Minimum Security Requirements
Parent Policy: Security for Information Technology
Document #: 10.01.002.001
Computers connected to the Berkeley Lab network must meet minimum security requirements. Minimum security requirements establish a baseline of security for all systems on the Berkeley Lab network. Non-compliant devices may be disconnected from the network.
Cyber Security Operations will modify these requirements based on changing technology and evolving threats.
Exceptions: Computers on the visitor network (e.g. wireless network). Review Section D.5 of Security for Information Technology for our policy on additional exceptions.
Tips on Implementing
Install antivirus software and set to automatic updates.
Download Sophos for home and personal use at software.lbl.gov.
Install critical application patches. When available, enable automatic update functionality. Cyber Security enforces installation of critical patches.
Windows and Apple: download BigFix from software.lbl.gov for easy desktop application patching.
Authenticate only over encrypted channels (e.g. SSH or TLS); never transmit passwords in clear text.
Do not use Telnet: it sends the login name and password unencrypted, where anyone on the network path can read them.
Only employees or affiliates may have institutional accounts (i.e. Berkeley Lab Identity/LDAP and Active Directory).
The Account Management FAQ describes procedures for obtaining and managing accounts.
Log to the central logging servers.
Exemption: Do not log if your computer is offsite or frequently offsite (e.g. a laptop).
Apple and Linux: Use Central Syslog Server instructions.
Windows: Use Central Winlog Server instructions.
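The central-logging requirement is only met if the forwarding actually reaches the server and cannot be read or spoofed in transit. The checker below is an added example, not the Lab's Central Syslog Server instructions: it classifies how a Linux rsyslog configuration forwards messages, using the legacy rsyslog syntax where `@host` is UDP, `@@host` is TCP, and TLS is switched on by the gtls netstream driver with driver mode 1. The server name logs.example.lbl.gov and both configuration snippets are constructed for the example.

```python
"""Classify rsyslog forwarding: none, cleartext UDP, cleartext TCP, or TCP+TLS.
Added example (not Berkeley Lab tooling); hostname and snippets are constructed."""
import re

# Legacy rsyslog action syntax: "<selector> @host[:port]" = UDP, "@@host" = TCP.
# The optional "(o)" after @@ selects octet-counted framing; [..] wraps IPv6 hosts.
FORWARD_RE = re.compile(
    r"^\s*([^#\s]+)\s+(@@?)(\([^)]*\))?([^:\s\[\]]+|\[[^\]]+\])(?::(\d+))?\s*$"
)
# TLS on the sending side needs the gtls driver and stream driver mode 1.
TLS_DRIVER_RE = re.compile(r"^\s*\$DefaultNetstreamDriver\s+gtls\s*$", re.M)
TLS_MODE_RE = re.compile(r"^\s*\$ActionSendStreamDriverMode\s+1\s*$", re.M)

# Constructed weak configuration: plain UDP; log contents are readable and
# spoofable on the wire, and lost messages are never noticed.
WEAK_CONF = """\
*.* @logs.example.lbl.gov:514
"""

# Constructed hardened configuration: TCP wrapped in TLS, server identity
# checked against its certificate name (CA file path is an assumption).
HARDENED_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/central-ca.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logs.example.lbl.gov
*.* @@(o)logs.example.lbl.gov:6514
"""

# Constructed configuration that only writes locally: not compliant.
LOCAL_ONLY_CONF = """\
auth,authpriv.* /var/log/auth.log
"""


def forward_targets(conf: str) -> list:
    """Return (transport, host, port) for every remote forwarding action."""
    targets = []
    for line in conf.splitlines():
        m = FORWARD_RE.match(line)
        if m:
            transport = "udp" if m.group(2) == "@" else "tcp"
            port = int(m.group(5)) if m.group(5) else 514
            targets.append((transport, m.group(4), port))
    return targets


def forwarding_status(conf: str) -> str:
    """'none' | 'udp-cleartext' | 'tcp-cleartext' | 'tcp-tls'."""
    targets = forward_targets(conf)
    if not targets:
        return "none"
    if any(t[0] == "udp" for t in targets):
        return "udp-cleartext"
    if TLS_DRIVER_RE.search(conf) and TLS_MODE_RE.search(conf):
        return "tcp-tls"
    return "tcp-cleartext"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("local-only", LOCAL_ONLY_CONF)):
        print(f"{name:10s} -> {forwarding_status(conf)}  {forward_targets(conf)}")
```

Run it against `/etc/rsyslog.conf` and the files under `/etc/rsyslog.d/` concatenated; anything other than `tcp-tls` with the central server as the only target is worth a second look. The laptop exemption above is a policy decision, so it is not something this script can detect.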
Secure network services on your computer as follows:
- Only activate network services needed to support your work. Unnecessary network services increase your risk of compromise.
- Limit network access to only computers that need access.
- Example: a web server is a network service. Run one only if you need it, and expose it to the Internet only if it is a public service; otherwise, limit access to within the Berkeley Lab perimeter.
Windows: Contact the Help Desk and ask to be joined to Active Directory. This will help secure some of your network services.
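A quick way to see which of these rules a Linux host violates is to look at what is actually listening and on which interface. The script below is an added example, not Lab tooling: it parses output in the format of `ss -tlnp`, flags services whose protocols carry credentials in clear text (the Telnet point above), and flags anything reachable from the whole network that is not on an explicit allow-list of intentionally public ports. The sample `ss` output is constructed, not captured from a real host, and the allow-list of ports 22 and 443 is an assumption for the example.

```python
"""Audit listening TCP services against 'only what you need, only to who needs it'.
Added example, not Berkeley Lab tooling. Parses `ss -tlnp`-style output."""
import re
from dataclasses import dataclass

# Protocols that send the login name and password unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}

# Constructed sample of `ss -tlnp` output (not from a real machine).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=950,fd=4))
LISTEN 0      511    127.0.0.1:8080      0.0.0.0:*         users:(("python3",pid=1201,fd=5))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1300,fd=6))
LISTEN 0      128    [::1]:5432          [::]:*            users:(("postgres",pid=1400,fd=7))
"""

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)"')


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        """True when the socket is reachable only from the host itself."""
        return self.addr in ("::1", "[::1]") or self.addr.startswith("127.")


def parse_ss(text: str) -> list:
    """Turn `ss -tlnp` output into Listener records (non-LISTEN lines ignored)."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port, rest = m.groups()
        pm = PROC_RE.search(rest)
        listeners.append(Listener(addr, int(port), pm.group(1) if pm else "?"))
    return listeners


def audit(listeners, allowed_public=frozenset()) -> list:
    """Return (severity, message) findings. allowed_public: ports that are
    intentionally exposed beyond the host (e.g. a public web server)."""
    findings = []
    for l in listeners:
        if l.port in CLEARTEXT_PORTS:
            findings.append(("high", f"{l.process} on port {l.port} "
                             f"({CLEARTEXT_PORTS[l.port]}) carries credentials in clear "
                             f"text; disable it and use SSH or TLS instead"))
        elif not l.loopback_only and l.port not in allowed_public:
            findings.append(("medium", f"{l.process} listens on {l.addr}:{l.port} for "
                             f"the whole network; restrict it with the host firewall "
                             f"to the hosts that need it, or bind it to localhost"))
    return findings


if __name__ == "__main__":
    import subprocess
    try:
        text = subprocess.run(["ss", "-tlnp"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS  # fall back to the constructed sample
    for sev, msg in audit(parse_ss(text), allowed_public={22, 443}):
        print(f"[{sev}] {msg}")
```

On the sample, the Telnet daemon is the only high finding once SSH and HTTPS are allow-listed; the local-only listeners on 8080 and 5432 produce nothing. A service that must be reachable by a few specific hosts still shows up as medium until it is restricted by a host firewall rule, which is the point: the script does not know who needs access, you do.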
Passwords used on Laboratory IT must meet one of the approved password requirement templates.
- Template 1
  - Minimum 14 characters
  - Rated Strong on the strength meter (e.g. zxcvbn)
  - Change every year
- Template 2
  - Minimum 8 characters
  - At least 1 lowercase letter
  - At least 1 uppercase letter
  - At least 1 number
  - At least 1 special character
  - Change every six months
Template 1 is in place for Berkeley Lab Identity (LDAP) passwords and Template 2 is in place for Active Directory (AD) passwords. In all cases the following apply:
- Do not reuse any of your last five passwords.
- Do not share passwords except in emergency circumstances or when there is an overriding operational necessity.
Reset your password at password.lbl.gov. Also, try a password manager like 1Password, available at software.lbl.gov.
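The two templates and the reuse rule are simple enough to encode, which is useful when building a self-service password tool or reviewing one. The code below is an added example, not the Lab's password.lbl.gov implementation. The policy names zxcvbn as the strength meter; because that package is not part of the standard library, `heuristic_score()` is an assumed stand-in (a charset-entropy estimate capped when a common word appears), and a real tool would pass `zxcvbn(pw)["score"]` in its place. The small wordlist and all test passwords are constructed for the example.

```python
"""Check a proposed password against Template 1 / Template 2 and the
'no reuse of the last five' rule. Added example, not Berkeley Lab code."""
import hashlib
import hmac
import math
import os
import re

# (label, regex, alphabet size) for the four character classes Template 2 requires.
CLASSES = (("lowercase letter", r"[a-z]", 26), ("uppercase letter", r"[A-Z]", 26),
           ("number", r"[0-9]", 10), ("special character", r"[^A-Za-z0-9]", 33))
# Constructed mini wordlist; a real meter such as zxcvbn uses large dictionaries.
COMMON_WORDS = ("password", "qwerty", "123456", "letmein", "welcome", "berkeley")


def heuristic_score(pw: str) -> int:
    """0-4 stand-in for a zxcvbn-style score (assumption, not zxcvbn itself)."""
    if not pw or re.fullmatch(r"(.)\1*", pw):      # empty or one repeated character
        return 0
    charset = sum(size for _, pat, size in CLASSES if re.search(pat, pw))
    bits = len(pw) * math.log2(charset)
    score = 0 if bits < 28 else 1 if bits < 40 else 2 if bits < 60 else 3 if bits < 80 else 4
    if any(w in pw.lower() for w in COMMON_WORDS):  # dictionary word: cap the score
        score = min(score, 1)
    return score


def template1_problems(pw: str, strength=heuristic_score) -> list:
    """Template 1 (Berkeley Lab Identity/LDAP): 14+ characters, 'strong' on the meter."""
    problems = []
    if len(pw) < 14:
        problems.append("Template 1: fewer than 14 characters")
    if strength(pw) < 3:       # zxcvbn scores 3 and 4 are the strong bands
        problems.append("Template 1: not rated strong on the strength meter")
    return problems


def template2_problems(pw: str) -> list:
    """Template 2 (Active Directory): 8+ characters with all four character classes."""
    problems = []
    if len(pw) < 8:
        problems.append("Template 2: fewer than 8 characters")
    for label, pat, _ in CLASSES:
        if not re.search(pat, pw):
            problems.append(f"Template 2: no {label}")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


class PasswordHistory:
    """Salted hashes of the most recent passwords, so reuse is detectable
    without ever storing the passwords themselves."""

    def __init__(self, keep: int = 5):
        self.keep = keep
        self._entries = []             # (salt, hash), oldest first

    def contains(self, pw: str) -> bool:
        return any(hmac.compare_digest(_hash(pw, s), h) for s, h in self._entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(pw, salt)))
        del self._entries[:-self.keep]  # keep only the last `keep` entries


def check_password(pw: str, template: int, history: PasswordHistory,
                   strength=heuristic_score) -> list:
    """Return all rule violations; an empty list means the password is acceptable."""
    problems = template1_problems(pw, strength) if template == 1 else template2_problems(pw)
    if history.contains(pw):
        problems.append("reuses one of your last five passwords")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.add("Abcdef1!")                      # constructed previous password
    for pw, tmpl in (("correct horse battery staple", 1), ("Password1234!!", 1),
                     ("Abcdef1!", 2), ("abcdefgh", 2)):
        print(repr(pw), "template", tmpl, "->", check_password(pw, tmpl, hist) or "OK")
```

Note what the example deliberately does: the history keeps salted PBKDF2 hashes rather than plaintext, compares with `hmac.compare_digest`, and evicts beyond five, so the reuse check cannot itself become a store of old credentials. The strength heuristic exists only so the example runs offline; it rates a 14-character string containing "password" as weak, which matches the intent of the policy's meter, but is no substitute for zxcvbn's dictionary and pattern matching.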
Mobile Device PIN lock screen
Mobile devices, both personal and Lab issued, used to authenticate to institutional resources must be protected by a PIN lock screen. Examples of institutional resources include Gmail, Google Calendar, LETS, and multifactor authenticator tokens in Google Authenticator.
Biometric authentication, including fingerprint or facial recognition, and lock screen patterns are an acceptable alternative.
Operating System Patches
Install critical operating system patches. When available, enable automatic update functionality. Cyber Security enforces installation of critical patches.
Windows: use "Automatic Updates" and contact the Help Desk and ask to be joined to Active Directory.
Apple: use "Software Update".
Install the Windows Security Template to automatically configure baseline security settings.
To install the security template, contact the Help Desk and ask to be joined to Active Directory.
Complete Training Requirements appropriate for your position.
The JHA (or new WPC) system will notify you of your cyber training requirements.