Security is Your Responsibility
Now that you understand the major cyber security threats at Berkeley Lab, we want to reinforce that Security is Your Responsibility. You are responsible for the security of the systems you use, manage or maintain - this includes meeting the Minimum Security Requirements.
If you need assistance securing your system, contact one of the following:
Skip Prompt: Are you a supervisor or system administrator?
- Yes. Read the appropriate tab(s).
- No. Skip to next topic.
1. Cyber Security is a Line Management Responsibility, Just Like Safety
It's part of your management role to oversee the cyber security of the projects and systems under your supervision. You must ensure that projects under your supervision integrate cyber security throughout the project lifecycle and that appropriate resources are available for cyber security.
2. Access Without Consent Requires Authorization
Before investigating employees for wrongdoing, you must obtain authorization from both the Laboratory Chief Operating Officer and Laboratory Counsel to access employee or guest computers or accounts. You may not conduct the investigation yourself or request help from a System Administrator. Law enforcement requests must be approved by Laboratory Counsel. Read our policy on Access without Consent.
3. Emergency Account Termination
For standard terminations, there's an intentional lag in closing accounts. If you need to immediately terminate an employee or guest account, contact the help-desk and HR.
4. Help us avoid costly increases in oversight
Just as in safety, we are in this together. A single serious cyber incident could fundamentally alter our oversight relationship with DOE and result in detailed rules, increased costs, and, ultimately, damage to the open, collaborative spirit of Berkeley Lab.
Your attention to cyber security helps Berkeley Lab achieve world-class cyber security in an environment of openness, experimentation and trust.
Since you manage systems for others, you have additional responsibilities.
1. Communicate what you do (and don't do) to your customers
We've had at least two cyber security incidents caused by confusion about who does what. For example:
- If you manage the webserver, do you also patch the wiki?
- If you manage the database, do you also manage the web application that accesses it?
Communicate to your team who owns what part of the cyber security of the system.
2. Understand Access without Consent
Access to investigate allegations of wrongdoing requires approval (summarized below). Your job is to make sure this policy is followed. Read our policy on Access without Consent.
|Investigation of wrongdoing|Both the Laboratory Chief Operating Officer and Laboratory Counsel|
|Law enforcement requests||
||Division Director (and access must be limited to least intrusive means possible)|
3. Protect your Credentials
A common compromise across the DOE complex occurs when a system administrator logs on to a compromised system. Once the attacker has your credentials and elevated privileges, they use them to access all the systems you can access.
Contact Cyber Security Operations for help protecting your credentials.
4. Manage Review of Roles and Privileges
Stale accounts increase the risk of stolen credentials. All systems must have a regular (at least annual) review of accounts, roles and privileges. You must ensure that this process exists and occurs.