Fermilab Policy on Computing

Fermilab's Policy on Computing covers all Fermilab-owned computers and any device, regardless of ownership, when it is connected to our network (and/or showing a Fermilab address). You are responsible for the actions of any person whom you permit to use Fermilab computing or network resources through an account assigned to you. Note that discrete electronic devices that are not on the general network are not considered to be computers nor governed by this policy document. Devices used in Safety Instrumented Systems are covered by requirements listed in the Fermilab Work Smart Standards.

Fermilab's Computing Policy is a set of mandated user and system behaviors designed to:

The Computing Sector has been assigned the responsibility for the laboratory's computing and networking infrastructure. Complete details of the various policies can be found by following the appropriate links at http://security.fnal.gov/Policies which are maintained by the Computing Sector.

Policies Governing Personal Conduct

Appropriate Use

All computer users are required to behave in a way that maintains the security of the laboratory computing environment. In particular, unauthorized attempts to gain computer access, to damage, alter, falsify, or delete data, to falsify either email or network address information, or to cause a denial of computing or network service are forbidden. Laboratory computers should only be used for laboratory business with exceptions made for limited incidental use consistent with this policy.

The following activities and uses are explicitly NOT permitted:

Not explicitly prohibited, but likely to get you into immediate trouble by embarrassing the laboratory, are activities on newsgroups, auction sites, game sites, etc. that are not clearly Fermilab business; Internet activities in competitive or contentious environments (e.g., auctions, political newsgroups); and using your computer as a public server of music or other media unrelated to our mission.

Questions of proper or improper use of computers are normally management rather than computer security issues and should be handled in the normal course of supervisory oversight.

More details about the lab's appropriate use policy can be found in the Guidelines for Incidental Computer Usage, linked at http://security.fnal.gov/Policies/Guidelines.htm

Incident Reporting

You are required to immediately report any suspected computer security incidents to 630-840-2345, or, if immediate response is not required, to computer_security@fnal.gov. The Fermilab Incident Response Team investigates incidents. The head of the response team may assume full administrative control of affected systems until the incident is resolved, call on other experts for priority assistance and direct local system managers' response to the situation. Nothing should be done to the system before the response team has a chance to examine it. You may not disclose information regarding a computer security incident without authorization.

Information Handling

All users must comply with laboratory policies dealing with information categorization and protection, in particular with protecting personally identifiable information (PII). Details of these procedures are at http://security.fnal.gov/Policies/PII%20Procedures-final-clean.htm

Data Integrity and Backup

Users ("data owners") are responsible for determining what data requires protection and how their data is to be recovered if the online copy is destroyed (either by accidental or malicious damage). They may choose not to back up data, but if so they must make sure they know how to recreate the lost data if needed. If backup is necessary then the users must coordinate a backup plan. This may either be an individual backup done by the users themselves or coordinated with the system managers into a regular system backup plan.

Security Training

All computer users must participate in periodic security training. System administrators will receive more advanced training.

Respecting Rights of Privacy

Fermilab respects the privacy rights of all employees and visitors, and will not look at any individual's private computer files without authorization from the lab director or designee except in a computer security emergency. Note that this policy does not apply to files in areas that formerly belonged to personnel who no longer maintain their previous association with the laboratory. In this case the file ownership is assigned to the person's former supervisor for appropriate disposition. In addition, it should be remembered that by connecting any computer to the lab network or using the Fermilab assigned names or IP addresses, the individual has waived their privacy rights with respect to the Department of Energy (as stated in the logon banner present on all lab devices), and even personal or university owned devices are subject to confiscation in a DOE Inspector General investigation.

Policies Governing Computing Systems

System and node registration

All devices attached to the lab network must be registered and have a registered system administrator with an up-to-date email address. The system administrator is the individual responsible for applying security patches to the device and choosing system configuration.

Visitors will be given an opportunity to temporarily register their devices when they first request a DHCP address by connecting to the lab network. They will be granted access unless a critical vulnerability is detected on their computer (see http://security.fnal.gov/CriticalVuln/index.html). In that case they will need to physically take their device to the help desk in Wilson Hall (where an offsite network connection is available to allow them to patch their device) or mitigate the vulnerability in some other manner.

Virus Protection, Patching and Configuration Management policy

All lab Windows computers, and any computers offering Windows file shares, must run enabled virus-scanning software and must have a plan for applying security patches and updating virus signatures. Devices in the Fermi Windows domain satisfy this requirement, as do those subscribing to one of the lab SMS servers; for other devices, users must supply documentation of how this requirement is met. The full anti-virus policy is given at
http://security.fnal.gov/Policies/FNAL%20Anti-Virus%20Policy-v2.htm

Computing systems should be running recent and supported versions of operating systems, regardless of network connectivity, as specified in the lab configuration management policy and listed baseline configurations that can be viewed at:
http://security.fnal.gov/Baselines

It is recognized that in some circumstances it may be necessary to continue to run an obsolete operating system (for example, to avoid breaking software applications). In those cases the user of such systems must document the reasons why the system cannot be brought up to date and must document how the system is protected to provide the same level of security as provided in baseline configurations. A service desk ticket requesting a baseline variance and providing the required information should be opened in such cases. In addition, certain services (such as web servers) cannot be offered on such obsolete systems.

The Fermilab Computer Security Coordinator (FCSC) may declare, when deemed necessary for protection of Fermilab computers and users, that certain configurations are considered to be a Critical Vulnerability. This designation and the corresponding corrective action will be publicized widely in email and at the link below. You are required to take immediate action to remove Critical Vulnerabilities from systems under your control. Failure to comply will result in the system being blocked from network access. The current list of critical vulnerabilities can be seen at:
http://security.fnal.gov/CriticalVuln/index.html

It is expected that computer users will practice "least privilege required", in particular only using administrative or root accounts for limited periods of time when conducting activities that require such privileges.

Restricted Central Services

Services that would create a significant security risk or would interfere with the operation of site computing or networking infrastructure may only be operated by systems authorized by the Fermilab Computer Security Coordinator (FCSC).

For example, the following network services may only be implemented by the Core Computing Division:

Specific waivers from these restrictions must be requested in writing to servicewaivers@fnal.gov and may be granted only by the network manager or the FCSC. Waivers granted to non-Fermilab employees require the concurrence of the Fermilab CIO.

The following services are also examples of restricted services. (Exemption requests for professionally managed workgroup-local implementation will be considered by the FCSC.):

Furthermore, externally visible web services, including project and personal web pages, should only be offered on one of the central lab web servers. If necessary, a user can request permission to run a private web server through the Fermilab Service Desk at: https://fermi.service-now.com/navpage.do

This will require up-to-date security scans demonstrating that the proposed web server runs on a secure device. Web traffic to other-than-registered servers will be blocked at the site border.

Externally visible Globus gateways must also be registered and approved before being put into operation, and will normally be restricted to the Open Science Enclave.

Care must be taken with web content on both private and central servers. Owners of web pages are responsible for any posted content, and are required to institute procedures (e.g. authentication) that will discourage posting of dangerous or embarrassing content. Use common sense in displaying links on pages with Fermilab addresses. Web crawlers (Yahoo, etc.) index all pages they can see. Even accidentally inappropriate wording may be indexed. You can direct web crawlers to ignore pages that you do not need to be found through search engines. See http://computing.fnal.gov/web/publish/access.html. Semi-official pages and pages intended for the public are required by the DOE to carry a notice. Include a link on each such page to http://www.fnal.gov/pub/disclaim.html
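As an added illustration (not part of the policy text or the linked access page), a robots.txt file placed at the top of a web server's document root asks compliant crawlers to skip the listed paths. The paths shown are hypothetical:

```text
# robots.txt, served as http://<your-server>/robots.txt (added example; paths are hypothetical)
User-agent: *
Disallow: /drafts/
Disallow: /internal-notes/

# A single page can also opt out with <meta name="robots" content="noindex"> in its <head>.
```

Two caveats a page owner should keep in mind: robots.txt is advisory, so a crawler is free to ignore it, and the file is itself world-readable, so it advertises the very paths it names. It reduces search-engine exposure of accidental wording; it is not an access control, which is why the policy above calls for authentication on content that must not be posted or seen.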

A complete current list of restricted services can be found at http://security.fnal.gov/Policies

Access Control

All applications, other than those intended for the general public, must support appropriate levels of authentication and authorization. In particular, any systems allowing arbitrary program execution or data transfer require authentication consistent with computing authentication policy at http://security.fnal.gov/Policies/AuthenticationPolicy.htm, currently either a Kerberos principal (account) for use of general lab computing resources, or a PKI certificate for use of grid computing resources. You will need to understand how to authenticate yourself through proper use of your credentials before being able to use lab computers. The Authentication Policy document also gives the current lab regulations on use of passwords.

You must not allow anyone else to know or use your Kerberos password. Do not use your Kerberos password for other than Fermilab Kerberos. Do not transmit Kerberos passwords across the network. In the rare circumstances where transmitting a Kerberos password is necessary, it must be strongly encrypted. Never store Kerberos passwords (or the corresponding character strings) on a computer, encrypted or not.

Any remote login or general file transfer services in the General Computing Environment that are visible from outside the Fermilab network must be configured so as to require Kerberos authentication (or an exemption must be requested). See http://security.fnal.gov/StrongAuth for more details. Configuration rules for Kerberos-protected systems must not be circumvented. Similar services in the Open Science Environment must be configured to require appropriate grid certificates.
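As an added example (not from the policy or the StrongAuth pages), and assuming the remote login service is OpenSSH, the following sshd_config fragment requires Kerberos (GSSAPI) authentication and turns off the password and public-key methods that would otherwise bypass it:

```text
# /etc/ssh/sshd_config fragment (added example; assumes OpenSSH)
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication no
PermitRootLogin no
```

With GSSAPI the client presents a ticket obtained from kinit, so the Kerberos password itself never crosses the network to the server, consistent with the password rules above. On older OpenSSH releases the keyboard-interactive option is spelled ChallengeResponseAuthentication. After editing, `sshd -T | grep -i auth` prints the effective settings so you can confirm the password and public-key methods really are off before the host is reachable from outside.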

Policy Enforcement

Individuals who violate this policy will be denied access to laboratory computing and network facilities and may be subject to further disciplinary action depending on the severity of the offense.

Computing systems with critical vulnerabilities, that exhibit unusual network behavior typical of hacking activity, or are otherwise in violation of this policy will be blocked from network access until the condition is mitigated.

Software Intellectual Property (Licenses)

Employees and users of Fermilab computing are reminded that it is Fermilab policy to respect the intellectual property rights of others. This applies when computers are involved just as it does when computers are not involved. Fermilab expects license provisions to be followed.

Disclaimer

In using systems owned by Fermilab or attached to the Fermilab network, users waive their rights of privacy with respect to information on those systems, and accept the possibility of loss, damage or disclosure of any data, including their own, on those systems.

Use of Computers in Systems that Protect People, Property, or the Environment

It is Fermilab policy to avoid reliance on a computer as an essential element of any system that is necessary to protect people from serious harm, to protect the environment from significant impact, or to protect property the loss of which would have a serious impact on our mission. The use of computers for monitoring, data logging, and reporting is encouraged, however computers used for these purposes must not be essential for protection. Contact the Fermilab Computer Security Executive for any variance.

Further details on the various policies referred to here can be seen by following the links at:
http://security.fnal.gov/Policies

Apr 28, 2013