Minimum Security Requirements


E-mail: security@lbl.gov

Parent Policy: Security for Information Technology
Document #: 10.01.002.001

Computers connected to the Berkeley Lab network must meet minimum security requirements. Minimum security requirements establish a baseline of security for all systems on the Berkeley Lab network. Non-compliant devices may be disconnected from the network.

Cyber Security Operations will modify these requirements based on changing technology and evolving threats.

Exceptions: Computers on the visitor network (e.g. wireless network). Review Section D.5 of Security for Information Technology for our policy on additional exceptions.

Requirements

(tick) = Required   (minus) = Not applicable

 

Each numbered requirement below gives the topic, the requirement itself, tips on implementing it, and whether it applies to Windows, Apple and UNIX/Linux systems.

1. Antivirus Software

Requirement: Install antivirus software and set it to update automatically.

Tips on implementing: Download Sophos for home and personal use at software.lbl.gov.

Applies to: Windows (tick), Apple (tick), UNIX/Linux (minus)

2. Application Patches

Requirement: Install critical application patches. When available, enable automatic update functionality. Cyber Security enforces installation of critical patches.

Tips on implementing: Windows and Apple: download BigFix from software.lbl.gov for easy desktop application patching.

Applies to: Windows (tick), Apple (tick), UNIX/Linux (tick)

3. Authentication

Requirement: Encrypt passwords when authenticating; never transmit a password in clear text.

Tips on implementing: Do not use Telnet, which sends the login name and password unencrypted; use SSH instead.

Applies to: Windows (tick), Apple (tick), UNIX/Linux (tick)

4. Institutional Accounts

Requirement: Only employees or affiliates may have institutional accounts (i.e. Berkeley Lab Identity/LDAP and Active Directory).

Tips on implementing: The Account Management FAQ describes procedures for obtaining and managing accounts.

Applies to: Windows (tick), Apple (tick), UNIX/Linux (tick)

5. Logging

Requirement: Log to the central logging servers. Exemption: do not log centrally if your computer is offsite or frequently offsite (e.g. a laptop).

Tips on implementing: Apple and Linux: use the Central Syslog Server instructions. Windows: use the Central Winlog Server instructions.

Applies to: Windows (minus), Apple (tick), UNIX/Linux (tick)

6. Network Services

Requirement: Secure the network services on your computer as follows:

  • Only activate network services needed to support your work. Unnecessary network services increase your risk of compromise.
  • Limit network access to only the computers that need it.
  • Example: a web server is a network service. Run one only if you need it, and open it to the Internet only if it is a public service; otherwise, limit access to within the Berkeley Lab perimeter.

Tips on implementing: Windows: contact the Help Desk and ask to be joined to Active Directory. This will help secure some of your network services.

Applies to: Windows (tick), Apple (tick), UNIX/Linux (tick)
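The following script is an added example (not Lab tooling and not part of this page) that turns requirements 3 and 6 into a check you can run on a Linux host. It parses the output of `ss -Hlntp`, flags every listener bound to all interfaces so you can confirm each one is needed and restricted to the hosts that need it, and flags listening ports of protocols that carry the password in clear text (Telnet and a few others; the port list is this example's own short selection, not an exhaustive inventory). The sample `ss` output embedded below is constructed.

```python
"""Audit the TCP services a Linux host is listening on, in the spirit of the
Authentication and Network Services requirements.  Added example, not Lab
tooling.  Parses `ss -Hlntp` output (the sample below is constructed),
flags listeners reachable on every interface, and flags ports of protocols
that send the password in clear text (illustrative port list, not complete)."""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Protocols that send the login name and password unencrypted
# (assumption: an illustrative list chosen for this example).
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap",
                        513: "rlogin", 514: "rsh"}
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}          # bound to every interface
_PROC_RE = re.compile(r'"([^"]+)"')              # name inside users:(("name",pid=..,fd=..))

# Constructed sample of `ss -Hlntp` output from a hypothetical host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:631    0.0.0.0:*  users:(("cupsd",pid=900,fd=7))
LISTEN 0 5     0.0.0.0:23     0.0.0.0:*  users:(("in.telnetd",pid=1301,fd=4))
LISTEN 0 511   0.0.0.0:80     0.0.0.0:*  users:(("nginx",pid=1500,fd=6))
LISTEN 0 128      [::]:22        [::]:*  users:(("sshd",pid=812,fd=4))
LISTEN 0 128     [::1]:5432      [::]:*  users:(("postgres",pid=1600,fd=5))
"""


@dataclass
class Listener:
    addr: str
    port: int
    process: Optional[str]

    @property
    def exposed(self) -> bool:
        """True when bound to every interface rather than one address."""
        return self.addr in WILDCARD_ADDRS

    @property
    def cleartext_protocol(self) -> Optional[str]:
        return CLEARTEXT_AUTH_PORTS.get(self.port)


@dataclass
class Finding:
    port: int
    process: str
    issue: str      # "cleartext" or "exposed"
    detail: str


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -lntp` lines into Listener records; a header line is skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition on the last ':' keeps IPv6 addresses such as [::1] intact
        addr, _, port = fields[3].rpartition(":")
        match = _PROC_RE.search(line)
        listeners.append(Listener(addr.strip("[]"), int(port),
                                  match.group(1) if match else None))
    return listeners


def audit(output: str) -> List[Finding]:
    """One Finding per listener per requirement it touches."""
    findings = []
    for lst in parse_ss(output):
        who = lst.process or "unknown process (run as root to see names)"
        if lst.cleartext_protocol:
            findings.append(Finding(lst.port, who, "cleartext",
                f"{lst.cleartext_protocol} sends passwords in clear text; "
                f"replace it with an encrypted service"))
        if lst.exposed:
            findings.append(Finding(lst.port, who, "exposed",
                f"listening on all interfaces ({lst.addr}); confirm it is needed "
                f"and restrict which hosts can reach it"))
    return findings


def main() -> None:
    # Use the live socket table when ss is available, otherwise the sample.
    if shutil.which("ss"):
        output = subprocess.run(["ss", "-Hlntp"], capture_output=True,
                                text=True, check=False).stdout
    else:
        output = SAMPLE_SS_OUTPUT
    for f in audit(output):
        print(f"port {f.port} ({f.process}): [{f.issue}] {f.detail}")


if __name__ == "__main__":
    main()
```

On the constructed sample the script flags the Telnet daemon twice (clear-text protocol, and exposed on all interfaces), and lists sshd and nginx as exposed listeners to review; cupsd on 127.0.0.1 and postgres on ::1 produce no findings. An "exposed" finding is a prompt to justify and restrict the service (host firewall, bind address, or Lab-perimeter-only access), not by itself a violation.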

7. Passwords

Requirement: Passwords used on Laboratory IT must meet one of the approved password requirement templates.

  • Template 1
    • Minimum 14 characters
    • Strong on the strength meter (e.g. zxcvbn)
    • Change every year

  • Template 2
    • Minimum 8 characters
    • 1 lowercase letter
    • 1 uppercase letter
    • 1 number
    • 1 special character
    • Change every six months

Template 1 is in place for Berkeley Lab Identity (LDAP) passwords and Template 2 is in place for Active Directory (AD) passwords. In all cases the following apply:

  • Do not reuse any of your last five passwords.
  • Do not share passwords except in emergency circumstances or when there is an overriding operational necessity.

Tips on implementing: Reset your password at password.lbl.gov. Also, try a password manager like 1Password, available at software.lbl.gov.

Applies to: Windows (tick), Apple (tick), UNIX/Linux (tick)
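As an added example (not the Lab's password.lbl.gov implementation), the following checker applies both templates and the shared "not one of your last five passwords" rule. The strength meter it ships with is a deliberately crude placeholder for a real estimator such as zxcvbn and can be swapped out through the `meter` argument; the password history keeps only salted PBKDF2 hashes, so the reuse rule can be enforced without ever storing the old passwords. The passwords used in the demonstration are constructed.

```python
"""Check a candidate password against the two Lab password templates and the
shared 'not one of your last five passwords' rule.  Added example, not the
Lab's password.lbl.gov implementation; simple_strength_meter is a placeholder
for a real meter such as zxcvbn."""
import hashlib
import hmac
import os
import re
from collections import deque
from typing import Callable

_CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def character_classes(password: str) -> set:
    """Names of the character classes present in the password."""
    return {name for name, pat in _CLASS_PATTERNS.items() if re.search(pat, password)}


def simple_strength_meter(password: str) -> bool:
    """Placeholder for the page's strength meter (e.g. zxcvbn).  Assumption: this
    crude rule stands in for a real estimator and is NOT equivalent to one."""
    return len(password) >= 20 or (len(password) >= 14 and len(character_classes(password)) >= 3)


def meets_template_1(password: str,
                     meter: Callable[[str], bool] = simple_strength_meter) -> bool:
    """Template 1 (Berkeley Lab Identity/LDAP): 14+ characters and 'strong' on the meter."""
    return len(password) >= 14 and meter(password)


def meets_template_2(password: str) -> bool:
    """Template 2 (Active Directory): 8+ characters with one of each of the four classes."""
    return len(password) >= 8 and character_classes(password) == set(_CLASS_PATTERNS)


class PasswordHistory:
    """Remembers the last five passwords as salted PBKDF2-HMAC-SHA256 hashes so
    the reuse rule can be enforced without keeping the passwords themselves."""

    def __init__(self, keep: int = 5, iterations: int = 100_000):
        self._entries = deque(maxlen=keep)   # the oldest entry drops off automatically
        self._iterations = iterations

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)                # fresh salt per entry
        self._entries.append((salt, self._digest(password, salt)))

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)


def evaluate(password: str, history: PasswordHistory,
             meter: Callable[[str], bool] = simple_strength_meter) -> dict:
    """Which templates the password satisfies, and why it is rejected if it is."""
    templates = []
    if meets_template_1(password, meter):
        templates.append("template-1")
    if meets_template_2(password):
        templates.append("template-2")
    reasons = []
    if not templates:
        reasons.append("meets neither Template 1 (14+ chars, strong) nor "
                       "Template 2 (8+ chars, all four character classes)")
    if history.was_used(password):
        reasons.append("matches one of the last five passwords")
    return {"accepted": not reasons, "templates": templates, "reasons": reasons}


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.remember("Tr0ub4dor&3")             # constructed sample of a previous password
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple", "troubador3"):
        print(candidate, "->", evaluate(candidate, hist))
```

In the demonstration, "Tr0ub4dor&3" satisfies Template 2 but is rejected because it is already in the history, "correct horse battery staple" satisfies only Template 1 (it has no uppercase letter or digit) and is accepted, and "troubador3" satisfies neither template. Note that a deployed checker would also need to enforce the template's change interval, which this example does not model.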

8. Mobile Device PIN Lock Screen

Requirement: Mobile devices, both personal and Lab issued, used to authenticate to institutional resources must be protected by a PIN lock screen. Examples of institutional resources include Gmail, Google Calendar, LETS, and multifactor authenticator tokens in Google Authenticator.

Tips on implementing: Biometric authentication, including fingerprint or facial recognition, and lock screen patterns are an acceptable alternative.

Applies to: Windows (tick), Apple (tick), UNIX/Linux (tick)

9. Operating System Patches

Requirement: Install critical operating system patches. When available, enable automatic update functionality. Cyber Security enforces installation of critical patches.

Tips on implementing: Windows: use "Automatic Updates" and contact the Help Desk and ask to be joined to Active Directory. Apple: use "Software Update".

Applies to: Windows (tick), Apple (tick), UNIX/Linux (tick)

10. Security Template

Requirement: Install the Windows Security Template to automatically configure baseline security settings.

Tips on implementing: To install the security template, contact the Help Desk and ask to be joined to Active Directory.

Applies to: Windows (tick), Apple (minus), UNIX/Linux (minus)

11. Training

Requirement: Complete the training requirements appropriate for your position.

Tips on implementing: The JHA (or new WPC) system will notify you of your cyber training requirements.

Applies to: Windows (tick), Apple (tick), UNIX/Linux (tick)
