NCCS and NAS Computing Resources Rules of Behavior
Section I: Introduction and Definitions
The Office of Management and Budget (OMB) Circular A-130, Appendix III,
Security of Federal Automated Information Resources, requires that
Rules of Behavior be established for individual users of each
interconnected set of "information technology" (IT) computing
resources under the same direct management control which share common
functionality.
This document outlines the Rules of Behavior for the use of the
computing resources maintained and operated by the NASA Center for
Computational Sciences (NCCS) at the NASA Goddard Space Flight Center
and NASA Advanced Supercomputing (NAS) at NASA Ames Research Center.
The purpose of this document is to increase awareness of security
issues and to ensure that all users use NCCS and NAS computing resources
in a secure, ethical, and lawful manner.
NCCS and NAS computing resources are U.S. Government resources and
are for authorized use only.
A user account is to be used only for the purpose for which it has
been authorized and is to be used only for NASA-related activities.
A user account is assigned to one individual user for use of
computing resources.
Use of a user account is permitted only by the user assigned the
user account.
Use of a user account by anyone other than the user assigned the
user account is considered unauthorized use and is not permitted.
Unauthorized use of a user account or of a computing resource
is a violation of Section 799, Title 18, of the U.S. Code, constitutes
theft, and is punishable by law.
Computing resources are subject to monitoring, keystroke
recording, and auditing.
Access to and use of computing resources constitutes implicit
consent to this monitoring, keystroke recording, and auditing.
Any non-compliance with the Rules of Behavior outlined in this
document will constitute a security violation, will be reported to the
user's management, to NCCS and NAS management, and will result in
short-term or permanent loss of access to computing resources.
Serious violations may also result in civil or criminal prosecution.
In the text of this document, the following definitions apply:
- Computing Resource refers to the disks, cartridges, tapes, computers,
  ancillary equipment, systems, networks, facilities, and any other
  information technology maintained and operated by the NCCS and NAS.
- Information refers to the datasets, scripts, programs, applications,
  utilities, files, directories, filesystems, databases, and any other
  data maintained in any medium on a computing resource.
- User refers to a person with non-privileged access to a computing
  resource.
  A user may use and access his or her own information and the
  information available to all users on the computing resource (e.g.
  commands like passwd, pwd, etc.), but the user is restricted from the
  use of and access to the privileged-level information on the
  computing resource.
  A user cannot alter or bypass the security controls on a computing
  resource.
- System Administrator refers to a person with either limited or
  unlimited privileged access to a computing resource.
  A system administrator is also a user and may, therefore, use and
  access his or her own information and the information available to all
  users on the computing resource, but a system
  administrator--unlike a user--may also use and access privileged-level
  information on all or part of the computing resource.
  A system administrator may alter or bypass some or all of the security
  controls on a computing resource.
- User Account refers to the unique character string used in a
  computing resource to identify a user (or system administrator).
  Also known variously as an account, a login, a loginid, a loginname,
  a memberid, a userid, a username, etc., a user account is used by a
  user (or system administrator) in conjunction with a password to gain
  access to a computing resource and to maintain the security of
  the user's (or the system administrator's) information on a
  computing resource.
- Non-NCCS/NAS Issuing Entity refers to an entity--other than NCCS or
  NAS--(e.g. CISTO, the Data Intensive Computer Environment (DICE)
  Program, etc.) through which the user has requested and been granted
  access to a computing resource.
Section II: Rules of Behavior for Users
The following rules apply to users with non-privileged access and to
system administrators with either limited or unlimited privileged
access:
- The user is responsible for using computing resources in a
  secure, ethical, and lawful manner.
- The user is responsible for protecting all information imported, used,
  or stored on his or her user account.
  (Contact your User Services Group or the Non-NCCS/NAS Issuing Entity
  as appropriate for information concerning the standard protection
  mechanisms on computing resources and for guidelines for protecting
  user accounts.)
- The user shall not import, use, or store any "classified" information
  on a computing resource.
  (NAS and NCCS computing resources are unclassified resources.
