...

The NCSA Security Office supports the mission of the Center by assuring the confidentiality, integrity and availability of the Center's digital assets and resources and those of its partners. This is achieved through monitoring, incident response, proactive security design, education, and awareness activities at the Center and with its collaborators.

...

This policy is applicable to all University faculty, staff & students with any appointment at NCSA, sponsored guests and vendors allocated physical space in an NCSA building, and any person responsible for resources hosted on NCSA networks (referred to hereafter as "stakeholders"). It complements other NCSA and UIUC security policies (e.g. the NCSA Network Security Policy and UIUC Information Security Policy). Links to these and other security policies can be found in the reference section of this document.

...

The responsibility to uphold University and NCSA policies and agreements related to cyber security also falls on this office. They must therefore monitor and audit for compliance, and take actions (e.g., removing a system from the network or reporting violations to Human Resources and appropriate management) to support NCSA's obligations.

...

Finally, they hold responsibility for providing adequate training, awareness and guidance to NCSA staff, partners and customers.

...

Stakeholder Responsibilities

Persons in NCSA buildings and on NCSA networks (hereafter referred to as "stakeholders", i.e. NCSA stakeholders) have a responsibility to follow the security policies and procedures of NCSA, UIUC and the state of Illinois. That includes this policy, but also the applicable policies referenced at the end of this document. Persons associated with some projects and activities may also have additional responsibilities, for example, from non-disclosure agreements that put additional restrictions on data sharing via our contracts with vendors or industrial partners. This list may not be exhaustive, as special agreements with vendors or project-specific policies can have security implications as well.

Stakeholders are expected to cooperate with security, legal and regulatory investigations or audits. This includes being truthful, not impersonating another person's identity, and never falsifying or destroying evidence.

It is the responsibility of all NCSA stakeholders to report security incidents or violations of these policies to the Security Office. Similarly, it is everyone's responsibility to promptly report a suspected compromise of their systems or credentials (e.g., passwords, security tokens, SSH keys, and digital certificates) so that abuse can be prevented as early as possible.

...

The University and the NCSA respect the privacy of their staff and customers. However, both must be aware that there are systems in place that actively monitor for indicators of compromise and record logs to support the IT infrastructure at NCSA. For example, NCSA monitors its networks in real time for security and performance issues; shared systems record logs to a centralized log server; vulnerability scanners regularly scan systems and credentials for weaknesses; High Performance Computers (HPCs) may record all interactions on the command line, though not without appropriate warning to users; and security systems continuously monitor user interactions on shared systems looking for indicators of compromise, such as execution of certain command sequences. These systems can therefore see all unencrypted traffic as well as laptop/workstation backups if encryption is not utilized.

...

As a state institution, stakeholders need to be aware that anything they do using University systems is potentially open to FOIA requests. This includes emails saved on University systems, printed records, and things written on wikis or other forums at the University. As such, the University recommends that all employees have the following footer included on their University emails.

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 

The privacy of others must also be respected, and unauthorized snooping of traffic or communications is a serious offense that will be reported to HR or a guest's sponsor. This includes unauthorized video and audio recording as well as network traffic recording or any means of superseding one's authorizations to look at digital files they should not access. Some types of unauthorized recording are a criminal offense in Illinois and could also be reported to the authorities.

Only the NCSA Public Affairs department or Director's Office has the authority to speak to the public about an ongoing security investigation. While the Security Office may share information with trusted partners or law enforcement to resolve an incident, they do not speak to the public about an ongoing incident. And even after the incident, they only do so while respecting the anonymity of individuals.

...

Stakeholders are expected to obey all relevant laws and regulations regarding computer "hacking", attacking, fraud, etc. Users of NCSA resources, including stakeholders, also agree not to attack NCSA systems or exceed their authority on them. This includes violating file permissions, impersonating others, stealing/cracking other users' credentials, and using NCSA systems as part of an attack on other computers or electronic equipment. Attacks in this context do not include authorized cracking as part of normal research and development, but rather malicious or unauthorized activities.

While the University respects academic freedom and has a broad mission, stakeholders need to carefully consider personal use of University-owned systems or networks. For example, profiting or politicking with University equipment violates State law. Other activities may be legal but against the mission of the University. People are advised to contact the Ethics Office with specific questions about personal use of University equipment.

...