No. 21.000 Rev. 2 (4/26/2007)
Effective Date 1/1/99
Scope
This policy covers all computing operations at Fermilab.
This policy applies to:
- all Fermilab owned systems regardless of whether they are connected to the Fermilab network;
- all systems, regardless of ownership, when they are attached to the Fermilab network (or are assigned a Fermilab IP address);
- all users of these systems.
In all cases where this policy applies, individuals have waived their rights to privacy.
Fermilab's Computing Policy is a set of mandated user and system behaviors designed to:
- operate an effective and efficient computing and networking environment;
- maintain an open environment supporting global collaboration and innovation and free exchange of scientific information;
- guard the laboratory's reputation and protect its computing systems, data, and operations against attacks and unauthorized use;
- ensure compliance with all applicable mandates, directives and legal requirements for computing.
The Computing Division has been assigned the responsibility for the laboratory's computing and networking infrastructure. Complete details of the various policies can be found by following the appropriate links at http://security.fnal.gov/Policies, which are maintained by the Computing Division.
- Appropriate use: All computer users are required to behave in a way that maintains the security of the laboratory computing environment. Laboratory computers should only be used for laboratory business with exceptions made for limited incidental use consistent with the computing policy on prohibited activities.
- Incident reporting: All users are required to comply with computing policy on reporting suspected computer security incidents.
- Information handling: All users must comply with laboratory policies dealing with information categorization and protection, in particular with protecting personally identifiable information (PII).
- Data integrity and backup: All computer users ("data owners") are responsible for determining what data requires protection and how their data is to be recovered if the online copy is destroyed (either by accidental or malicious damage).
- Security training: All computer users must participate in periodic security training. System administrators receive more advanced training.
- Respecting rights of privacy: All computer users are required to abide by the computing policy about access to private files or data as stated at http://security.fnal.gov/Policies.
- System registration: All devices attached to the laboratory network must be registered and have a registered system administrator with an up-to-date email address. (The system administrator is the individual responsible for applying security patches to the device and choosing system and software configurations.)
- Virus protection, patching, and configuration management: Computing systems should be running recent and supported versions of operating systems, regardless of network connectivity, as specified in the baseline configurations that can be viewed at http://security.fnal.gov/Baselines. In particular this includes virus protection for Windows systems. Systems not meeting the baselines must document the reasons why the system cannot be brought up to date and must document how the system is patched and configured to provide the same level of security as provided in baseline configurations.
- Restricted services: Services that would create a significant security risk or would interfere with the operation of site computing or networking infrastructure can only be operated by systems authorized by the Fermi Computer Security Coordinator (FCSC). A current list of such restricted services can be found at http://security.fnal.gov/Policies.
- Access control: All applications, other than those intended for the general public, must support appropriate levels of authentication and authorization. In particular, any systems allowing arbitrary program execution or data transfer require authentication consistent with the computing strong authentication policy at http://security.fnal.gov/StrongAuthentication.
- Individuals who violate this policy will be denied access to laboratory computing and network facilities and may be subject to further disciplinary action depending on the severity of the offense.
- Computing systems with unpatched critical vulnerabilities or exhibiting unusual network behavior typical of hacking activity will be blocked from network access until the condition is mitigated.
It is Fermilab policy to avoid reliance on a computer as an essential element of any system that is necessary to protect people from serious harm, to protect the environment from significant impact, or to protect property the loss of which would have a serious impact on our mission.