  Information is considered "classified" if it has been designated
  Confidential, Secret, or Top Secret in accordance with Executive
  Order 12958 and requires safeguarding in the interest of National
  Security.)
- The user shall not import, use, or store any Export Administration
  Regulations (EAR) information or International Traffic in Arms
  Regulations (ITAR) information on an NCCS computing resource.
  (NCCS computing resources are not authorized to be repositories of
  EAR or ITAR information.)
- The user shall not import, use, or store any security information
  (e.g. password cracking programs, etc.) on a computing resource
  that may be used to reveal security weaknesses of a computing
  resource.
- The user shall not import, use, or store any information (e.g.
  free software, etc.) on a computing resource that is free only
  for personal, not government, use.
  (Only information that is free, not only for personal use, but also
  for government use, can be imported, used, or stored on a
  computing resource and only as permitted by the NCCS and NAS.)
- The user shall not import, use, or store any fraudulent, harassing, or
  obscene information on a computing resource nor send to or from
  a computing resource such information.
- The user shall not divulge access information (e.g. login procedures,
  lists of user accounts, etc.) for a computing resource to any non-user,
  except as permitted by the NCCS and NAS.
- The user shall not make unauthorized copies of the configuration
  information (e.g. the /etc/passwd file, etc.) on a computing resource,
  for unauthorized personal use nor divulge this information to a
  non-user, except as permitted by the NCCS and NAS.
- The user shall not make unauthorized copies of copyrighted information
  (e.g. copyrighted software, etc.), except as permitted by law or by
  the owner of the copyright.
- The user shall not attempt to access information contained on
  computing resources for which the user does not have explicit consent
  of the owner of the information.
- The user shall select and activate his or her own password(s), after
  being issued an initial temporary password.
  The user shall use a unique password on each computing resource
  (or each single sign-on environment for a set of computing resources),
  subject to the password restrictions of the computing resource
  (or the single sign-on environment for a set of computing resources).
  The user shall change his or her password(s) at least once in the
  ninety-day period during which a password is valid.
  The user is responsible for safeguarding his or her password(s) from
  any form of disclosure.
  The user shall not share his or her user account or the password(s) to
  this user account with anyone.
  (A non-user in need of a user account should contact their User
  Services Group for information concerning and assistance requesting a
  user account.)
- If the user has any difficulties using his or her user account or the
  password(s) to this user account, the user shall notify their User
  Services Group or the Non-NCCS/NAS Issuing Entity as appropriate.
- The user is responsible for all actions performed on his or her user
  account while this user account is logged in to a computing
  resource and for any actions subsequent to the running of cron or
  batch jobs on the computing resource while this user account is
  logged out.
  The user shall not allow access to his or her user account by others
  once he or she has logged in to a computing resource.
  The user shall not leave an open login session unattended.
  The user shall either log out of the computing resource or use a
  password-enabled screen saver to protect his or her user account from
  unauthorized use.
- The user shall not purposely engage in activities to harass another
  user, to deprive another user access to a computing resource to
  which that user has been authorized, to gain access to a
  computing resource to which he or she has not been authorized, to
  degrade the performance of a computing resource, or to
  circumvent the security measures on a computing resource.
- In order for the NCCS and NAS to maintain accurate user information for
  users, as required by NASA Procedural Requirements (NPR) 2810.1A,
  Security of Information Technology, the user is responsible for
  notifying both the NCCS or NAS User Services Group and any
  Non-NCCS/NAS Issuing Entity of any changes in his or her
  employer, office address, office telephone number, e-mail address,
  citizenship information, or any other information required by the
  NCCS and NAS.
- An Authentication Key Token (AKT) is an electronic security device
  (e.g. an RSA SecurID, a CryptoCard, etc.) used in conjunction with a
  user account and password to maintain the security of a computing
  resource.
  If an AKT is issued for use with the user's user account,
  the following rules also apply to the user:
  - The AKT issued to the user remains the property of the U.S.
    Government.
  - The user is responsible for protecting the AKT from physical damage.
