Parent Policy: Lifecycle Management for Information, Hardware, Software, and Services
Document #: 10.01.003.01
Installation and attachment of wireless network equipment to LBLnet is not allowed. We monitor for and remove these 'rogue access points'.
LBLnet is the sole provider of wired networking. Installation of personal switches, firewalls, and NAT devices is allowed. Users need explicit permission to participate in routing protocols, run DHCP servers, send RAs, send BPDUs, or otherwise attempt to manage the network. LBLnet staff reserves the right to disconnect equipment from LBLnet, including NAT devices, when it is deemed necessary to protect operational stability or security.
IP Address and Host Name Allocations
Allocation of IP-related configurations (IP addresses, host names in lbl.gov, etc.). This includes names of services inside and outside lbl.gov where such services could cause confusion with institutional services. IT may reject or change, or require changes to, hostnames or service names where they conflict with institutional services or appear to represent institutional services (e.g. a single science division may not manage "events.lbl.gov" or "projects.lbl.gov", nor can a single division utilize lbl.sharepoint.com or lbnl.slack.com, etc.).
Domain Name Server (DNS)
Advertising of DNS services to the internet
LBNL-owned domain properties must use the LBNL IT Division registrar service.
Telephony, including cellular
Provision of laboratory telephones, PBX, cell towers, and wiring
Applications containing Protected Information
Protected Information includes Personally Identifiable Information. This information is most often contained in the Human Resources Information System (HRIS) and the Financial Management System (FMS). Berkeley Lab must protect this information as it faces fines in the event of inappropriate disclosure.
Public address systems, radio communication, wired intercoms, and alarms.
All systems related to physical security and life safety communication, and spectrum management.
Email Servers Exposed to Internet
All email servers with exposure to the internet must be approved.
SSL certificates for systems in the lbl.gov namespace.
SSL certificates are purchased centrally so that they can be tracked.
Data Centers and Closets
Any special purpose room that provides environmental controls designed for computing and networking must be coordinated with IT and Facilities. Datacenters and closets must be designed to meet efficiency standards and must be managed to ensure these standards are met.
Specific Procurement Controlled Items
IT implements additional controls on the procurement of a small number of items to ensure appropriate security and appropriate use of resources. The full list can be found in Procurement's Restricted Item list and includes cellular phones, tablets with cellular service, all cellular services, laptops/desktops limited to specific channels (to ensure they are tagged), wireless access points, and items that require additional justification such as smartwatches and fitness trackers.
This also includes internet service reimbursement which is subject to the procedures here: 9-02-320 - High Speed Remote Access Provisioning and Reimbursement