure Board works with PIs to find the appropriate space.

...

Finally, the Security Office must be involved early on when developing funding proposals that will place new infrastructure at NCSA. This is because special requirements could require extra planning by security staff or even have extra costs that must be accounted for in the proposal. As examples, storing personal health information could require clearance with the University, and possibly special physical or network security environments to be established; and bringing new WAN links online could incur extra costs for the planning and monitoring of NCSA networks.

NCSA Equipment Use

Many stakeholders have University laptops, workstations or other computer equipment assigned to them, for which they are responsible. This responsibility includes providing for the physical and cyber security of these devices.

For the cyber-protection of equipment, devices left unattended must lock within 5 minutes, requiring a password, passcode or biometric to access them. This is especially important for mobile devices, such as tablets and laptops, but it is important even for workstations in shared offices or unsecured spaces. Even personal devices, if used for University business, must use such timed lockouts. For example, a mobile phone that is set up to use University email must have a passcode or biometric enabled.

Those who self-manage systems on NCSA networks are responsible for following security best practices and keeping their systems up-to-date. They must follow all University policies regarding anti-virus software, firewalls, and other security software. The Security Office will help keep staff aware of these policies and best practices.

NCSA staff are usually allowed to take laptops and some other equipment home, but this must be done with approval from their manager and registered with Shipping & Receiving. Shipping & Receiving is responsible for the inventory of NCSA equipment and must be informed of equipment that leaves the office or any transfers of equipment to others. Such equipment must still have a business purpose if taken home, and staff are again advised to contact the Ethics Office with specific questions about personal use of University equipment.

NCSA equipment that is lost or stolen must be reported to one's manager and to Shipping & Receiving. If it held high risk data as defined in University Policy, its loss must also be reported to the NCSA Security Office.

NCSA equipment with Blue inventory tags must be returned to Shipping & Receiving when no longer needed. It must not be disposed of personally, even if broken. From there, equipment will be securely wiped clean and either repurposed at NCSA or sent to campus Surplus.

...

The University has three categories in our Data Classification Policy: High Risk, Confidential, and Public. Stakeholders must follow University policies regarding these classifications and must also inform the NCSA Security Office if they are in possession of any high risk data, as this will require a data management plan.

University data that lives exclusively on a staff member's laptop, workstation or other device must be backed up regularly or moved to a shared service that is backed up, like a wiki or file server. NCSA provides a backup service to all staff and will help to configure its use on their systems.

Only University-approved third-party cloud services are allowed for storing unencrypted high risk or confidential University data (this includes backups that may contain such data). If a service is not pre-approved (Box.com is an example of an approved service), data must be locally encrypted before being put on that third-party service. For example, syncing a password manager across an unapproved cloud service like Dropbox is allowed, provided that it is always stored encrypted with a password known only to the user of the password manager.

...

Exit Process

Departing NCSA occupants and employees meet with the NCSA building manager, who will collect any tagged equipment not transferred to another person as well as remove access to server rooms, which may house equipment with sensitive digital information.

NCSA accounts may or may not be deactivated, depending on the role the person maintains with the Center. However, if they are departing staff, they must be removed from all staff groups in NCSA authorization systems and from staff email lists. They will also be removed from any other NCSA email lists unless the list owner actively approves of their continued membership.

...

This policy is reviewed annually by the Security Office. Feedback is solicited from the Information Infrastructure Board for any recommended changes. New versions are approved by the NCSA Director's Office.

...