  - The user shall not share the AKT with anyone.
  - If the AKT is lost or stolen, or if the user has any difficulties
    using the AKT, the user shall notify their User Services Group
    immediately.
  - The user shall return the AKT to their User Services Group either
    in person--if possible--or via the U.S. Postal
    Service--if necessary--when any of the following circumstances occur:
    - if the user no longer requires his or her user account,
    - when the AKT reaches its expiration date, or
    - if requested by a bona fide representative of their User Services
      Group to return the AKT.
  If an AKT is issued by a Non-NCCS/NAS Issuing Entity for use with the
  user's user account, the user shall adhere to the published standards
  of practice for the Non-NCCS/NAS Issuing Entity for the AKT.
- If the user discovers a weakness in the security of a computing
  resource, an incident of possible unauthorized use of a computing
  resource, or a violation of the Rules of Behavior as set forth in this
  document, or if the user believes that his or her user account is
  involved in a security incident, the user shall notify their User
  Services Group immediately, but only in person, by telephone, or by
  encrypted e-mail.
  (The user should resort to unencrypted e-mail only in a dire emergency.)
- If the user no longer requires his or her user account, the user
  is responsible for notifying both their User Services Group and any
  Non-NCCS/NAS Issuing Entity and for ensuring that all of his or her
  information is removed from computing resources or properly
  transferred to another user account.
Section III: Rules of Behavior for System Administrators
In addition to the rules for users outlined in Section II above, the
following rules apply to system administrators with either limited or
unlimited privileged access:
- The system administrator shall read, understand, and enforce the
  NCCS Security Controls.
- The system administrator shall ensure that the privacy information,
  also known as "information in identifiable form" (IIF), stored on
  computing resources is protected from disclosure and managed according
  to NASA, GSFC, NCCS, ARC, and NAS policy.
  The system administrator shall adhere to the IIF processes for
  responding to a user's complaint(s) with reference to his or her
  information and for notifying a user when changes occur in how his or
  her information is collected, stored, used, or managed and whether
  this information has been disclosed and to whom.
  (Reference control: NCCS Security Controls, 12.0 Security Planning,
  PL-5 Privacy Impact Assessment.)
- As required by NPR 1600.1, NASA Security Program Procedural
  Requirements, Section 5.24 and NPR 2810.1A, Security of Information
  Technology, Section 11.3.14.9, the system administrator shall restrict
  and protect the distribution of "sensitive but unclassified" (SBU)
  information and ensure that SBU information is encrypted when
  transmitted outside the security perimeter.
  (Examples of SBU information include
  - NASA IT internal systems information revealing the infrastructure
    used for servers, desktops, and networks,
  - application name, version, and release information,
  - switching, router, and gateway information,
  - interconnections and access methods,
  - systems inventories and enterprise architecture models,
  - systems security information revealing the security posture of
    systems (e.g. threat assessments, system security plans, contingency
    plans, risk management plans, Business Impact Analysis studies, and
    Certification and Accreditation documentation, etc.), and
  - reviews or reports illustrating or disclosing infrastructure or
    security vulnerabilities.
  For additional details consult NPR 1600.1, Section 5.24.)
- The system administrator shall adhere to the Rules of Behavior as
  outlined in Section II above; however, the system administrator may be
  exempt from certain of these rules, due to the nature of his or her
  assigned tasks, but only as permitted by the NCCS and NAS.
  When a conflict appears to exist between a rule and the system
  administrator's ability to perform an assigned task, the system
  administrator shall consult with the DPI-CSO in order to determine a
  resolution of the conflict.
Section IV: NCCS and NAS User Services Group Contact Information
Users can contact the NCCS User Services Group by telephone at
301-286-9120 or by e-mail at support@nccs.nasa.gov.
Users can contact the NAS User Services Group by telephone at
650-604-4444 or by e-mail at support@nas.nasa.gov.
Last Modified: Monday, 03-Dec-2007 13:08:59 EST
Reason for Modification: Re-organization and separation of rules into sections.