Fermilab Policy on Computing

Computing is one of many tools used at Fermilab. General policies, written and unwritten, that govern life at Fermilab apply equally to computing. For example, the same rules of ethical behavior apply regarding fraud, forgery, plagiarism, harassment and libel, whether computers are involved or not. However, the ability of modern computers and networks to manipulate, store, and broadcast information is so extraordinarily powerful that it changes many qualitative aspects of how we function in a research laboratory, often in dramatic ways.

Fermilab's Policy on Computing covers all Fermilab-owned systems and any system, regardless of ownership, when it is connected to our network (and/or showing a Fermilab address). You are responsible for the actions of any person whom you permit to use Fermilab computing or network resources through an account assigned to you.

Fermilab's Computing Policy is a set of mandated user and system behaviors designed to:

The Computing Division has been assigned the responsibility for the laboratory's computing and networking infrastructure. Complete details of the various policies can be found by following the appropriate links at http://security.fnal.gov/Policies, which are maintained by the Computing Division.

Policies Governing Personal Conduct

Appropriate Use

All computer users are required to behave in a way that maintains the security of the laboratory computing environment. In particular, unauthorized attempts to gain computer access, to damage, alter, falsify, or delete data, to falsify either email or network address information, or to cause a denial of computing or network service are forbidden. Laboratory computers should only be used for laboratory business with exceptions made for limited incidental use consistent with the computing policy on prohibited activities.

The following activities and uses are explicitly NOT permitted:

Not explicitly prohibited but likely to get you into immediate trouble through embarrassment to the laboratory are all activities on newsgroups, auctions, game sites, etc. that are not clearly Fermilab business, all such Internet activities that are in competitive and/or contentious environments (e.g., auctions, political news groups, etc.) and using your computer to act as a public server of music or other media unrelated to our mission.

Questions of proper or improper use of computers are normally management rather than computer security issues and should be handled in the normal course of supervisory oversight.

More details about the lab's appropriate use policy can be found in the Guidelines for Incidental Computer Usage linked at http://security.fnal.gov/Policies/Guidelines.htm

Incident Reporting

You are required to immediately report any suspected computer security incidents to 630-840-2345, or, if immediate response is not required, to computer_security@fnal.gov. The Fermilab Computer Incident Response Team (FCIRT) investigates incidents. The Head of FCIRT may assume full administrative control of affected systems until the incident is resolved, call on other experts for priority assistance and direct local system managers' response to the situation. Nothing must be done to the system before FCIRT has a chance to examine it. You may not disclose information regarding a computer security incident without authorization.

Information Handling

All users must comply with laboratory policies dealing with information categorization and protection, in particular with protecting personally identifiable information (PII). Details of these procedures are at http://security.fnal.gov/Policies/PII%20Procedures-final-clean.htm

Data Integrity and Backup

Users ("data owners") are responsible for determining what data requires protection and how their data is to be recovered if the online copy is destroyed (either by accidental or malicious damage). They may choose not to back up data, but if so they must make sure they know how to recreate the lost data if needed. If backup is necessary then the users must coordinate a backup plan. This may either be an individual backup done by the users themselves or coordinated with the system managers into a regular system backup plan.

Security Training

All computer users must participate in periodic security training. System administrators will receive more advanced training.

Respecting Rights of Privacy

Fermilab respects the privacy rights of all employees and visitors, and will not look at any individual's private computer files without authorization from the lab director or designee except in a computer security emergency. Note that this policy does not apply to files in areas that formerly belonged to personnel who no longer maintain their previous association with the laboratory. In this case the file ownership is assigned to the person's former supervisor for appropriate disposition. In addition, it should be remembered that by connecting any computer to the lab network or using the Fermilab assigned names or IP addresses, the individual has waived their privacy rights with respect to the Department of Energy (as stated in the logon banner present on all lab machines), and even personal or university owned machines are subject to confiscation in a DOE Inspector General investigation.

Policies Governing Computing Systems

System and node registration

All devices attached to the lab network must be registered and have a registered system administrator with an up-to-date email address. The system administrator is the individual responsible for applying security patches to the device and choosing system configuration.

Visitors will be given an opportunity to temporarily register their machines when they first request a DHCP address by connecting to the lab network. They will be granted access unless a critical vulnerability is detected on their computer (see http://security.fnal.gov/CriticalVuln/index.html). In that case they will need to physically take their machine to the help desk in Wilson Hall (where an offsite network connection is available to allow them to patch their machine) or mitigate the vulnerability in some other manner.

System owners are required to perform an annual risk assessment for their machines using the procedures documented at http://security.fnal.gov/FSRM/. This task is ordinarily delegated to the primary system administrator and requires performing a security scan, verifying that all offered network services are necessary, and understanding the residual risk inherent in the system configuration.

Virus Protection, Patching and Configuration Management policy

All lab Windows computers or computers offering Windows file shares must have enabled virus scanning software and must have a plan for applying security patches and updating virus signatures. Machines in the Fermi Windows domain satisfy this requirement, as do those subscribing to one of the lab SMS servers; for other devices users must supply documentation of how this requirement is met.

