• Created by Unknown User (slagell), last modified on Sep 17, 2014

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 14 Next »

Document Name: NCSA Staff Security Policy
Version: 0.1
Accountable: Adam Slagell
Authors: Adam Slagell
Approved:   

Mission & Purpose

The National Center for Supercomputing Applications (NCSA) is an interdisciplinary hub at the University of Illinois at Urbana-Champaign, which serves the computational needs of the nation's scientists and engineers through the cyberinfrastructure (hardware, software, & services) they develop and support.

The NCSA Security Office supports the mission of the center by assuring the confidentiality, integrity and availability of the center's digital assets and resources and those of its partners. This is achieved through its monitoring, incident response, proactive security design, education, and awareness activities at the center and with its collaborators.

This policy document supports these missions by promoting sound practices for securing digital assets by educating users on their responsibilities and authorized procedures and processes at NCSA.

Scope

This policy is applicable to all University faculty & staff with appointments at NCSA, and compliments other NCSA and UIUC security policies (e.g. the NCSA Network Security Policy and UIUC Information Security Policy). Links to these and other security policies can be found in the reference section of this document.

This policy does not cover physical security. Physical security is the responsibility of the building managers for each building NCSA occupies. These persons are in the Admin Directorate, separate from the Security Office, and are responsible for implementing University policies regarding visitors, cameras, key and key card management, safety systems, etc. Where appropriate, they work with the Security Office to fulfill security requirements.

Responsibility

As security is a process, and not a technology, security is everyone's responsibility and requires cooperation, awareness and ownership by all parties. Therefore, not only does the Security Office hold responsibilities for protecting NCSA assets, but so do all staff.

Security Office Responsibilities

The Security Office is responsible for investigating and coordinating responses to security incidents as well as proactively monitoring NCSA networks and systems for indicators of compromise. Many of the services provided and maintained by the security team are for these purposes.

The Security Office provides assistance in the design and implementation of security architectures, assisting the resource providers at NCSA in developing systems that are hardened and more resilient to cyber attacks. This requires the security team to maintain leading edge skills in their domain and to translate that expertise to the other engineers and developers at NCSA.

The responsibility to uphold University and NCSA policies and agreements related to cyber security also falls on this office. They must therefore monitor and audit for compliance, and take actions (e.g., removing a system from the network or reporting incidents to NCSA leadership or Human Resources) to support NCSA's obligations.

The Security Office must also ensure that NCSA systems are not used in an attack against other institutions, and can remove systems from the network to protect others.

Finally, they hold responsibility for providing adequate training, awareness and guidance to NCSA staff, partners and customers.

NCSA Staff Responsibilities

Faculty & Staff have responsibility to follow the security policies and procedures of NCSA, UIUC and State of Illinois. That includes this policy, but also the applicable policies referenced at the end of this document. Staff associated with some projects and activities may also have additional responsibilities, for example, from non-disclosure agreements that put additional restrictions on data sharing via our contracts with vendors or industrial partners.

NCSA staff are expected to corporate with security, legal and regulatory investigations or audits. This includes being truthful, not spoofing another person's identity, and never falsifying or destroying evidence.

It is the responsibility of all staff to report security incidents or violations of these policies to the Security Office. Similarly, it is everyone's responsibility to promptly report a suspected compromise of their systems or credentials so that abuse can be prevented as early as possible.

Finally, NCSA staff must attend a security training or watch recorded materials within the first 90 days of employment, and again if the Security Office announces major updates to the training program. This is important not only to keep up-to-date with changing policies and procedures, but best practices and security threats change over time.

Policy

Privacy Expectations

The University and the NCSA respect the privacy of its staff and customers. However, staff and NCSA users must both be aware that there are systems in place that actively monitor for indicators of compromise and record logs that support the IT infrastructure at NCSA. For example, the NCSA monitors its networks in realtime for security and performance issues; shared systems record logs to a centralized log server; vulnerability scanners regularly scan systems and credentials for weaknesses; and High Performance Computers (HPCs) may record all interactions on the command line, though not without appropriate warning to users. These systems can therefore see all unencrypted traffic as well as laptop/workstation backups if encryption is not utilized.

In addition to this automated monitoring, manual investigations of security incidents or performance issues may require authorized staff to view traffic or files on NCSA networks and equipment.

Cameras record activity in public spaces for physical security in all buildings NCSA occupies for safety and security.

As State employees, staff need to be aware that anything they write using University systems, is potentially open to FOIA requests. This includes emails saved on University systems, printed records, and things written on wikis or other forums at the University. As such, it is recommended that staff have the following footer included on their University emails.

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 

The privacy of other staff must also be respected, and unauthorized snooping of traffic or communications of fellow staff is a serious offense that will be reported to HR. This includes unauthorized video and audio recording as well as network traffic recording or any means of superseding ones authorizations to look at digital files they should not access. Some types of unauthorized recording are a criminal offence in Illinois and could also be reported to the authorities.

  • Policy
    • privacy
      • Privacy of users/ customer data
      • Privacy of others & snooping
      • FOIA
      • Security team respects privacy
        • network monitoring
        • Cameras
        • investigations
        • vulnerability scanning, including passwords
    • Appropriate use of systems/accounts/services
      • authentication credentials
        • No sharing
        • no cleartext storage
        • no clear text email/xfer
      • hacking/exceeding authority
        • includes violating permissions & impersonating others
        • using to attack others
      • personal use and ethical consideration
        • University ethics office
        • not making money, inline with mission of the university
    • Service operation
      • BE aware of laws and privacy of users
      • follow network security policies
      • involve security in planning process
      • change control as appropriate
      • production servers belong in a RAF room, see network zone policy
    • Equipment registered to you
      • Follow best practices and maintain updates, follow university policies
      • screen locks on mobile devices, leaving office doors open
      • taking home
      • Done with it, broken or lost
        • surplus & wipe
        • xfer equipment
      • ethical use
      • Personal equipment implications
    • Information/Data
      • Follow university policy
        • includes printed materials and physical locks
      • Notify of high risk or confidential data
      • backup important
      • encryption on backup & mobile
      • approved third parties like box
    • employee exit
      • authorizations
      • keys
      • email lists
      • property return
  • Authority & Consequences
    • revoked accounts, privileges, taken off network, reported to HR
    • PA only has authority to speak with the public directly or the DO
  • Exceptions process
  • Review & update
  • References

 

  • No labels