
Document Name: NCSA Staff Security Policy
Version: 0.1
Accountable: Adam Slagell
Authors: Adam Slagell
Approved:   

Mission & Purpose

The National Center for Supercomputing Applications (NCSA) is an interdisciplinary hub at the University of Illinois at Urbana-Champaign, which serves the computational needs of the nation's scientists and engineers through the cyberinfrastructure (hardware, software, & services) they develop and support.

The NCSA Security Office supports the mission of the center by assuring the confidentiality, integrity and availability of the center's digital assets and resources and those of its partners. This is achieved through its monitoring, incident response, proactive security design, education, and awareness activities at the center and with its collaborators.

This policy document supports these missions by promoting sound practices for securing digital assets by educating users on their responsibilities and authorized procedures and processes at NCSA.

Scope

This policy is applicable to all University faculty & staff with appointments at NCSA, and complements other NCSA and UIUC security policies (e.g., the NCSA Network Security Policy and the UIUC Information Security Policy). Links to these and other security policies can be found in the References section of this document.

This policy does not cover physical security. Physical security is the responsibility of the building managers for each building NCSA occupies. These persons are in the Admin Directorate, separate from the Security Office, and are responsible for implementing University policies regarding visitors, cameras, key and key card management, safety systems, etc. Where appropriate, they work with the Security Office to fulfill security requirements.

Responsibility

As security is a process, and not a technology, security is everyone's responsibility and requires cooperation, awareness and ownership by all parties. Therefore, not only does the Security Office hold responsibilities for protecting NCSA assets, but so do all staff.

Security Office Responsibilities

The Security Office is responsible for investigating and coordinating responses to security incidents as well as proactively monitoring NCSA networks and systems for indicators of compromise. Many of the services provided and maintained by the security team are for these purposes.

The Security Office provides assistance in the design and implementation of security architectures, assisting the resource providers at NCSA in developing systems that are hardened and more resilient to cyber attacks. This requires the security team to maintain leading edge skills in their domain and to translate that expertise to the other engineers and developers at NCSA.

The responsibility to uphold University and NCSA policies and agreements related to cyber security also falls on this office. They must therefore monitor and audit for compliance, and take actions (e.g., removing a system from the network or reporting incidents to NCSA leadership or Human Resources) to support NCSA's obligations.

The Security Office must also ensure that NCSA systems are not used in an attack against other institutions, and can remove systems from the network to protect others.

Finally, they hold responsibility for providing adequate training, awareness and guidance to NCSA staff, partners and customers.

NCSA Staff Responsibilities

Faculty & Staff are responsible for following the security policies and procedures of NCSA, UIUC and the State of Illinois. That includes this policy, but also the applicable policies referenced at the end of this document. Staff associated with some projects and activities may also have additional responsibilities, for example, from non-disclosure agreements in our contracts with vendors or industrial partners that put additional restrictions on data sharing.

NCSA staff are expected to cooperate with security, legal and regulatory investigations or audits. This includes being truthful, not spoofing another person's identity, and never falsifying or destroying evidence.

It is the responsibility of all staff to report security incidents or violations of these policies to the Security Office. Similarly, it is everyone's responsibility to promptly report a suspected compromise of their systems or credentials so that abuse can be prevented as early as possible.

Finally, NCSA staff must attend a security training or watch the recorded materials within the first 90 days of employment, and again whenever the Security Office announces major updates to the training program. This is important not only to keep up to date with changing policies and procedures, but also because best practices and security threats change over time.

Policy

Privacy Expectations

The University and the NCSA respect the privacy of its staff and customers. However, staff and NCSA users must both be aware that there are systems in place that actively monitor for indicators of compromise and record logs that support the IT infrastructure at NCSA. For example, the NCSA monitors its networks in real time for security and performance issues; shared systems record logs to a centralized log server; vulnerability scanners regularly scan systems and credentials for weaknesses; and High Performance Computers (HPCs) may record all interactions on the command line, though not without appropriate warning to users. These systems can therefore see all unencrypted traffic, as well as the contents of laptop/workstation backups if encryption is not used.