Computing systems should be running recent and supported versions of operating systems, regardless of network connectivity, as specified in the lab baseline configurations that can be viewed at http://security.fnal.gov/Baselines. It is recognized that in some circumstances it may be necessary to continue to run an obsolete operating system (for example, to avoid breaking software applications). In those cases the user of such systems must document the reasons why the system cannot be brought up to date and must document how the system is protected to provide the same level of security as provided in baseline configurations. In addition, certain services (such as web servers) cannot be offered on such obsolete systems.

The Fermilab Computer Security Coordinator (FCSC) may declare, when deemed necessary for protection of Fermilab computers and users, that certain configurations are considered to be a Critical Vulnerability. This designation and the corresponding corrective action will be publicized widely in email and at the link below. You are required to take immediate action to remove Critical Vulnerabilities from systems under your control. Failure to comply will result in the system being blocked from network access. The current list of critical vulnerabilities can be seen at http://security.fnal.gov/CriticalVuln/index.html.

Restricted Central Services

Services that would create a significant security risk or would interfere with the operation of site computing or networking infrastructure can only be operated by systems authorized by the Fermi Computer Security Coordinator (FCSC).

For example, the following network services may only be implemented by the Computing Division:

Specific waivers from these restrictions must be requested in writing to servicewaivers@fnal.gov and may be granted only by the network manager or the FCSC. Waivers granted to non-Fermilab employees require the concurrence of the CSExec.

The following services are also examples of restricted services. Exceptional approval for professionally managed workgroup-local implementation will be considered by the FCSC.

Furthermore, externally visible web services, including project and personal web pages, should only be offered on one of the central lab web servers. If necessary, a user can request permission to run a private web server by use of the form at http://security.fnal.gov/WebServers/index.html

This will require up-to-date security scans demonstrating that the proposed web server runs on a secure machine. Web traffic to other-than-registered servers will be blocked at the site border.

Externally visible Globus gateways must also be registered and approved before being put into operation, and will normally be restricted to the Open Science Enclave.

Care must be taken with web content on both private and central servers. Owners of web pages are responsible for any posted content, and are required to institute procedures (e.g. authentication) that will discourage posting of dangerous or embarrassing content. Use common sense in displaying links on pages with Fermilab addresses. Web crawlers (Yahoo, etc.) index all pages they can see. Even accidentally inappropriate wording may be indexed. You can direct web crawlers to ignore pages that you do not need to be found through search engines. See http://computing.fnal.gov/web/publish/access.html. Semi-official pages and pages intended for the public are required by the DOE to carry a notice. Include a link on each such page to http://www.fnal.gov/pub/disclaim.html.

A complete current list of restricted services can be found at http://security.fnal.gov/Policies

Access Control

All applications, other than those intended for the general public, must support appropriate levels of authentication and authorization. In particular, any systems allowing arbitrary program execution or data transfer require authentication consistent with computing strong authentication policy at http://security.fnal.gov/StrongAuth, currently either a Kerberos principal (account) for use of general lab computing resources, or a PKI certificate for use of grid computing resources. You will need to understand how to authenticate yourself through proper use of your credentials before being able to use lab computers.

You must not allow anyone else to know or use your Kerberos password. Do not use your Kerberos password for other than Fermilab Kerberos. Do not transmit Kerberos passwords across the network. In the rare circumstances where transmitting a Kerberos password is necessary, it must be strongly encrypted. Never store Kerberos passwords (or the corresponding character strings) on a computer, encrypted or not.

Any remote login or general file transfer services in the General Science Enclave that are visible from outside the Fermilab network must be configured so as to require Kerberos authentication (or an exemption must be requested). See http://security.fnal.gov/StrongAuth for more details. Configuration rules for Kerberos-protected systems must not be circumvented. Similar services in the Open Science Enclave must be configured to require appropriate grid certificates.

Policy Enforcement

Individuals who violate this policy will be denied access to laboratory computing and network facilities and may be subject to further disciplinary action depending on the severity of the offense. Computing systems with critical vulnerabilities or exhibiting unusual network behavior typical of hacking activity will be blocked from network access until the condition is mitigated.

Software Intellectual Property (Licenses)

Employees and users of Fermilab computing are reminded that it is Fermilab policy to respect the intellectual property rights of others. This applies when computers are involved just as it does when computers are not involved. Fermilab expects reasonable care be taken to follow license provisions.

Use of Computers in Systems that Protect People, Property, or the Environment

It is Fermilab policy to avoid reliance on a computer as an essential element of any system that is necessary to protect people from serious harm, to protect the environment from significant impact, or to protect property the loss of which would have a serious impact on our mission. The use of computers for monitoring, data logging, and reporting is encouraged; however, computers used for these purposes must not be essential for protection. Contact the Fermilab Computer Security Executive for any variance.

Further details on the various policies referred to here can be seen by following the links at: http://security.fnal.gov/Policies

Jan 6, 2009