CCS: Computing Policies
This is a list of general computer usage policies and
security rules that apply to all users of CCS resources. Principal
Investigators, and CCS staff members are responsible for implementing these
policies and procedures in their organizations and ensuring that users fulfill
their responsibilities. All holders of accounts on CCS machines are advised
to retain a copy of this document for reference and audit purposes.
Computer Use
|
Appropriate Use.
Computers, software, and communications systems provided by the CCS are to
be used for work associated with and within the scope of the project that
was approved by CCS. All CCS computers, networks, e-mail, and storage systems
are property of the United States Government. Any misuse or unauthorized
access is prohibited, and is subject to criminal and civil penalties.
Monitoring. Under the terms of UT Battelle's contract with the U.S.
Department of Energy, ORNL retains the right to monitor the content of all
messages and to access any computer files without prior knowledge or consent
of user, sender, or addressee. |
Passwords
|
Passwords should be eight
(8) characters long, and contain embedded punctuation marks and/or digits
and/or a mix of upper and lower case characters. Users should not share
accounts or passwords with anyone. The password must be changed every
180 days and as soon as possible after an unacceptable exposure or suspected
compromise. |
User Accountability
|
Users are accountable
for their actions and may be held accountable to applicable administrative
or legal sanctions.
Security. Users must notify CCS immediately when they become aware
that any of the accounts used to access CCS has been compromised.
Misuse/abuse. CCS personnel and users are required to address, safeguard
against and report misuse, abuse and criminal activities. Misuse of CCS
resources can lead to temporary or permanent disabling of accounts, loss
of DOE allocations, and administrative or legal actions.
Contact info. Users should inform CCS promptly of any changes in
their contact information (email, phone, affiliation, etc.). |
Software Use
|
Proprietary/Licensed
Software. All software used on CCS computers must be appropriately acquired
and used according to the appropriate licensing. Possession or use of illegally
copied software is prohibited. Likewise, users shall not copy copyrighted
software, except as permitted by the owner of the copyright. In general,
the use of export controlled codes is prohibited, but special circumstances
will be considered. The use of an export controlled code must be approved
prior to uploading it to CCS systems. |
Data Use
|
Prohibited Data.
The CCS computer systems are operated as research systems and only contain
data related to scientific research and do not contain personally identifiable
information (data that falls under the Privacy Act of 1974 5U.S.C. 552a).
Use of CCS resources to store, manipulate, or remotely access any sensitive
or national security information is prohibited. This includes, but is not
limited to classified information, unclassified controlled nuclear information
(UCNI), naval nuclear propulsion information (NNPI), the design or development
of nuclear, biological, or chemical weapons or any weapons of mass destruction.
The use of CCS resources for personal or non-work-related activities is
also prohibited.
Export Control. All Principal Investigators using CCS resources and
CCS staff members are responsible for knowing whether their project generates
any of these prohibited data types or information that falls under Export
Control. CCS users are required to restrict Export Controlled Information
from foreign nationals of DOE sensitive countries. For questions, contact
consult@ccs.ornl.gov. |
Foreign National Access
|
Principal Investigators
are required to verify the citizenship status of users from their project
(as provided on CCS account
request forms). Access to CCS systems is denied to foreign nationals
from countries on the Department of Commerce "Computer Tier 4" list. These
countries are Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. Additionally,
no work may be performed on CCS computers on behalf of foreign nationals
from these countries. |
Confidentiality
Integrity
and
Availability
|
CCS systems are provided
to our users without any warranty. CCS will not be held liable in the event
of any system failure or loss of data. The CCS systems provide reasonable
commercial protections to maintain the confidentiality, integrity, and availability
of user's data. These measures include the availability of file permissions,
archival systems with access control lists, and parity and CRC checks on
data paths and files. It is the user's responsibility to set access controls
appropriately for the data. However, in the event of system failure or
malicious actions, the CCS cannot guarantee that a user's data cannot be
accessed, changed, or deleted by another individual. It is the users responsibility
in insure the appropriate level of backup, and integrity checks on critical
data and programs. |
Prohibited
Actions
|
Account Sharing.
Accounts on the CCS machines are for the exclusive use of the individual
user named in the account application. Users should not share accounts or
passwords with anyone. If evidence is found that more than one person is
using an account, that account will be disabled immediately.
Malicious Software. Users must not intentionally introduce or use
malicious software such as computer viruses, Trojan horses, or worms.
Unauthorized Access. Users are not to attempt to receive unintended
messages or access information by some unauthorized means, such as imitating
another system, impersonating another user or other person, misuse of legal
user credentials (usernames, passwords, etc.), or by causing some system
component to function incorrectly.
Altering Authorized Access. Users are prohibited from changing or
circumventing access controls to allow themselves or others to perform actions
outside their authorized privileges.
Data Modification/Destruction. Users are prohibited from taking unauthorized
actions to intentionally modify or delete information or programs.
Denial of Service. Users may not deliberately interfere with other
users accessing system resources. |
|