§9.02
Operational Procedures for Computing and Communications
Responsible Manager
Rev. 09/07
Laboratory voice telephone, cellular telephone, data-switching,
networking, and teleconferencing systems (except for public address and radio
communications systems; see Paragraphs (8) and (11),
below) are managed by the Networking Telecommunications
Department (NTD) of the Information Technology (IT) Division. Laboratory
communications systems include the Integrated Communications System (ICS),
which is based on a large distributed voice/data digital switching system
and LBLnet, a
Laboratory-wide high-speed local area network. These systems also include
extensive underground and intrabuilding copper-wire and optical-fiber cable
plants and microwave links. Inquiries or suggestions concerning the operation
or development of Laboratory communications and networking resources should
be directed to NTD.
All requests for communications and networking resources, services, or expenditures
must be processed through the appropriate NTD office, as described below.
Procedures governing communications, networking systems, and computing may
be found on the Berkeley Lab IT Policy Web
site.
- Requesting Services. The Telephone Services Office of NTD handles
requests for all types of ICS services, including information about voice
and cellular telephone services. To ensure compliance with DOE and Laboratory
policies, voice services or equipment may be ordered only through the Telephone
Services Office. Unauthorized equipment may not be attached to the ICS system
or its related equipment. Violations causing damage may result in the cost
of repair being charged to the responsible party.
- Repairs. Requests for ICS repairs should be made to the
Telephone Service Center. See Telephone & Data Switching Repair in the Organizations
and Services section of the Berkeley Lab Telephone Directory (or in Directory
Services on the Web) for the appropriate extension.
- Planning New or Changed Services. Planning for and design of new
or modified ICS services are accomplished through the Telephone Services Office
to ensure compatibility with existing systems and the most cost-effective
use of Laboratory funds. See Telephone Services Office in the Organizations
and Services section of the Telephone Directory (Directory Services on the Web) for the appropriate
extension.
- Long-Distance Services. It is the Laboratory's policy to use the
least-cost routing for long-distance calling. ICS automatically selects the
least-cost facility for long-distance service.
- Personal Calls. Laboratory
desktop and cellular telephones are for official business, and the Laboratory
pays for each official call. Use of Laboratory telephones for brief personal
calls is permitted when required by changes in work plans, emergencies, or
coordination of work activities with family members or others who can be reached
only during working hours. These calls are also treated as official calls
and are paid for by the Laboratory.
- Desktop Telephones. If an employee finds it necessary to use
a Laboratory desktop telephone for a personal call not treated as an official
call (see above), the employee is responsible for the cost of the call.
Pay telephones are located throughout the Laboratory for the convenience
of employees. See the General Information/Pay Telephone Locations on the
Telephone Services Center Web site
for specific locations.
Laboratory telephone use is subject to audit by random sampling. Employees
may be required to validate an itemized telephone bill and reimburse the
Laboratory for personal calls not treated as official calls.
- Cellular Personal Calls. Laboratory cellular telephones are intended
for official business use. Issuance of a cellular phone must be approved
by the employee's division management.
Employees must acknowledge receipt of the cellular
procedures governing the use of Laboratory cell phones by returning
a signed copy to Telephone Services MS 50E0101 prior to receiving a
Laboratory cell phone.
If an employee does not adhere to the cellular procedures, his/her
Laboratory cell phone may be disconnected, and further disciplinary
action may be taken.
- Personal Usage Criteria. Personal usage must also satisfy the
following criteria:
- It does not impact or interfere with the employee's legitimate job
performance.
- It does not impact or interfere with the work of any other employee
or the correct functioning of any Berkeley Lab information service.
- It does not support running a business or paid consulting.
- It does not involve illegal activities or violate Berkeley Lab policy.
- It does not involve any activity that could potentially embarrass
Berkeley Lab, DOE, or UC, or result in a loss of public trust.
- Credit Cards. The Telephone Services Office handles all requests for telephone
credit cards (also known as calling cards). See Telephone Services Office
in the Organizations and Services section of the Telephone Directory (or Telephone
Services in Directory Services on the Web) for the appropriate extension.
Requests for credit cards must have the approval of the requester's division
director or division administrator.
- Laboratory Telephone Directory, Operator Information, and Other Telephone
Directories. The Telephone Services Office maintains the word-processing
and database systems used to publish the Telephone Directory. The information
in these systems is also used to provide operator information services. Electronic
versions of the directory are available through the World Wide Web and other
servers. All requests for changes to published information or inquiries about
electronic access to personnel data should be directed to the Telephone Services
Office. See Telephone Services Office in the Organizations and Services section
of the Telephone Directory (or Telephone
Services in Directory Services on the Web) for the appropriate extension.
- Requesting Services. The Telephone Services Office of NTD handles
requests for all types of ICS switched-data services. These services primarily
provide asynchronous switched connections between terminals, personal computers,
Laboratory computer systems, and incoming or outgoing connections over external
communications networks.
Unauthorized equipment may not be attached to the ICS or its related equipment.
Connection of RS-232 asynchronous devices to ICS data sets may be done by
users as long as the equipment is authorized. If in doubt, check with the
Data Communications Support Group. See Communications & Networking Facilities
in the Organizations and Services section of the Telephone Directory (or
in Directory
Services on the Web) for the appropriate extension. Violations causing
damage may result in the cost of repair being charged to the responsible
party.
- Repairs. Requests for ICS repairs should be made to the
Telephone & Data Switching Repair Telephone Service Center. See Telephone
& Data Switching Repair in the Organizations and Services section of the
Telephone Directory (or in Directory
Services on the Web) for the appropriate extension.
- Technical Questions and Planning. Users needing to discuss technical
issues or plan significant data-switching applications should contact the
Communications and Networking Facilities office of NTD. See Communications
& Networking Facilities in the Organizations and Services section of the
Telephone Directory (or in Directory
Services on the Web) for the appropriate extension.
- Requesting Services, Technical Questions, and Planning. LBLnet is
a Laboratory-wide high-speed local area network managed by the Networking
and Telecommunications Department of the IT Division.
LBLnet also provides Wireless LAN (WLAN) installation and coordination services
to the Laboratory as part of its standard networking technology and
service offerings. To ensure interoperability and appropriate cyber security
and to prevent radio frequency interference, only NTD will provide WLAN
services that are integrated with LBLnet. NTD authority for WLAN services
extends to remote Berkeley Lab sites, and all deployment of WLAN must follow
the Berkeley Lab policy for Radio Frequency Management specified in RPM
§9.02(A)(13) (Radio Emissions Standards and Spectrum Management).
Requests for services, information, planning of new installations, or changes
to existing installations should be directed to the LBLnet office. See LBLnet
in the Organizations and Services section of the Telephone Directory (or
in Directory
Services on the Web) for the appropriate extension.
When scheduling LBLnet changes or new installations in conjunction with
ICS telephone and/or data-switching work, the Telephone Services Office
will also accept requests for LBLnet work and ensure that the appropriate
LBLnet effort is scheduled.
- Repairs. Requests for repairs to LBLnet, including AppleTalk networks,
should be made through the LBLnet Operations Office. See LBLnet in the Organizations
and Services section of the Telephone Directory (or in Directory
Services on the Web) for the appropriate extension.
All interactions concerning planning for the use of, or information about,
these resources should be directed to the Communications and Networking Facilities
Office of NTD. See Communications & Networking Facilities in the Organizations
and Services section of the Telephone Directory (or in Directory
Services on the Web) for the appropriate extension.
ICS wall receptacles include a separate keyed receptacle that can be used
to support a wide range of communications services over twisted-pair copper
wire between any two points in the Laboratory. Twisted-pair copper-wire and
optical-fiber facilities with customized terminations can also be provided.
Off-site dedicated twisted-pair wire facilities requiring Pacific Bell or other
supplier services must be ordered through the Communications and Networking
Facilities Office.
- Off-site Western Union telegram services are available for Laboratory
employees. The toll-free Western Union number appears under Wire Services
in the Telephone Directory. Telegrams should not be sent by Western Union
unless Laboratory electronic mail facilities are unavailable.
- Facsimile (fax) machines for general use are listed below. Outgoing
and incoming fax messages can be directed to compatible systems via these
machines:
- Telephone Services Office (Building 50B)
- Copy Center (Building 50)
- Copy Center (Building 90)
Detailed instructions for sending and receiving fax messages appear in
the Telephone Directory (Directory Services on the Web). Questions may
be directed to the Telephone Services Office.
Detailed instructions for using the Laboratory electronic mail facilities
(the Laboratory Electronic Post Office) appear in the Telephone Directory (or
visit the E-mail support
site on the Web).
The Laboratory public address system is designed to give broad coverage in
most buildings and general work areas to provide general announcements to
Laboratory personnel. It may be used to transmit information during emergencies,
but it is not considered an emergency communications system.
Modifications
and maintenance of the public address system are under the exclusive control of
the Engineering Division Communications Engineering staff. See
Communications Engineering in the Organizations and Services section
of the Telephone Directory (Directory Services on the Web) for the appropriate extension.
Communications Engineering must be notified in advance if any changes in the
public address system are required.
The public address system is tested on
the second Wednesday of each month at 2 p.m. The test consists of alert tones
(two beeps in quick succession) followed by a voice announcement. To ensure
complete coverage, employees should notify Communications Engineering or their
building managers if the test announcement is weak or unintelligible.
Announcements are normally made by the Fire Department dispatcher or the
telephone operators. Use of the public address system is reserved at all times
for emergencies and health and safety matters. See Integrated
Communications System Office in the Organizations and Services section of
the Telephone
Directory (Directory Services on the Web) for the appropriate extension.
Requests for installation of interoffice communication, paging, or
audio-communication systems that are not part of the Integrated Communications
System (ICS) require authorization through the Engineering Division
Communications Engineering Group. See Communications Engineering in
the Organizations and Services section of the Telephone Directory (Directory Services on the Web) for the appropriate extension. This group
has the responsibility for engineering design, installation, and maintenance of
the speakers and related equipment.
The Engineering Division Communications Engineering Group is responsible for
the engineering, installation, maintenance, and adjustment of Laboratory radio
communications systems such as portable, mobile, base, and microwave radios. All
requests for such equipment require authorization by this group. See
Communications Engineering in the Organizations and Services section
of the Telephone Directory (Directory Services on the Web) for the appropriate extension.
Each request should include a description of the intended use and the need for
the equipment or system desired. Purchased equipment is Laboratory property and
should be returned to the Engineering Division when the authorized use or
function is completed.
12. Radio Paging Systems
Requests for internal Laboratory-provided and Laboratory-maintained radio
pagers should be made through the Engineering Division, Communications Engineering
Group. This group is responsible for the engineering design and maintenance
of Laboratory radio paging systems. Requests for external vendor-provided radio
pagers should be made through the Telephone Services Office.
The Engineering Division Communications Engineering Group is responsible for
the Laboratory's spectrum management and radio emissions. All equipment that
generates or uses radio frequencies must be certified by this group for initial
installation and after any changes or modifications.
All requests for card access, property protection, area surveillance, and
personal assistance alarm devices must be made through the Property Protection
& Life Safety (PPLS) group for approval by the Security Manager. PPLS will coordinate
engineering design and installation with the Facilities Division. For security
points of contact, see http://www.lbl.gov/ehs/security/xl_contacts/index.html.
The Facilities Division is responsible for the engineering design, installation,
and maintenance of security systems. Security maintenance issues should be directed
to the Work Request Center.
The Engineering Division Communications Engineering Group has services
available for the design and installation of video, fiber-optic, and other signal
systems.
16. Video Teleconferencing
The Information Technology Division has responsibility for
Laboratory video teleconferencing systems. Current conference rooms include
50B-4205 and 50F. Point-to-point and multiple-site direct-dialed conferences
are possible in Standards Mode and in both VTEL and CLI proprietary modes.
For more information, see Berkeley Lab Communications and Networking Resources.
A dedicated full-motion microwave radio video to SLAC is located in Building
71-263.
For information or technical support, contact the Video Data Communications
group. This group also handles scheduling for the Video Teleconferencing Room.
See Video Conferencing in the Organizations and Services section of the Telephone
Directory (or in Directory
Services on the Web) for the appropriate extension.
17. Remote Access Services
The Information Technology Division is responsible for Laboratory
managed and funded remote access services, including reimbursed services. The
Networking and Telecommunications Department (NTD) is the Responsible Office
for establishing procedures and guidelines for the provision or reimbursement
of remote access services, including dialup, DSL, cable, satellite, cellular
packet switched, and other data services. The Computer Protection Program
is the Responsible Office for establishing baseline security configurations
and security policies governing all Laboratory managed and funded remote access
services. Available remote access services and procedures may be found on
the
NTD Web site.
As a scientific institution, the Laboratory has a responsibility to enhance
the ability of its staff to communicate with colleagues around the world. This
communication includes correspondence, raw data, preliminary drafts of technical
papers, and finished publications. At the same time, as a primarily federally
funded institution, the Laboratory has a responsibility to ensure that federal
laws and DOE directives regarding authorized access and the protection of information
are observed. This operational guideline is concerned primarily with the first
of these responsibilities and with questions of access. The protection of information
is addressed in Paragraph (D), below.
This guideline is intended to provide a graded approach
to electronic access, recognizing that the mechanisms used for granting or
restricting access should be appropriate for the breadth of access desired, the
sensitivity of the information involved, and the protection mechanisms in use on
the systems employed.
All users of electronic media should remember that once
information has been committed to the network, the originator loses all control
over how it is used, how it is modified, to whom it is distributed, or to whom it
is attributed.
- Whenever appropriate, it should be possible to provide broad access
in a convenient fashion to information held at the Laboratory.
- Proprietary, regulatory, and licensing constraints should be observed
at all times.
- Information should not be made generally available before it is ready
for publication. This restriction does not imply that incomplete data or unfinished
documents may not be shared over the network within the workgroup, but only
that such information should have appropriate access controls.
- Responsibility for propriety, access, protection, and usage rests
with the owner of the data, files, systems, or user identification involved.
- The provision of electronic access to information held at Berkeley
Lab is a form of publication by the Laboratory, and thus such information
is subject to Laboratory publication policies. Any material that is to be
made available to the general public should be reviewed by a qualified reviewer
before its access restrictions are lifted. Division administrators maintain
lists of qualified reviewers for their divisions.
- It is impossible to ensure that the recipient will treat information
transmitted or posted on electronic media in a manner consistent with the
degree of informality intended by the originator.
- Electronic correspondence originating at the Laboratory should be
composed with the same care as is afforded to traditional correspondence transmitted
on Laboratory letterhead.
- All electronic correspondence should be considered to be more permanent
than its obvious conventional (telephone or paper) analogue.
- Electronic correspondence that identifies the author as a Laboratory
staff member is often interpreted by some recipients as containing official
Laboratory positions. There is no guarantee that any disclaimer inserted or
appended by the originator will remain associated with the correspondence
when it is forwarded or transcribed.
- Laboratory employees are prohibited by the
DOE/LBNL Contract between the University and DOE from engaging in activities
that are considered to be lobbying. Lobbying includes attempts to influence
the introduction, enactment, or modification of state or federal legislation.
If you have questions about a specific activity or need a complete definition,
see your division director or division administrator. For more details, see
RPM §2.23(H) (Contacts with State and Federal
Officials).
This guideline covers the kinds of electronic access listed in RPM
Table 9.02(B) (Access Categories). The categories of access are listed
in rough order of increasing risk of damage resulting from improprieties or
inadequate access control.
Table 9.02(B)
Access Categories

| | Information content | Breadth of access |
|---|---|---|
| 1. | Read-only access to fully formatted publications that have been adequately reviewed in accordance with Laboratory publication policy. RPM §5.02 (Scientific and Technical Publications). | Unrestricted world access. |
| 2. | Read-only access to raw data files or to draft material intended for publication. | Group only (includes collaborators). |
| 3. | Correspondence. | Content-dependent. |
| 4. | Read-only access to proprietary data. | Need to know. |
| 5. | Read/write access to raw data files or draft material intended for publication. | Owner/designee only. |
| 6. | Read/write access to final-form publications. | Author/designee or technical editor only. |
| 7. | Read/write access to files containing proprietary data. | Owner/designee only. |

Electronic access controls can be exercised at site, system, user, individual
data set, or file level. Because of its nature as a scientific institution,
the Laboratory places no generic restrictions on access at the site level. Provisions
exist to deny access to the Laboratory from sites that tolerate computer network
security abuses or to deny on-site access to Laboratory personnel who violate
Laboratory computer and network security and propriety policies. It is not expected,
however, that it will be necessary to make extensive use of these policies.
With respect to access control at the system, user, or file levels, controls
may be applied at any or all levels. For most Laboratory information, access
protection at any one level should be sufficient. Thus, except in unusually
sensitive cases, either of the following modes should suffice:
- Public-access system: password-protected or encrypted file
- Controlled-access system: world-readable file
In other words, sufficient access control can be obtained by limiting access
to the system, the file, or both. Further protection can be provided by limiting
the ability of individual users to access specific files, directories, or system
commands, and by encrypting particularly sensitive files.
Laboratory information can be promulgated electronically through four general mechanisms: correspondence, file transfer, voice and video,
or facsimile. In each case, certain proprieties, procedures, and precautions
should be observed:
- Correspondence (including e-mail, bulletin boards, Usenet News,
List Servs, conferencing systems, and the like). The Laboratory correspondent
is responsible for limiting his or her participation to topics within the
scope of the Laboratory mission and for avoiding comments that could be construed
as lobbying or attempting to influence legislation. In some situations it
may be necessary to insist that one is acting as an individual expert, but
it cannot be ensured that the recipients will differentiate between an individual
position and an official Laboratory position. For further information, see
RPM §2.23(H) (Contacts with State
and Federal Officials).
- File Transfer (whether provided through individual user accounts
or through file or data servers, including public access servers). The person
posting the file is responsible for ensuring that everyone who has write access
to the file is in fact authorized to make changes in the file, and that everyone
who has read access to the file is in fact authorized to have access to the
information. These conditions are particularly true of proprietary information,
but they also apply to information destined for external copyright or that
has not been fully reviewed.
Furthermore, if the existence of the file has been mentioned in any public-access
bulletin board, List Serv, or conference, it must be assumed that sufficient
knowledge to obtain access is available worldwide.
If access to the data should be restricted because of
sensitivity, its proprietary nature, or for any other reason, the owner must take
appropriate steps to limit access to authorized individuals.
Finally, when using public domain software (e.g., FTP [file transfer protocol]) to
provide access, the owner is responsible for securing up-to-date (protected)
versions of the software. The Laboratory Computer
Protection Program Manager (CPPM) maintains a list of names of staff
members knowledgeable in appropriate software. Unexamined versions of
either new or familiar programs must not be used on systems that contain
valuable information.
- Voice and Video (including voice mail, voice-only teleconferencing,
room-based or studio video teleconferencing, and desktop messaging or teleconferencing).
In these cases, the rules of ordinary conduct apply. In general, the more
limited the audience, the more informal the interaction may be.
- Facsimile. Fax traffic should be treated as if the material were
being sent through Laboratory or United States mail, except that information
subject to the Privacy Act should not be sent to an unattended fax machine.
The foregoing
summary does not cover all cases, or even any single case in full detail.
Nevertheless, it should provide guidelines sufficient to address most situations.
Questions should be addressed to the CPPM.
This policy is concerned with publicly accessible electronic media and browsers
such as the World Wide Web (Web) front-ended by Netscape. It provides a graded
approach to control presentation and content, restriction of access, and scope
of responsibility, recognizing that the procedures employed should be appropriate
for the breadth of access expected and the sensitivity of the information involved.
All users of electronic media should remember that once
information has been committed to the network, the originator loses all control
over how it is used, to whom it is distributed, or to whom it is attributed.
These principles and guidelines use the page terminology of the Web, but they
should be taken to apply more generally as technology advances. They should
also be taken to apply, as appropriate, to older technology such as anonymous
FTP and Usenet.
- LBL Server. A network node that provides access to information or
services and that is part of or administered on behalf of a Laboratory facility,
function, project, or program.
- Page. A logical information structure, accessible as a unit from,
on, or through an information server. A page may contain links to other pages
or files located on other servers.
- LBL page (file). A page (file) resident on any Laboratory server
or accessible directly through any Laboratory server without passing through
a server or page belonging to another institution.
These guidelines apply to all Laboratory information servers, regardless of
location, and to all Laboratory files posted on any information server, whether
or not located at the Laboratory, and regardless of the home page(s) or
directories with which they are associated.
A server that is administered by
the Laboratory for another institution or agency, or located at the Laboratory
but administered by another institution or agency, is governed by the
policies established by that institution or agency.
- Whenever appropriate, it should be possible to provide broad access
in a convenient fashion to information held at the Laboratory.
- Proprietary, regulatory, and licensing constraints should be observed
at all times.
- Information should not be made available to the general public before
it is ready for publication. This restriction does not imply that incomplete
data or unfinished documents may not be made available through network information
services, but only that such information should have appropriate access controls.
See Paragraph (B), above. If the desired
server does not provide the capability to install appropriate access controls,
the information should not be posted.
- Responsibility for propriety, access, protection, and usage rests
with the owner of the data, files, servers, or pages involved. The page owner
is responsible for ensuring that both the content and presentation of information
on a page are consistent with Laboratory policies and guidance. Questions
concerning the suitability of information for publication should be addressed
to the Laboratory Scientific and Technical Information Officer.
- The posting of information on any Laboratory page is a form of publication
by the Laboratory and subject to Laboratory publication policies. See RPM
§5.02 (Scientific and Technical Publications).
- Any material that is to be made available to the general public should
be reviewed by a qualified reviewer before its access restrictions
are lifted. Division administrators maintain lists of qualified reviewers
for their divisions.
- The scope of responsibility of a page owner extends to, but not beyond,
links that occur on the page (i.e., the owner of a page is responsible for
knowing the immediate content of all links on a page, but not for ensuring
the propriety of information existing at the end of an arbitrary chain of
links).
- The default for Laboratory pages is universal read access
and owner-only write access.
- The page (file) owner is responsible for determining the appropriate
level of access for the page (file) and for ensuring that appropriate access
restrictions are in place.
- The page (file) owner is responsible for ensuring that everyone who
has write access to the page (file) is in fact authorized to make changes
to the page (file), and that everyone who has read access to the page (file)
is in fact authorized to have access to the information. This responsibility
applies particularly to proprietary information, but it also applies to information
that is destined for external copyright or that has not been fully reviewed.
- The Laboratory may establish open pages, analogous to open bulletin
boards. The owner of an open page is responsible for verifying that the person
making a posting is authorized to post information on a Laboratory page. Every
posting on an open page must carry the name of a Laboratory sponsor either
directly or on an obvious link. The Laboratory sponsor is responsible for
the content of the posting.
- The posting of inappropriate information on a Laboratory page or
file may be cause for disciplinary action. Information that is proprietary
in nature or contrary to Laboratory policy concerning lobbying, the use of
Laboratory computers, or the use of open bulletin boards may be considered
to be inappropriate. This policy applies to nontextual information as well
as to text.
- All individuals posting information on any publicly accessible Laboratory
page or file are encouraged to review posted material carefully. Everything
posted on any network information service reflects on the intelligence, quality,
integrity, and competence of the Laboratory as an institution and the page-owner
and page-poster as individuals.
- Every Laboratory page must contain the following information directly
or contain a link to an owner's page that provides it: owner's name, address,
e-mail address, and telephone and fax numbers, plus any disclaimers or restrictions
that apply to the contents of the page.
- The owner of the Laboratory Home Page is the Head of the Public
Affairs Department. He or she is responsible for establishing and enforcing
guidelines for the content, presentation, and style of the Home Page and
its immediate links.
- The Home Page and its immediate links are to be considered as corporate
data, which may be changed or deleted only by authorized personnel.
- The administrator of each Laboratory server is responsible for ensuring
that each file on or first-level page accessible through that server has a
Laboratory sponsor. The Laboratory sponsor is responsible for ensuring that
all applicable page policies are observed. A first-level page is one that
is directly accessible without passing through another server or intermediate
page.
- The administrator of each Laboratory server will maintain records
of the owners and Laboratory sponsors of all current first-level pages and
will provide this information to the IT Division Network Information Services
group in a timely fashion.
- The administrator of each Laboratory server is responsible for ensuring
an appropriate level of data and access protection for the server and for
informing file- and page-owners and Laboratory sponsors of all first-level
pages of the protection level maintained.
These guidelines are concerned with minimum acceptable
computer and network security practices for general operations. Divisions or
groups may apply more stringent policies if warranted by the sensitivity of the
data or applications involved.
These guidelines, together with RPM §9.01 (Computing
and Communications), embody the Laboratory's implementation of DOE Order
1360.2B.
- Distribution of function and capability entails equal distribution
of responsibility. The owners of individual and workgroup systems must assume
responsibility for the proper administration and operation of the systems
they control. This responsibility extends to individual staff members working
at home or on travel.
- The Laboratory is a federally funded scientific institution. As such,
it has a responsibility to enhance the ability of its staff to communicate
with colleagues around the world and to practice appropriate economy in operation.
Thus, the level of protection and cost of protective measures should be commensurate
with the magnitude of the threat to the institution inherent in the system,
breadth of access, and sensitivity of the data and application involved. Threat
is a combination of likelihood of compromise and magnitude of potential damage.
- Breadth of access should be encouraged within the constraints
imposed by provision of adequate protection. System managers are charged with the
responsibility of determining and enforcing the level of protection necessary.
- The primary elements of the Laboratory organization for computer
and network security are the Computer Protection Program Manager (CPPM) and
the Computer Protection Implementation Committee (CPIC), which is chaired
by the CPPM and includes computer security liaisons (CSLs) from each division,
office, and center (including the Reception Center), plus assistant CPPMs
for the Scientific Computing Facility, the Administrative Computing Facility,
distributed workstations, telephone systems, and networks.
- The generic distribution of responsibility between the Laboratory
CPPM and the divisions (D), centers (C), and offices (O) is given in RPM Table
9.02(D)(2) (Distribution of Computer Responsibility). Specific responsibilities
are addressed in the next section.
Table 9.02(D)(2)
Distribution of Computer Responsibility

| Responsibility | Responsible parties |
|---|---|
| Definition of Laboratory-wide policy | Computer Protection Program Manager (CPPM) |
| Random file checks | D, O, and C |
| Implementation of access policies | D, O, and C |
| Computer and communications security training | CPPM; Computer Security Liaisons (CSLs) |
| Computer security awareness: program definition | CPPM |
| Computer security awareness: program implementation | Reception Center; D, O, and C |
| Incident detection | D, O, and C; CPPM |
| Incident reporting: internal | D, O, and C |
| Incident reporting: external | CPPM |
Table 9.02(D)(3)
Specific Computer Responsibilities
Responsible party |
Specific responsibilities |
Associate Laboratory Director for Operations |
Appoints Laboratory Computer Protection Program Manager
(CPPM) and Assistant CPPMs. CPPM is listed in the Telephone
Directory. |
Laboratory Computer Protection Program Manager (CPPM) |
Defines and, with assistance of Computer Protection Implementation
Committee (CPIC), implements and administers Laboratory's computer security
program in accordance with Laboratory policy and applicable DOE directives. |
Assistant CPPMs |
Assist CPPM as necessary in activities pertaining to their areas of
expertise. |
Computer Protection Implementation Committee (CPIC) |
Meets periodically to:
- Review computer and communications security awareness and training.
- Provide regular (at least every other year) reviews of Laboratory's
computer and communications incident history and current security
technology.
- Make recommendations for revisions to Laboratory's computer security
policies as necessary.
Committee reviews and revises electronic access and computer security
guidelines as appropriate. |
Division, Center Directors, and Heads of Offices |
Appoint a representative to the CPIC for their division,
center, or office and ensure that Laboratory computer security policies
and procedures are observed within their division, center, or office. |
Computer Security Liaisons (CSLs) |
Serve as two-way communication channels between Laboratory
Computer and Communications Security Program and their division, office,
or center.
Participate in meetings of CCSC, learn and understand Laboratory computer
and communications security policy, and assist as necessary in implementation
of this policy. |
Human Resources Staffing Unit |
Ensures that all new employees, visitors, and participating
guests receive an appropriate introduction to computer security policy
and practice at Laboratory. |
Division administrators |
Ensure that all user IDs and passwords used by terminating
employees and guests are deactivated or continued through a Laboratory
sponsor. |
Supervisors and managers |
Ensure that employees under their supervision maintain a
continuing awareness of proper computer security practices. A standard
computer security awareness statement (Form CPP 13) is available from
CPPM. It may be used to document a computer user's continuing awareness. |
System managers |
Maintain an appropriate level of security for their systems.
Respond appropriately to detection of a security incident.
Are responsible for all security threats or other improper usage originating
from or passing through systems under their control.
Have authority to deny access to their systems to any person observed
not using proper computer security practice. |
Network managers |
Maintain network integrity and a level of security awareness appropriate
to their networks.
Know how to isolate their networks from all non-Laboratory connections
and respond appropriately to detection of a security incident.
Have authority to deny network access to any system or external connection
for security reasons. |
Individual users |
Know and follow Laboratory computer and network security policies.
Bring any security violations to attention of their system manager,
CPPM, or other proper authority.
Are responsible for all actions originating from user IDs under their
name or control, whether or not they authorized such use. |
University of California Police Department |
Maintains 24-hour telephone service to assist users in locating
appropriate management or administrative authority to deal with suspected
data security incidents. |
- Designated Systems Administrators. All UNIX systems connected
to LBLnet must have designated system administrators who have completed
UNIX system administration and security education. In addition, system administrators
are required to update their UNIX system security education at least annually.
- Minimum Standard Configurations. All UNIX systems connected to
LBLnet will be required to conform to minimum standard configurations set
by the UNIX group. These standard configurations include OS versions, patches,
and specific utilities as well as general configuration policies. The UNIX
group will post these configurations on the Web and update them as necessary.
- LBNL Host Database. All hosts that are connected to LBLnet must
be listed in the LBNL Host database. This database will include the names
of the currently designated systems administrators or contacts. The database
must be reviewed annually by each division to ensure that host information
is current.
The computer and network security incident-handling procedure is given here
in summary form. A more detailed version can be obtained from the CPPM.
An employee who encounters a suspected computer or network security incident
(repeated attempts at unauthorized access or the occurrence of a rogue program,
i.e., one that intends to disrupt or subvert the system in some way; viruses
and worms are rogue programs) should first try to inform the appropriate people
(by telephone rather than e-mail) and then, if necessary, respond to the incident.
To inform the appropriate people, call one of the following and report the
system affected and the nature of the problem:
- If using a multiuser system, the system manager. If using a single-user
workstation, the appropriate technical support group.
- The CPPM.
- The Division Director of the IT Division.
- The University of California Police Department, which has a telephone
tree to locate the appropriate technical and/or administrative authorities.
Be sure to specify that the call is to report a data security incident in
progress.
The following general rules govern response to the incident:
- In all cases: Log the incident and inform the appropriate personnel.
- In an isolated case of unsuccessful attempt at entry (i.e., a single,
unrepeated, unsuccessful attempt): No further action is necessary unless
the attempt is repeated.
- In a case of successful penetration if it appears that the integrity of
user data is threatened: Attempt simple close-out, i.e., shut down the known
access paths and monitor all attempts to access user IDs that the attacker
is known to have used. If necessary, re-authenticate all users. This means
to disable all existing user IDs and require some form of personal contact
before allowing individual users back on the system. Users should check
their files for evidence of tampering and should be prohibited from using
the same password.
- In case of discovery of a rogue program: Isolate the system and quarantine
all disks and tapes that have been on it since the introduction of the rogue
program. Do not connect to any other system or transfer any programs or
data from the system to any other system by any means until the system manager
has declared the system to be clean.
- In other cases: Confer with division management and/or the CPPM.
- In the absence of other advice or information: Act to protect the data
rather than to monitor or trap the attacker.
It is Laboratory policy that all computer files be accessible only by the
person responsible for those files unless that person has explicitly authorized
others to access them. Access will be granted to the person's supervisor or
manager if it is necessary for Laboratory purposes. This policy applies regardless
of the level of access protection assigned to a particular file.
In the course of their work, certain authorized individuals (e.g., system
managers and computer security personnel) are required to inspect users'
files. Under no circumstances, except as specified below, are the contents
of those files to be revealed and then only to the CPPM, the Director of
the Information Technology Division, or such other persons specified by
the Associate Laboratory Director for Operations. In these circumstances,
only the following information may be divulged:
- Evidence of unauthorized internal or external access
- Evidence of improper use of Laboratory facilities
- Evidence of security-threatening practices
To ensure adequate security of Laboratory computer systems and networks,
a program of computer security monitoring will be conducted under the supervision
of the CPPM. It will include the following activities, as necessary:
- Random sampling of user files
- Verification of proper control and authentication of new users
- Verification of proper password procedures and use
- Verification of proper physical security
- Monitoring of network traffic
- Monitoring of usage patterns
Any apparent violation of Laboratory policy, attempt at unauthorized access,
or any situation that exhibits less than acceptable computer security will
be reported to the CPPM for further action. In all cases involving the monitoring
of user files and data traffic, Laboratory policy on confidentiality of computer
files applies.
- Desktop and Other Small Systems. Microcomputer-based personal
or desktop computers, notebook and palmtop computers, intelligent terminals,
word-processing, and similar systems are commonplace in Laboratory offices
and because of their portability are particularly vulnerable to physical
attack, including theft. Laboratory employees who possess such equipment
are responsible for ensuring the physical safety of that equipment. Contact
Electronics Engineering's Installation Shop to obtain information and technical
assistance with antitheft lockdown devices and permanent imprinting of the
manufacturer's serial numbers on the equipment.
- Proprietary Software and Data. Proprietary software and data should
be secured in a manner commensurate with the threat.
Laboratory staff, visitors, guests, and contractors are expected to exhibit
good network citizenship in all network interactions by following these rules:
- Do not distribute or encourage the distribution of network junk mail.
Be judicious in the use of utilities that generate responses automatically
(such as those used to announce that you are on vacation or travel).
- Avoid indiscriminate use of distribution lists. Do your best to ensure
that mail is sent only to interested addressees.
- Make appropriate use of automatic-answering facilities to ensure that
replies are sent only to people with a genuine interest in the correspondence.
It is especially important to know whether the auto-answer facility will
send the response to the entire address list of the original message or
to only the originator.
- Use the network only for Laboratory-sanctioned activities.
- Do not use proprietary software without an appropriate license.
- Do not distribute software to unauthorized users or make it available
to unauthorized users.
- Do not read other people's files or directories without explicit authorization.
With the exception of public files such as stores catalogues, forms
repositories, and telephone lists, authorization should not be assumed for
any file not on a public access server.
In general, users should not post anything over the network that they
would not send on official Laboratory stationery, should not access any
information or software over the network that they would not send or for
which they have no authorization, and should not send any e-mail that
they do not want recorded.
These guidelines are not intended to address every situation that can arise,
but to provide a reasonable background so that individuals may make appropriate
judgments in those cases that are not covered. Questions should be addressed
to your CSL, assistant CPPM, or the CPPM.
- Individual Responsibility
- Each user is responsible for all activities originating from any
of his or her user IDs.
- Each password owner is responsible for all activities resulting from
shared use of that password.
- Shared user IDs and passwords are not generally allowed, but such
sharing may be appropriate under some circumstances. Users needing to
share their user IDs or passwords must request authorization from the
system manager. The system manager has the authority to deny such requests.
- Each system owner is responsible for the network citizenship of all
users of that system.
- System Protection
- Access to all Laboratory systems should be available only to Laboratory
staff (including participating guests and contractors) or to others
through a Laboratory sponsor. If an anonymous ftp or a similar utility
is enabled for a system, the system manager becomes a default sponsor
for the whole world. The Laboratory sponsor assumes responsibility for
all activities of sponsored persons. The use of someone else's user
ID or password implies sponsorship by the owner of the user ID or password,
whether or not the owner has explicitly granted permission.
- The safeguards that are provided by the operating system in use should
be invoked to the maximum extent that does not interfere with the work
of the users. Such safeguards include the following:
- Control over system privileges
- Protection of the password file
- User notification of unsuccessful log-in attempts
- Temporary deactivation of user ID after several successive failures
- Less-than-universal defaults for file access
- Suitable physical security measures should be employed. In addition
to appropriate fire and seismic protection, among the measures to be
considered are controlled access to the space, separate locked storage
of media, lock-down devices, and physical separation of backups from
primary versions.
- User IDs and Passwords
Access to all multiuser systems must be protected by standards that
conform to the following rules:
- User-selected passwords. Users who select their own passwords
must ensure that these passwords are consistent with the security
features listed below:
- Passwords must contain at least eight nonblank characters;
- Passwords must contain a combination of letters (preferably a
mixture of upper and lowercase letters), numbers, and at least one
special character within the first seven positions;
- Passwords must contain a nonnumeric letter or symbol in the first
and last positions;
- Passwords may not contain the user ID;
- Passwords may not include the user's own or (to the best of his
or her knowledge) a close friend's or relative's name, employee
number, Social Security number, birthdate, telephone number, or
any information about him or her that the user believes could be
readily learned or guessed;
- Passwords may not (to the best of the user's knowledge) include
common words from an English dictionary or a dictionary of another
language with which the user has familiarity;
- Passwords may not (to the best of the user's knowledge) contain
commonly used proper names, including the name of any fictional
character or place; and
- Passwords may not contain any simple pattern of letters or numbers
such as "qwertyxx" or "xyz123xx."
- Password protection. Individuals may not:
- Share passwords except in emergency circumstances or when there
is an overriding operational necessity; or
- Leave clear-text passwords in a location accessible to others
or secured in a location for which protection is less than that
required for protecting the information that can be accessed using
the password.
- Password changing. Passwords must be changed under any one
of the following circumstances:
- At least every six months.
- Immediately after sharing.
- As soon as possible, but at least within one business day after
a password has been compromised or after the user suspects that
a password has been compromised.
- On direction from management.
- Password administration. If the capability exists in the information
system, application, or resource, the system must be configured to ensure
the following:
- Except in the case of anonymous FTP servers and embedded systems
that use only cleartext passwords, any password sent over the network
is encrypted through use of secure shell (SSH), secure sockets layer
(SSL), or an equivalent protocol;
- Three failed attempts to provide a legitimate password for an
access request will result in an access lockout, which is automatically
restored following a period predetermined by the system manager;
- The password is rejected when a password specification does not
comply with the above requirements and the failure to comply is
verifiable by automated means;
- After six months of use, individuals are notified that their passwords
have expired and that lockout will occur if their password is not
changed within five access requests; and
- If technically feasible, any password file or database used by
the information system is protected from access by unauthorized
individuals.
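The password administration rule above requires rejecting a password when non-compliance is "verifiable by automated means." The following is an added example, not Laboratory code, that checks the automatable subset of the user-selected password rules. Assumptions: the function names, the reading of the composition rule (letters and digits anywhere, a special character in the first seven positions), case-insensitive matching, a run length of three for "simple patterns," and a caller-supplied word list.

```python
import string

# Keyboard rows and sequences used to spot "simple patterns". The policy gives
# only two examples ("qwertyxx", "xyz123xx"); this list is an assumption.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_simple_pattern(password, run=3):
    """True if any `run` consecutive characters repeat or follow a known row."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:  # e.g. "aaa"
            return True
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def check_password(password, user_id, wordlist=()):
    """Return the names of violated rules; an empty list means accepted.

    Rules that depend on the user's own knowledge (names of friends,
    birthdates, and so on) cannot be verified here and are not checked.
    """
    violations = []
    low = password.lower()

    # At least eight nonblank characters.
    if sum(not c.isspace() for c in password) < 8:
        violations.append("length")

    # Letters, numbers, and a special character within the first seven positions.
    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    special_early = any(c in string.punctuation for c in password[:7])
    if not (has_letter and has_digit and special_early):
        violations.append("composition")

    # Nonnumeric character in the first and last positions.
    if not password or password[0].isdigit() or password[-1].isdigit():
        violations.append("first_last")

    # May not contain the user ID (case-insensitive match is an assumption).
    if user_id and user_id.lower() in low:
        violations.append("contains_user_id")

    # Dictionary words and proper names, from a list the caller supplies.
    # Ignoring words shorter than four letters is an assumption.
    if any(len(w) >= 4 and w.lower() in low for w in wordlist):
        violations.append("dictionary_word")

    # Simple patterns of letters or numbers.
    if has_simple_pattern(password):
        violations.append("simple_pattern")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs; "jdoe" is a made-up user ID.
    for pw in ("Tr!ck7-Vault", "qwertyxx", "xyz123xx", "7up!Kd9mQ2"):
        print(pw, "->", check_password(pw, "jdoe") or "accepted")
```
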
- Network Security
- Network Access
- Scripts should not contain network access passwords.
- Use of the default DECnet account is not permitted except in certain
public-access situations.
- Proxy access should be used for remote log-ins to VMS systems.
- UNIX .rhosts entries should be aged and expired after 180 days.
- xhost + should not be used.
- Access lists should be reviewed at least annually.
- LBLnet Connections
- The network address and/or name of each Laboratory system that
is connected to LBLnet, either directly or through a gateway, must
be registered with the administrator of network addresses for that
network. For example, an Internet-based system (i.e., one using
TCP/IP) must be registered with the Networking Telecommunications Department (NTD).
The registration must include the user name and location of the
system. The Head of the Communications and Networking Resources
Department maintains a list of Laboratory network administrators.
- Only the LBLnet Manager may authorize a new physical connection
to the LBLnet, and he or she will document all such connections.
The LBLnet Manager is listed in the Telephone Directory (Directory
Services on the Web).
- Individual Remote Access
Individual users accessing LBLnet remotely (e.g., from home) must
observe all LBLnet security policies.
- Physical Security
Physical access to all LBLnet computers will be limited to authorized
personnel.
- Institutional Information
Institutional information is any business or management information
involved in the support of the Laboratory as a whole or of specific projects
or groups within the Laboratory.
- Systems that process or store institutional data (as defined above)
should be backed up on a regular schedule. The intervals between back-ups
should be determined by the criticality and recoverability of the
data and the frequency of update. Both software and data need to be
backed up.
- Applications that use an electronic signature as a legal signature
must obtain concurrence from the Internal Audit Services group that
security controls for the application are adequate. When an on-line
signature is requested, the following language should be used to indicate
that a legal signature is being solicited: "The information requested
constitutes a legal signature for the person named. Use of this electronic
signature by anyone other than the person named, or his or her designee,
is forbidden and may result in disciplinary action, dismissal, or civil
or criminal liability."
- Other Guidelines
- Specific Applications. Systems that process environmental,
safety, or health data must be protected according to the stricter laws
that govern these data, if the requirements go beyond DOE policy.
- Distribution Lists. The addressees on mail exploders and automatic
distribution lists should be reviewed for proper authorization at least
semiannually.
- The CCSC will develop and administer training curricula for system
managers, division administrators, the reception center, and general staff,
and will provide material to assist in the determination of application
sensitivity.
- The CPIC will develop appropriate access and computer and network
security guidelines and make them available to all staff as needed.
- The CPPM will ensure that all assistant CPPMs and CSLs receive
appropriate training.
FTP |
File transfer protocol. The process by which files are copied
from one system to another over the Internet. Anonymous FTP is the process
that allows such transfers to take place without requiring a log-in
to the remote system. |
log-in |
The process of gaining access to a computer system. It usually
consists of providing a user ID and a password. |
password |
An access code that is associated with a particular user
ID. The user ID and password must match for access to be granted. Password
protection may be applied to individual files or commands as well as
to general system access. |
proprietary data |
Data that require extra protection because they are the
intellectual property of someone (internal or external to LBNL) who
has restricted their distribution. |
.rhosts; xhost + |
Mechanisms for granting and using remote access to a UNIX
system. |
threat |
The product of the probability of compromise or damage and
the dollar impact of the average incident: T = p(C) × $. |
user ID |
The name by which an individual user is known to a system.
A single user may have multiple user IDs on the same or different systems.
In special circumstances, multiple users may use the same user ID. |
VMS proxy access |
A mechanism for granting access to a remote user of a VMS
system. |
xhost + |
See .rhosts. |
In-house software development must be managed in accordance with the Laboratory
Software Management Policy. DOE Order 1360.4A and DOE Notice 1360.8 define
the procedures to be used for the external distribution of finished software.
In particular, if finished software is to be distributed outside the United
States to other than programmatically approved collaborators, such distribution
must be accomplished through the Energy Science and Technology Software Center
(ESTSC) or the appropriate Specialized Information Analysis Center (SIAC).
DOE policy (DOE Order 1360.4) promotes sharing of DOE-developed software
wherever appropriate. This policy is implemented through the ESTSC. The policy
requires review of available shared software before a decision to develop
new software and submission of Laboratory-developed software to ESTSC when
it may have value to other DOE sites. Both review and submission of ESTSC
software are accomplished through the Laboratory Library. Questions of policy
or appropriateness of software for submission to ESTSC should be addressed
to the Office of Information Technology Resources (ITR) Planning.
Public domain software must be used with great care. Computer viruses or
other such mischievous or detrimental modifications to computer software could
cause significant loss or damage to the Laboratory. The importer of public
domain software into the Laboratory is responsible for ensuring that such
software does not contain such harmful modifications.
Laboratory policy is to use commercial software whenever it is functionally
appropriate and cost-effective rather than develop software in house. Many
users share development, documentation, and maintenance costs of commercial
software, and larger knowledgeable communities use the same software, which
can be advantageous.
Most commercial and some noncommercial software is made available under
a license agreement. Such agreements typically restrict usage to certain CPUs,
place restrictions on copying, require labeling of copies, and may contain
other terms and conditions of use. Occasionally some terms or conditions contained
in software license agreements are unacceptable to the Laboratory. In such
cases, an acceptable agreement must be negotiated or the software cannot be
used.
License agreements generally follow one of three formats:
- Some software suppliers (usually of larger or more expensive software)
require an explicit signed agreement before delivery of the software. This
type of agreement is managed as part of the official Laboratory purchase
order. No staff member, except authorized Purchasing Department staff, may
sign such an agreement.
- Other software (usually inexpensive or personal/microcomputer software)
is purchased without prior agreement but is delivered to the end user with
a license agreement included. Such agreements either claim to be in effect
if the software is used or request a signature on a postcard-type agreement
to be returned to the supplier. Recipients of such software usually want
to sign the agreement and return it because that is the mechanism for obtaining
updates. Generally, staff members may sign such agreements after a careful
reading. Any liability assumed by the signing of such an agreement may be
personal and not indemnified by the Laboratory. Questions concerning the
advisability of signing an agreement or using the software should be referred
to the Head of the Office of ITR Planning or the Purchasing Manager.
- Software is occasionally made available to the Laboratory under
specific agreement, but at no cost. If the software is to be handled as
proprietary information, see RPM §5.06 (Proprietary
Information from External Sources).
F. STANDARDS FOR PROCUREMENT OF PERSONAL COMPUTERS
The procurement of new personal computers (PCs) must
follow the guidelines on recommended standard configurations. (Refer to "CIS
Standards and Policies.")
Since the integration and support of networked PCs in the Berkeley Lab computing
environment can be extremely complex, a Laboratory PC standard has been developed
and is updated periodically. PC configurations that have been identified as
recommended standards have been fully tested with Laboratory infrastructure
applications, and are guaranteed to work with the Laboratory's standard applications
(e-mail, Web browsers, calendaring software, Microsoft applications, LETS,
FMS, Procurement Card, Central File and Print Services, etc.). Such PCs are
fully supported by the centralized support organizations, whereas requests
for support for nonstandard PCs will be handled on a best-effort basis and
may result in increased service times and costs. However,
the final decision on the type of PC to be purchased is the responsibility
of the requesting Division.