In addition to this automated monitoring, manual investigations of security incidents or performance issues may require authorized staff to view traffic or files on NCSA networks and equipment.

Cameras record activity in public spaces in all buildings NCSA occupies, for safety and physical security.

As State employees, staff need to be aware that anything they write using University systems is potentially open to FOIA requests. This includes emails saved on University systems, printed records, and things written on wikis or other forums at the University. As such, it is recommended that staff include the following footer in their University emails.

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 

The privacy of other staff must also be respected; unauthorized snooping on the traffic or communications of fellow staff is a serious offense that will be reported to HR. This includes unauthorized video and audio recording, network traffic recording, and any means of exceeding one's authorizations to look at digital files one should not access. Some types of unauthorized recording are a criminal offense in Illinois and could also be reported to the authorities.

Appropriate use of University Systems & Services

Staff are in a position of trust when given authentication credentials such as passwords, keys or tokens. Accounts given to staff are for their use only and cannot be shared to give another party access to NCSA systems or resources. Furthermore, per University policy, passwords are confidential information and therefore cannot be stored or transmitted unencrypted. For example, NCSA passwords cannot be emailed or posted on a web site or wiki.

Staff are expected to obey all relevant laws and regulations regarding computer hacking, attacking, fraud, etc. Staff and users of NCSA systems also agree not to "hack" NCSA systems or exceed their authority on them. This includes violating file permissions, impersonating others, stealing/cracking other users' credentials, and using NCSA systems as part of an attack on other computers or electronic equipment. Attacks in this context do not include authorized cracking as part of normal research and development, but rather malicious or unauthorized activities.

While the University respects academic freedom and has a broad mission, staff need to carefully consider any personal use of University owned systems or networks. For example, profiting or politicking with University equipment violates State law. Other activities may be legal but against the mission of the University. Staff are advised to contact the Ethics Office with specific questions about personal use of University equipment.

Operating Servers at NCSA

Production services are primarily run out of one of three directorates at NCSA: Advanced Digital Services (ADS), Information Technology Services (ITS), or Cybersecurity. These groups meet regularly, and their leaders form the NCSA IT Operations Board, which works together to provide the best services possible for our staff, users and partners. However, there are many R&D projects that run their own services less formally. These PIs and project managers still have obligations and need to be aware of the NCSA/UIUC policies and procedures that affect operators of any service.

Raised access floor (RAF) space is provided for servers at NCSA. Based on the needs of the project and costs, servers could be placed in either the main data center at NPCF or one of the smaller RAF spaces in the NCSA building. The IT Operations Board works with PIs to find the appropriate space.

Running any service requires knowledge of and compliance with the NCSA Network Security Policy, which defines security requirements based on the network zone in which the service is hosted.

Just as services provided by ADS, ITS, and Cybersecurity must respect the privacy of users, so too must anyone running production services at NCSA respect user privacy, maintain transparency, and follow applicable laws. Failure to do this endangers NCSA's reputation and standing, and could result in a system or service being taken offline.

Finally, the Security Office must be involved early when developing proposals that will place new infrastructure at NCSA, because special requirements could require extra planning by security staff or even incur extra costs that must be accounted for in the proposal. For example, hosting personal health information could require clearance with the University or special environments to be set up, and bringing in new WAN links could incur extra costs or planning for monitoring NCSA networks.


  • Policy
    • Equipment registered to you
      • Follow best practices and maintain updates, follow university policies
      • screen locks on mobile devices, leaving office doors open
      • taking home
      • Done with it, broken or lost
        • surplus & wipe
        • xfer equipment
      • ethical use
      • Personal equipment implications
    • Information/Data
      • Follow university policy
        • includes printed materials and physical locks
      • Notify of high risk or confidential data
      • backup important
      • encryption on backup & mobile
      • approved third parties like box
    • employee exit
      • authorizations
      • keys
      • email lists
      • property return
  • Authority & Consequences
    • revoked accounts, privileges, taken off network, reported to HR
    • PA only has authority to speak with the public directly or the DO
  • Exceptions process
  • Review & update
  • References
